Cyware Taxii 2.x
App Vendor: Cyware
App Category: Data Enrichment & Threat Intelligence
App Version: 1.2.0
API version: v2.0/1
About App
The Cyware Taxii 2.x app allows security teams to integrate with TAXII servers to discover, collect, poll, and push data from/to a TAXII 2.x server. TAXII 2.x defines how the STIX data (threat intelligence information) is structured into collections, and how it can be accessed, retrieved, or exchanged.
The TAXII 2.x app in the Orchestrate application performs the following actions:
Action Name | Description |
---|---|
Collection Data Request | This action retrieves data about a collection on the TAXII server using the collection ID. |
Root Discovery Request | This action makes a root request to get more information about the TAXII server, such as TAXII version, content length, and other organization-specific data. |
Discovery Request | This action makes a request to validate the TAXII server credentials and retrieve basic information about the TAXII server. |
Get Collections | This action retrieves all the available collections from the TAXII server. |
Poll Collections | This action polls and retrieves data about a particular collection from the TAXII server using the collection ID. |
Inbox request | This action makes a request to write STIX data to the TAXII server in JSON format. You must have write access to perform this action. |
Generic Action | This is a generic action to perform any additional use case on Cyware TAXII 2.x Client. |
Configuration Parameters
The following configuration parameters are required for the Taxii 2.x app to communicate with the Taxii 2.x enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
TAXII Base URL | Enter the entire TAXII base URL along with the discovery URL. Example: "https://baseurl.com/taxii2/discovery/" | Text | Required | |
TAXII Password | Enter the TAXII password. | Password | Required | |
TAXII Username | Enter the TAXII username. | Text | Required | |
Verify | Choose to verify SSL certificates. Example: true | Boolean | Optional | Default value: false. Allowed values: |
Action: Collection Data Request
This action retrieves the details about a collection on the TAXII server using the collection ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection ID | Enter the collection ID to retrieve details about. Example: "b0ceb514-3b52-4199-8e3d-a7866ab8fdb1" | Text | Required | |
Example Request
[ { "collection_id": "b0ceb514-3b52-4199-8e3d-a7866ab8fdb1" } ]
Action: Root Discovery Request
This action makes a root request to get more information about the TAXII server, such as TAXII version, content length, and other organization-specific data.
Action Input Parameters
This action does not require input parameters.
Action: Discovery Request
This action makes a request to validate the TAXII server credentials and retrieve basic information about the TAXII server.
Action Input Parameters
This action does not require input parameters.
Action: Get Collections
This action retrieves all the available collections from the TAXII server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Offset | Enter the pagination offset. Example: "10" | Text | Optional | Available only on TAXII 2.0. Default value: "0" |
Limit | Enter the response limit. Example: "100" | Text | Optional | |
Example Request
[ { "limit": "100", "offset": "10" } ]
Action: Poll Collections
This action polls and retrieves data about a particular collection from the TAXII server using the collection ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection ID | Enter the collection ID to poll and retrieve data. Example: "b0ceb514-3b52-4199-8e3d-a7866ab8fdb1" | Text | Required | |
Date to Poll from | Enter the date in yyyy-mm-dd format from which you want to poll the TAXII server. Example: "2020-07-01" | Text | Optional | |
Offset | Enter the pagination offset. Example: "10" | Text | Optional | Available only on TAXII 2.0. Default value: "0" |
Limit | Enter the response limit. Example: "100" | Text | Optional | |
Object ID | Enter a specific object to retrieve. Example: "23458756901" | Text | Optional | |
Next | Enter the next integer if the data is paginated. Example: "1456543" | Text | Optional | |
Object Type | Enter the indicator type to retrieve. Example: "indicator" | Text | Optional | |
Example Request
[ { "added_after": "2020-07-01", "object_type": "indicator", "object_id": "23458756901", "collection_id": "b0ceb514-3b52-4199-8e3d-a7866ab8fdb1", "limit": "100", "next": "1456543", "offset": "10" } ]
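The following is an added example, not Cyware's code: it shows how the Poll Collections inputs could map onto a standard TAXII 2.1 Get Objects request, with HTTPS enforced and certificate verification kept on (the app's Verify parameter defaults to false). The API root `https://taxii.example/api1/`, the credentials, and the mapping of Object Type and Object ID to `match[type]` and `match[id]` are assumptions.

```python
import base64
import re
import ssl
import urllib.request
from datetime import datetime
from urllib.parse import urlencode

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
TAXII21 = "application/taxii+json;version=2.1"

def tls_context():
    # Counterpart of Verify = true: certificate and hostname checks stay on.
    return ssl.create_default_context()

def build_poll_request(api_root, username, password, params):
    """Build (without sending) a TAXII 2.1 Get Objects request from the action inputs."""
    if not api_root.startswith("https://"):
        raise ValueError("Basic credentials must only travel over HTTPS")
    cid = params["collection_id"]
    if not UUID_RE.fullmatch(cid):  # keeps '/' and '..' out of the URL path
        raise ValueError("collection_id is not a UUID")
    query = {}
    if params.get("added_after"):
        # The action takes yyyy-mm-dd; TAXII filters on an RFC 3339 UTC timestamp.
        day = datetime.strptime(params["added_after"], "%Y-%m-%d")
        query["added_after"] = day.strftime("%Y-%m-%dT%H:%M:%SZ")
    if params.get("limit"):
        limit = int(params["limit"])
        if limit < 1:
            raise ValueError("limit must be a positive integer")
        query["limit"] = limit
    if params.get("next"):
        query["next"] = params["next"]  # opaque value from the previous page
    if params.get("object_type"):
        query["match[type]"] = params["object_type"]
    if params.get("object_id"):
        query["match[id]"] = params["object_id"]
    # "offset" is documented as TAXII 2.0 only, so it is not sent here.
    url = f"{api_root.rstrip('/')}/collections/{cid}/objects/?{urlencode(query)}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Accept": TAXII21, "Authorization": f"Basic {token}"}
    return urllib.request.Request(url, headers=headers, method="GET")

# Constructed input: the page's example request plus a placeholder API root.
EXAMPLE = {"added_after": "2020-07-01", "object_type": "indicator",
           "object_id": "23458756901", "limit": "100", "next": "1456543",
           "offset": "10", "collection_id": "b0ceb514-3b52-4199-8e3d-a7866ab8fdb1"}
REQ = build_poll_request("https://taxii.example/api1/", "user", "pass", EXAMPLE)
```

To send the request, pass it to `urllib.request.urlopen(REQ, context=tls_context())`.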
Action: Inbox request
This action writes STIX data to the TAXII server in JSON format.
Usage in Intel Exchange:
When you are inboxing (sending) STIX data to a TAXII server in Intel Exchange, the source specified in the Threat Data module is the subscriber added to the system.
You can view the collection to which the STIX data is sent in the Source Collection column in Threat Data.
Note
You must have access to write data to the TAXII server.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
STIX object | Enter the STIX data to write to the TAXII server in JSON format. | Text | Required | |
Collection ID | Enter the collection ID to send the data. | Text | Required | |
Example Request
[ { "stix_bundle":"{\"objects\": [{\"id\": \"a9e5-3bd2-41bb-b543-05341\", \"lang\": \"en\",\"name\": \"CTIX\",\"type\": \"identity\", \"spec_version\": \"2.1\",\"created\": \"2021-06-02T05:58:46.325759Z\"}]}", "collection_id":"b0ceb514-3b52-4199-8e3d-a7866ab8fdb1" } ]
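Because `stix_bundle` is a JSON document carried as a string inside the action input, it is worth checking before it is written to a shared collection. The following pre-send check is an added example, not part of the Cyware app; the function name and the constructed identifier are assumptions. Run on the page's example request, it reports that the sample `id` is abbreviated rather than a full STIX `<type>--<UUID>` identifier.

```python
import json
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
STIX_ID_RE = re.compile(rf"([a-z][a-z0-9-]*)--{UUID}")

def check_inbox_input(action_input):
    """Return a list of problems found in an Inbox request input; empty means OK."""
    problems = []
    if not re.fullmatch(UUID, str(action_input.get("collection_id", ""))):
        problems.append("collection_id is not a UUID")
    try:
        # stix_bundle is JSON inside a string, so it is decoded separately.
        bundle = json.loads(action_input.get("stix_bundle", ""))
    except (TypeError, ValueError):
        return problems + ["stix_bundle is not valid JSON"]
    objects = bundle.get("objects") if isinstance(bundle, dict) else None
    if not isinstance(objects, list) or not objects:
        return problems + ["stix_bundle has no 'objects' list"]
    for i, obj in enumerate(objects):
        if not isinstance(obj, dict):
            problems.append(f"objects[{i}] is not a JSON object")
            continue
        otype, oid = obj.get("type"), obj.get("id")
        m = STIX_ID_RE.fullmatch(oid) if isinstance(oid, str) else None
        if m is None:
            problems.append(f"objects[{i}].id is not of the form <type>--<UUID>")
        elif m.group(1) != otype:
            problems.append(f"objects[{i}].id prefix does not match type {otype!r}")
    return problems

# The page's example request, then the same request with a constructed, well-formed id.
PAGE_EXAMPLE = {
    "collection_id": "b0ceb514-3b52-4199-8e3d-a7866ab8fdb1",
    "stix_bundle": '{"objects": [{"id": "a9e5-3bd2-41bb-b543-05341", "lang": "en", '
                   '"name": "CTIX", "type": "identity", "spec_version": "2.1", '
                   '"created": "2021-06-02T05:58:46.325759Z"}]}',
}
FIXED = dict(PAGE_EXAMPLE, stix_bundle=PAGE_EXAMPLE["stix_bundle"].replace(
    "a9e5-3bd2-41bb-b543-05341", "identity--11111111-2222-4333-8444-555555555555"))
```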
Action: Generic Action
This is a generic action to perform any additional use case on Cyware TAXII 2.x Client.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method. Example: "GET" | Text | Required | |
Endpoint | Enter the endpoint to make the request. Example: "collections/{collection_id}/objects/" | Text | Required | |
Payload | Enter the payload to pass to the API. Example: $JSON[{'object_type':'indicator'}] | Any | Optional | |
Query Params | Enter the query parameters to pass to the API. Example: {'limit':20} | Key Value | Optional | |
Example Request
[ { "method":"GET", "endpoint":"collections/{collection_id}/objects/", "payload":[ { "object_type":"indicator" } ], "query_params":{ "limit":20 } } ]