Anomali ThreatStream

Updated 1 month ago by Sachit Soni

This document explains how to configure and use the Anomali ThreatStream TAXII client to collect Indicators of Compromise (IOC) data from the TruSTAR TAXII server and make that data available for analysis in ThreatStream.


Requirements

  • Anomali ThreatStream
  • Access to your TruSTAR API Key and API Secret.

The TruSTAR TAXII server will serve IOCs from ALL enclaves that your user account has access to. If you want to download from specific enclaves, or if you want to know the source enclave for the IOCs you are downloading, you should create separate service accounts for each enclave. For more information, see Customizing Enclave Access in the TAXII FAQ document.

Configuring the TAXII Client

  1. Navigate to Settings/TAXII and then click the TAXII Feeds tab.
  2. Click the Actions button and select New TAXII Feed.
  3. Select the options for the new feed:
       • Name for the TAXII Feed.
       • Expiration date. TruSTAR recommends using the default value of 90 days.
       • Whether to override the system confidence or not. If you check this option, set the confidence level. TruSTAR recommends using the default setting (unchecked).
  4. Navigate back to Settings/TAXII and click the Sites tab.
  5. Click the Actions button and select Add Site.
  6. Fill in the fields in the new site dialog box:
       • Descriptive Name: Enter the feed name. TruSTAR recommends including TruSTAR in the name so that you can easily remember the feed source; for example, use TruStar - CLA.
       • Discovery URL: Enter this URL:
       • Authentication: Select Basic Authentication.
       • Username: Enter your TruSTAR API Key.
       • Password: Enter your TruSTAR API Secret.
  7. Click Add Site to create the new site. The new site appears on the Sites tab.
  8. Select the checkbox to the left of the site you just created, then [...] to configure it. This opens the settings for that site.
  9. Confirm that DISCOVERY OK is selected in the Discovery box.
  10. Click the Configure button under the collection name to access the feed configuration dialog.
  11. In the Feed Configuration dialog, enter this information:
       • Leave Subscription ID empty.
       • Select an Interval for how often to poll.
       • Select the date and time you want the poll to start.
       • Click Save and Run Now to complete the configuration process.


If you do not see the Poll Collections tab after you have completed the configuration, check on the ThreatStream User Admin/Users page that the user has been granted the Import to TAXII Feeds permission.
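
When the Discovery box does not show DISCOVERY OK, it helps to reproduce the discovery exchange outside the UI. The following is an added example, not code from Anomali or TruSTAR: it builds the request a TAXII client sends with Basic Authentication and lists the poll services in the reply. It assumes the TAXII 1.1 message bindings (the page names no version); the function names and the example.invalid host are hypothetical placeholders.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: TAXII 1.1 XML and HTTPS bindings (the page names no version).
NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
XML_11 = "urn:taxii.mitre.org:message:xml:1.1"

def build_discovery_request(discovery_url, api_key, api_secret):
    """Return (headers, body) for a TAXII 1.1 Discovery_Request."""
    # Basic Authentication only base64-encodes the key and secret,
    # so refuse any Discovery URL that would send them without TLS.
    if urlparse(discovery_url).scheme != "https":
        raise ValueError("Discovery URL must use https")
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": XML_11,
        "X-TAXII-Accept": XML_11,
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    }
    body = (f'<taxii_11:Discovery_Request xmlns:taxii_11="{NS}" '
            f'message_id="{uuid.uuid4()}"/>')
    return headers, body

def poll_services(response_xml):
    """Return the addresses of available POLL services in a Discovery_Response."""
    # Stdlib parser keeps this dependency-free; use defusedxml for untrusted servers.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS}}}Discovery_Response":
        raise ValueError(f"unexpected TAXII message: {root.tag}")
    return [svc.findtext(f"{{{NS}}}Address", "").strip()
            for svc in root.iter(f"{{{NS}}}Service_Instance")
            if svc.get("service_type") == "POLL"
            and svc.get("available") in ("true", "1")]

# Constructed sample response, trimmed to the fields parsed; the host is a placeholder.
SAMPLE_RESPONSE = f"""<t:Discovery_Response xmlns:t="{NS}" message_id="2" in_response_to="1">
  <t:Service_Instance service_type="POLL" available="true"><t:Address>https://taxii.example.invalid/poll</t:Address></t:Service_Instance>
  <t:Service_Instance service_type="INBOX" available="true"><t:Address>https://taxii.example.invalid/inbox</t:Address></t:Service_Instance>
  <t:Service_Instance service_type="POLL" available="false"><t:Address>https://taxii.example.invalid/old-poll</t:Address></t:Service_Instance>
</t:Discovery_Response>"""
```

POST the returned body with the returned headers to the Discovery URL using any HTTP client, then pass the reply to `poll_services`. An HTTP 401 points at the API Key or API Secret, and an empty list means no poll service is available to that account.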

Please reach out to for any additional questions.
