TAXII Client Basics

Updated 1 week ago by Elvis Hovor

This document explains the basics of using a TAXII client to download data from the TruSTAR TAXII Server.

Requirements

The TAXII client you use must meet the following requirements in order to connect to the TruSTAR TAXII server:

  • Support for TAXII version 1.2 (the version the TruSTAR TAXII server implements)
  • Able to accept STIX 1.2 formatted packages
  • TruSTAR API v1.3 (provided by TruSTAR)
  • TruSTAR Python SDK v0.3.23 (provided by TruSTAR)
  • Able to connect to these services supported by the TruSTAR TAXII server:
    • Discovery
    • Collection Management
    • Collection Polling
A subscription ID is not required to access the TAXII server data.

Accessing an Enclave

By default, the TruSTAR TAXII server serves IOCs from ALL enclaves that your user account (the account whose API credentials the client presents) has access to.

Downloading from a Single Enclave

To download from a single enclave, TruSTAR recommends a two-step process:

  1. Create a new Station User Account. Think of this as a service account; use a team or group email address for this user account's username to distinguish its limited access from other user accounts that have full access to TruSTAR enclaves.
  2. Give that account view access only to the enclave you want to download from.

Downloading from Multiple Enclaves

If you need to download IOCs from multiple enclaves AND need to know which enclave each IOC came from, TruSTAR recommends creating several service accounts, with each account having view access to a single enclave. Because the server returns one merged feed covering everything the polling account can see, the account you poll with is what identifies the source enclave. You can then make poll requests to the TAXII server one service account at a time.

If you are using a TAXII client within a third-party application (for example, LogRhythm), you must configure a new TruSTAR TAXII server connection for each enclave that you want to query.

Managing Whitelisted IOCs

When your TAXII client connects to the TruSTAR TAXII server, it imports every IOC the server returns, including indicators you have whitelisted in Station.

To avoid this, there are two options:

  • Manually delete those indicators in Station before the client connects
  • Programmatically remove them from the TAXII server's response before your TAXII client imports it
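The second option, as an added example that is not code from the TruSTAR documentation or SDK: the Python below strips whitelisted indicators out of a STIX 1.2 package before it reaches the client's importer. It assumes you have already extracted the STIX_Package XML from the content block of a TAXII poll response (a TAXII client library gives you that) and that you keep your own list of whitelisted values; the sample package, the indicator values in it and the whitelist are all constructed for this example. It handles address, domain, URL and file-hash observables, matches values case-insensitively, and leaves any indicator it cannot classify in place.

```python
# Added example (not TruSTAR's code): drop whitelisted indicators from a
# STIX 1.2 package before the TAXII client imports it.
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():          # keep the original prefixes on output
    ET.register_namespace(_prefix, _uri)

# Elements whose text is the atomic indicator value, per CybOX object type.
VALUE_TAGS = {
    "{%s}Address_Value" % NS["AddressObj"],       # IPv4/IPv6/e-mail address
    "{%s}Value" % NS["DomainNameObj"],            # domain name
    "{%s}Value" % NS["URIObj"],                   # URL
    "{%s}Simple_Hash_Value" % NS["cyboxCommon"],  # file hash
}

# Constructed sample package (no real intelligence): one indicator per type.
SAMPLE_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  id="example:Package-1" version="1.2">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>203.0.113.5</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
     <DomainNameObj:Value>Updates.Example.COM</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
     <URIObj:Value>http://malicious.example.net/payload</URIObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-4" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
     <cyboxCommon:Hash><cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
    </FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""


def _values(indicator):
    """Atomic values inside one stix:Indicator element, in document order."""
    return [el.text.strip() for el in indicator.iter()
            if el.tag in VALUE_TAGS and el.text and el.text.strip()]


def indicator_values(package_xml):
    """All indicator values in a package, so you can check what got through."""
    root = ET.fromstring(package_xml)
    return [v for ind in root.iter("{%s}Indicator" % NS["stix"]) for v in _values(ind)]


def strip_whitelisted(package_xml, whitelist):
    """Remove every Indicator carrying a whitelisted value; returns (xml, removed).

    Matching is case- and whitespace-insensitive. Indicators with no recognised
    value element (e.g. composite indicators) are kept; extend VALUE_TAGS for
    other CybOX object types your enclaves carry.
    """
    blocked = {v.strip().lower() for v in whitelist}
    root = ET.fromstring(package_xml)
    removed = []
    for container in root.iter("{%s}Indicators" % NS["stix"]):
        for ind in list(container):             # copy: we mutate while iterating
            vals = _values(ind)
            if any(v.lower() in blocked for v in vals):
                container.remove(ind)
                removed.extend(vals)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Constructed whitelist: values the organisation marked benign in Station.
    filtered, removed = strip_whitelisted(SAMPLE_PACKAGE, {"updates.example.com", "203.0.113.5"})
    print("removed:", removed)
    print("kept:", indicator_values(filtered))
```

Run the filter on each poll response before handing the package to the importer, and feed it the same whitelist you maintain in Station so the two stay in step; if a value type you rely on is not in VALUE_TAGS, the indicator passes through untouched rather than being silently dropped, so add the tag rather than broadening the match.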

