Custom TAXII Client A, B, C

Updated 3 weeks ago by TruSTAR

TruSTAR's TAXII Client offers users a convenient method to ingest intelligence from other TAXII services into enclaves into the TruSTAR Platform. This enables users to normalize intelligence from STIX-TAXII supported tools and leverage high-fidelity Indicators within workflow tools.

Source Type

Premium Intel

Update Type

Feed-style

  • will poll collections
  • will not query TAXII servers for enrichment about specific indications

Update Frequency

15 mins

Setup time

10 mins

Observables Supported

Requirements

  • 3d-party TAXII Server must support these protocol versions:
    • TAXII V1.2
    • STIX V1.2
  • TruSTAR User Permissions: Company Administrator role

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel to view the feeds available.
  4. Click Subscribe on the "TAXII Client A" box.
  5. Enter the information requested and click Save Credentials & Request Subscription. (refer to marketplace tile setup below for more details on filling out tile information)

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

To connect to a second TAXII client, use the TAXII Client B tile in the Marketplace.

Configuring the Custom TAXII Client

TAXII server url

POLL URL of the TAXII server you want to connect to poll collections from.

  • NOT the discovery URL.
  • NOT the base URL.
  • NOT the collections URL.

API Username

Username for the TAXII server to connect.

API Password

Password for the TAXII server to connect.

PEM File Contents

(optional, rare)

Some TAXII servers require .pem keys for authentication. You'll paste your PEM file contents into the field provided in the dialog box when subscribing / configuring.

PEM File Format Sample

Collections

Comma-separated list of the TAXII server collections you want submitted into TruSTAR.

STIX 1.x -> TruSTAR Reports Mapping

Understanding TruSTAR's Datamodel.
  • TruSTAR’s data-model is Indicator-centric, shifting away from report-centric.
  • Prior to August 2020, Custom TAXII Client put each entire STIX package in a TruSTAR Report Body.
  • In August 2020, Custom TAXII Client was updated to create 1 TruSTAR Report for each STIX Indicator and each STIX Observable in a given STIX package, to conform to TruSTAR's new (as of Aug 2020) Indicator-centric datamodel. 
  • In late 2021 / early 2022, Custom TAXII Client will be updated to submit indicators into TruSTAR's "structured ingest" API ( submit-indicators 2.0 ).
  • With the current Custom TAXII Client....:    
    • the observable / indicator values from your TAXII collections' STIX packages will all end up in Splunk kvstores (or your detection tool of choice) for detection.    
    • the context found in the STIX Indicator and/or STIX Observable will be pulled into enrichment comments in investigation / case-management tools by TruSTAR's case-management tool integrations. 

The Mapping.

Custom TAXII client creates 1 TruSTAR report for ALL of these:    

  • every STIX Indicator objects in the STIX package’s “Indicators” array.
  • every CYBOX Observable in the package’s “Observables” array.

A TruSTAR Report about a STIX Indicator will include: 

  • TruSTAR Report Title = STIX Indicator Title or description.   
  • TruSTAR Report External ID = base64(concatenate(STIX Pkg ID + STIX Indicator ID + Enclave ID))
  • TruSTAR Report Body contains a Dict:         
    { 
    'indicator_id': <STIX Indicator ID>,
    'indicator_title': <STIX Indicator Title or Description>,
    'indicator_type’: <STIX Indicator.indicator_types[0].value>,
    'indicator_confidence': <STIX Indicator.confidence.value.value>,
    'indicator_producer': <STIX Indicator.producer.identity.name>,
    'indicator_timestamp': <STIX Indicator.timestamp or STIX Indicator.producer.time.produced_time.value>,
    'indicator_tlp_color': <STIX Indicator.handling.marking[0].marking_structures[0].color,
    'observable': <STIX Indicator.observable.to_dict()>
    }

A TruSTAR Report about a STIX (CYBOX) Observable will include:

  • TruSTAR Report Title = STIX Observable Title or description.
  • TruSTAR Report External ID = base64(concatenate(STIX Pkg ID + STIX Observable ID + Enclave ID))
  • TruSTAR Report Body contains a Dict:
    { 
    'observable_id': <STIX Observable ID>,
    'observable_title': <STIX Observable.tltle or STIX Observable.description>,
    'observable_object': <STIX Observable.to_dict()>
    }

Known Issues

No reported issues.

Please contact support@trustar.co if you have issues with this integration.


How Did We Do?