STIX TAXII

Updated 2 months ago by Sachit Soni

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes the service that exposes TruSTAR IOCs over TAXII in STIX format.

TAXII Services Supported

Currently we support the following TAXII services:

#  TAXII Service          Description
1  Poll                   Used by a TAXII Client to request information from a TAXII Server.
2  Collection-Management  Used by a TAXII Client to request information about available Data Collections or request a subscription.
3  Discovery              Used by a TAXII Client to discover available TAXII Services.


Versions Supported

We currently support TAXII 1.1 and STIX 1.2. TAXII 2.x and STIX 2.x clients cannot use this service.

Configuration

Prerequisites

You will need a TAXII 1.1 client to connect to TruSTAR's TAXII server. A number of open source clients are available; we recommend the libtaxii library, available at https://github.com/TAXIIProject/libtaxii, which includes the command-line client scripts used in this document.

TruSTAR TAXII Server Parameters

Description        Libtaxii parameter  Value
URL to connect     -u, --url           https://taxii.trustar.co/services/
Username           --username          Your TruSTAR API Key, available at https://station.trustar.co/settings/api
Password           --pass              Your TruSTAR API Secret, available at https://station.trustar.co/settings/api
Collection to use  --collection        See next section

The API Secret is a credential: supply it from an environment variable or a secrets store rather than leaving it in shell history or in scripts checked into source control.


Collections Available

The TruSTAR TAXII service provides a subset of IOCs from the platform through the collections described below. Please note that each collection returns data from the TruSTAR platform for the previous 24 hours only, so a client that needs continuous coverage must poll each collection at least once a day.

#  Collection Name                     Description
1  collection-indicator-IP             Collection of all IP addresses.
2  collection-indicator-url            Collection of all URLs.
3  collection-indicator-MD5            Collection of all MD5 hashes.
4  collection-indicator-SHA1           Collection of all SHA1 hashes.
5  collection-indicator-SHA256         Collection of all SHA256 hashes.
6  collection-indicator-EMAIL_ADDRESS  Collection of all email addresses.
7  collection-indicator-REGISTRY_KEY   Collection of all registry keys.


Libtaxii Client Calls

In both calls the username is your TruSTAR API Key and the password is your TruSTAR API Secret, as listed in the parameter table above.

Discovery:

    python discovery_client.py -u https://taxii.trustar.co/services/discovery --username <API key> --pass <API secret>

Poll a specific collection:

    python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --username <API key> --pass <API secret>
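The two commands above exchange TAXII 1.1 XML messages over HTTPS. The following Python is an added example, not code from TruSTAR or from the libtaxii project: it builds the Poll_Request that poll_client.py sends for a collection, lists the HTTP headers the TAXII 1.1 HTTPS binding attaches to every message, and parses a hand-constructed Poll_Response carrying a STIX 1.2 package into (type, value) pairs named after the collections above. The sample response mixes an IP address, a URL and file hashes in one content block only to exercise the parser (a real collection carries one type); the address is from the RFC 5737 documentation range and the hashes are those of the empty file. POLL_URL is the poll endpoint from the table above; everything else in the sample is assumed.

```python
"""TAXII 1.1 poll exchange in the wire format libtaxii's poll_client.py uses,
built with the standard library so request and response are visible. Added
example, not TruSTAR's or libtaxii's code; the Poll_Response below is
constructed by hand (RFC 5737 address, empty-file hashes), not captured."""
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_12 = "urn:stix.mitre.org:xml:1.2"
POLL_URL = "https://taxii.trustar.co/services/poll"  # from the page
NS = {  # namespaces inside TAXII 1.1 / STIX 1.2 / CybOX 2 content
    "taxii_11": TAXII_NS,
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}
# Headers the TAXII 1.1 HTTPS binding requires on every message; the POST
# also carries HTTP Basic auth (API key as username, API secret as password).
TAXII_HEADERS = {
    "Content-Type": "application/xml", "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_poll_request(collection, message_id=None):
    """Serialise the Poll_Request that poll_client.py --collection sends.
    No timestamp window: the page says each collection serves the last 24h."""
    ET.register_namespace("taxii_11", TAXII_NS)
    req = ET.Element(f"{{{TAXII_NS}}}Poll_Request", collection_name=collection,
                     message_id=message_id or uuid.uuid4().hex)
    params = ET.SubElement(req, f"{{{TAXII_NS}}}Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, f"{{{TAXII_NS}}}Response_Type").text = "FULL"  # or COUNT_ONLY
    return ET.tostring(req, encoding="unicode")


def extract_iocs(poll_response_xml):
    """Return ([(ioc_type, value), ...], more) from a Poll_Response; unknown CybOX
    objects are reported, not dropped. Production code should parse server XML
    with defusedxml, which blocks entity-expansion attacks that ElementTree allows."""
    root = ET.fromstring(poll_response_xml)
    if root.tag != f"{{{TAXII_NS}}}Poll_Response":
        raise ValueError(f"expected Poll_Response, got {root.tag}")
    iocs = []
    for block in root.findall("taxii_11:Content_Block", NS):
        cb = block.find("taxii_11:Content_Binding", NS)
        if cb is None or cb.get("binding_id") != STIX_12:
            raise ValueError("content block is not STIX 1.2")
        for props in block.iter(f"{{{NS['cybox']}}}Properties"):  # every CybOX object
            addr = props.findtext("AddressObj:Address_Value", namespaces=NS)
            url = props.findtext("URIObj:Value", namespaces=NS)
            hashes = props.findall("FileObj:Hashes/cyboxCommon:Hash", NS)
            if addr is not None:  # CybOX AddressObject covers IPs and e-mail addresses
                kind = "EMAIL_ADDRESS" if props.get("category") == "e-mail" else "IP"
                iocs.append((kind, addr.strip()))
            elif url is not None:
                iocs.append(("URL", url.strip()))
            elif hashes:
                for h in hashes:
                    iocs.append((h.findtext("cyboxCommon:Type", namespaces=NS).strip(),
                                 h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS).strip()))
            else:
                iocs.append(("UNKNOWN", props.get("{http://www.w3.org/2001/XMLSchema-instance}type")))
    # more="true": further pages exist, fetched with Poll_Fulfillment (result_id, result_part_number).
    return iocs, root.get("more") == "true"


# Constructed sample: three object types in one block so the parser is exercised.
SAMPLE_POLL_RESPONSE = f"""<taxii_11:Poll_Response xmlns:taxii_11="{TAXII_NS}" message_id="2001"
    in_response_to="1001" collection_name="collection-indicator-IP" more="false" result_id="r-1">
  <taxii_11:Record_Count partial_count="false">3</taxii_11:Record_Count>
  <taxii_11:Content_Block><taxii_11:Content_Binding binding_id="{STIX_12}"/><taxii_11:Content>
    <stix:STIX_Package version="1.2" id="example:Package-1" xmlns:stix="http://stix.mitre.org/stix-1"
        xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="{NS['cybox']}"
        xmlns:cyboxCommon="{NS['cyboxCommon']}" xmlns:AddressObj="{NS['AddressObj']}"
        xmlns:URIObj="{NS['URIObj']}" xmlns:FileObj="{NS['FileObj']}"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><stix:Indicators>
      <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1"><indicator:Observable>
        <cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.7</AddressObj:Address_Value>
        </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
      <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2"><indicator:Observable>
        <cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
          <URIObj:Value>http://malware.example/payload.bin</URIObj:Value>
        </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
      <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-3"><indicator:Observable>
        <cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
          <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
          <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
        </FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    </stix:Indicators></stix:STIX_Package>
  </taxii_11:Content></taxii_11:Content_Block>
</taxii_11:Poll_Response>"""
```

To run this against the live service, POST the string returned by build_poll_request to POLL_URL with TAXII_HEADERS and HTTP Basic authentication (API Key as username, API Secret as password), for example requests.post(POLL_URL, data=body, headers=TAXII_HEADERS, auth=(api_key, api_secret)), and pass the response text to extract_iocs. If the returned more flag is true, the server has further result parts and the client must follow up with Poll_Fulfillment messages; a client that ignores the flag silently loses indicators.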

FAQ

  • I want to retrieve IOCs from only specific enclaves. How do I restrict the result set from the poll action to specific enclaves?
    • The TAXII poll request has no parameter for custom filters such as enclave IDs. To retrieve results from specific enclaves, create a dedicated TruSTAR user whose permissions are restricted to those enclaves, and use that user's API Key and API Secret as the username and password in the TAXII poll command. Because the server only returns indicators the authenticated user is permitted to see, the poll is limited to those enclaves.

Troubleshooting

Please reach out to support@trustar.co for any additional questions.
