STIX TAXII

Updated 2 months ago by Sachit Soni

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among various internal and external teams. This document describes the service that provides access to TruSTAR IOCs in STIX and TAXII format.

TAXII Services Supported 

Currently we support the following TAXII services:

| # | TAXII Service | Description |
|---|---|---|
| 1 | Poll | Used by a TAXII Client to request information from a TAXII Server. |
| 2 | Collection-Management | Used by a TAXII Client to request information about available Data Collections or request a subscription. |
| 3 | Discovery | Used by a TAXII Client to discover available TAXII Services. |



Versions Supported

We currently support TAXII V1.1 and STIX V1.2.

Configuration

Prerequisites

You will need a TAXII client to connect to TruSTAR’s TAXII server. There are a number of open source clients available - we recommend using the Libtaxii repository available here: https://github.com/TAXIIProject/libtaxii

TruSTAR TAXII Server Parameters

| Description | Libtaxii parameter | Value |
|---|---|---|
| URL to connect | -u, --url | https://taxii.trustar.co/services/ |
| Username | --username | Use your TruSTAR API Key. Available here: https://station.trustar.co/settings/api |
| Password | --pass | Use your TruSTAR API Secret. Available here: https://station.trustar.co/settings/api |
| Collection to use | --collection | See next section |


Collections Available

The TruSTAR TAXII service provides a subset of IOCs from the platform through the collections described below. Please note that each collection returns data from the TruSTAR platform for the previous 24 hours.

| # | Collection Name | Description |
|---|---|---|
| 1 | collection-indicator-IP | Collection of all IP addresses. |
| 2 | collection-indicator-url | Collection of all URLs. |
| 3 | collection-indicator-MD5 | Collection of all MD5 hashes. |
| 4 | collection-indicator-SHA1 | Collection of all SHA1 hashes. |
| 5 | collection-indicator-SHA256 | Collection of all SHA256 hashes. |
| 6 | collection-indicator-EMAIL_ADDRESS | Collection of all email addresses. |
| 7 | collection-indicator-REGISTRY_KEY | Collection of all registry keys. |



Libtaxii Client Calls 

Discovery

python discovery_client.py -u https://taxii.trustar.co/services/discovery --username <API Key> --pass <API Secret>

Poll a specific collection

python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --username <API Key> --pass <API Secret>
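Values returned by a poll of collection-indicator-IP should be parsed and validated before they are loaded into a blocklist or lookup table. The following is an added example, not TruSTAR or libtaxii code: it reads a TAXII 1.1 Poll_Response, keeps only STIX 1.2 content blocks, and separates well-formed IP addresses from malformed ones. The sample response is constructed and abbreviated, and the assumption that addresses arrive as CybOX Address_Value elements is not confirmed by this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ADDR_NS = "http://cybox.mitre.org/objects#AddressObject-2"  # CybOX Address object
STIX_12_BINDING = "urn:stix.mitre.org:xml:1.2"

# Constructed sample: documentation-range addresses, one malformed, one duplicate.
# The Indicator/Observable wrappers of a full STIX package are omitted for brevity.
SAMPLE_RESPONSE = """<taxii_11:Poll_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1" collection_name="collection-indicator-IP">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.2"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
          xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2">
        <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
        <AddressObj:Address_Value>203.0.113.25</AddressObj:Address_Value>
        <AddressObj:Address_Value>203.0.113.999</AddressObj:Address_Value>
        <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

def extract_ips(xml_text):
    """Return (valid, rejected) address values from STIX 1.2 content blocks."""
    # Stdlib ElementTree expands internal entities, so refuse DTDs outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in TAXII message")
    root = ET.fromstring(xml_text)
    valid, rejected = [], []
    for block in root.iter("{%s}Content_Block" % TAXII_NS):
        binding = block.find("{%s}Content_Binding" % TAXII_NS)
        if binding is None or binding.get("binding_id") != STIX_12_BINDING:
            continue  # ignore content that is not declared as STIX 1.2
        for node in block.iter("{%s}Address_Value" % ADDR_NS):
            value = (node.text or "").strip()
            try:
                ip = str(ipaddress.ip_address(value))  # normalises and validates
            except ValueError:
                rejected.append(value)  # keep for review instead of ingesting
                continue
            if ip not in valid:
                valid.append(ip)
    return valid, rejected
```

Calling extract_ips(SAMPLE_RESPONSE) returns the two distinct valid addresses and lists the malformed value separately so it can be logged rather than silently dropped.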
          

Troubleshooting

Please reach out to support@trustar.co for any additional questions.





