TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes the service that provides access to TruSTAR IOCs in STIX and TAXII format.
TAXII Services Supported

Currently we support the following TAXII services:

- Poll Service: used by a TAXII Client to request information from a TAXII Server.
- Collection Management Service: used by a TAXII Client to request information about available Data Collections or request a subscription.
- Discovery Service: used by a TAXII Client to discover available TAXII Services.

We currently support TAXII V1.1 and STIX V1.2.
You will need a TAXII client to connect to TruSTAR's TAXII server. There are a number of open source clients available; we recommend the Libtaxii repository, available here: https://github.com/TAXIIProject/libtaxii
TruSTAR TAXII Server Parameters

- URL to connect: the service URLs shown in the Libtaxii client calls below.
- Username: your TruSTAR API Key. Available here: https://station.trustar.co/settings/api
- Password: your TruSTAR API Secret. Available here: https://station.trustar.co/settings/api
- Collection to use: see the next section.
The TruSTAR TAXII service provides a subset of IOCs from the platform through the collections described below. Please note that each collection returns data from the TruSTAR platform for the previous 24 hours.

- Collection of all IP addresses (collection-indicator-IP in the poll example below).
- Collection of all URLs.
- Collection of all MD5 hashes.
- Collection of all SHA1 hashes.
- Collection of all SHA256 hashes.
- Collection of all email addresses.
- Collection of all registry keys.
Libtaxii Client Calls

Discover the available services:

python discovery_client.py -u https://taxii.trustar.co/services/discovery --username <API key> --pass <API secret>

Poll a specific collection:

python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --username <API key> --pass <API secret>
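The poll above is one TAXII 1.1 request/response pair. The following script is an added example, not TruSTAR's or libtaxii's code: it builds the Poll_Request for a collection over the previous 24 hours, sets the HTTP headers a TAXII 1.1 client sends with the API key as the HTTP Basic username and the API secret as the password, and extracts indicator values from a STIX 1.2 Poll_Response using only the Python standard library. The header values and element names come from the TAXII 1.1 and STIX 1.2 specifications; the assumption that indicators arrive as CybOX Address and File objects, the hypothetical `poll`, `build_poll_request` and `parse_poll_response` helpers, and the sample response (with a documentation-range IP and the MD5 of an empty file) are constructed for this example and are not real TruSTAR data.

```python
# Added example, not TruSTAR's or libtaxii's code; the sample response below is constructed.
import base64, datetime as dt, urllib.request, uuid
import xml.etree.ElementTree as ET

NS = {"taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
      "stix": "http://stix.mitre.org/stix-1", "cybox": "http://cybox.mitre.org/cybox-2",
      "cyboxCommon": "http://cybox.mitre.org/common-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "FileObj": "http://cybox.mitre.org/objects#FileObject-2"}
TAXII = "{%s}" % NS["taxii_11"]
STIX_12_BINDING = "urn:stix.mitre.org:xml:1.2"  # TAXII content binding id for STIX 1.2
ET.register_namespace("taxii_11", NS["taxii_11"])

def taxii_headers(api_key, api_secret):
    """TAXII 1.1-over-HTTPS headers plus HTTP Basic auth (API key = user, API secret = password)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {"Content-Type": "application/xml",
            "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
            "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
            "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
            "Authorization": "Basic " + token}

def build_poll_request(collection, hours=24, message_id=None):
    """Poll_Request for `collection` over the last `hours` (the service returns 24h). -> (id, bytes)"""
    end = dt.datetime.now(dt.timezone.utc)
    begin, fmt = end - dt.timedelta(hours=hours), "%Y-%m-%dT%H:%M:%SZ"
    message_id = message_id or uuid.uuid4().hex  # must be unique so we can match the reply
    req = ET.Element(TAXII + "Poll_Request", {"message_id": message_id, "collection_name": collection})
    ET.SubElement(req, TAXII + "Exclusive_Begin_Timestamp").text = begin.strftime(fmt)
    ET.SubElement(req, TAXII + "Inclusive_End_Timestamp").text = end.strftime(fmt)
    params = ET.SubElement(req, TAXII + "Poll_Parameters", {"allow_asynch": "false"})
    ET.SubElement(params, TAXII + "Response_Type").text = "FULL"
    return message_id, ET.tostring(req, encoding="utf-8", xml_declaration=True)

def _values(props):
    """Yield (kind, value) from CybOX Address (IP, email) and File hash (MD5/SHA1/SHA256) objects."""
    for v in props.iterfind("AddressObj:Address_Value", NS):
        yield props.get("category", "address"), v.text.strip()
    for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
        kind = h.findtext("cyboxCommon:Type", "hash", NS).lower()
        yield kind, h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip()

def parse_poll_response(xml_bytes, expected_message_id=None):
    """Return ([(kind, value), ...], more); reject replies to another request, skip non-STIX-1.2 blocks."""
    root = ET.fromstring(xml_bytes)
    if root.tag != TAXII + "Poll_Response":  # on error the server answers with a Status_Message instead
        raise ValueError("expected a TAXII 1.1 Poll_Response, got " + root.tag)
    if expected_message_id and root.get("in_response_to") != expected_message_id:
        raise ValueError("in_response_to does not match our message_id")
    found = []
    for block in root.findall("taxii_11:Content_Block", NS):
        binding = block.find("taxii_11:Content_Binding", NS)
        if binding is None or binding.get("binding_id") != STIX_12_BINDING:
            continue  # not the STIX 1.2 XML we asked for; do not try to parse it
        for ind in block.iterfind(".//stix:Indicator", NS):
            for props in ind.iterfind(".//cybox:Properties", NS):
                found.extend(_values(props))
    return found, root.get("more") == "true"  # more="true": further result parts exist

def poll(url, collection, api_key, api_secret, timeout=60):
    """One HTTPS round trip; urllib verifies the server certificate. Not run offline."""
    message_id, body = build_poll_request(collection)
    req = urllib.request.Request(url, body, taxii_headers(api_key, api_secret), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_poll_response(resp.read(), expected_message_id=message_id)

# Constructed Poll_Response: one STIX 1.2 block (doc-range IP, MD5 of the empty file), one non-STIX block.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="9001" in_response_to="42" collection_name="collection-indicator-IP" more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.2"/>
    <taxii_11:Content>
      <stix:STIX_Package version="1.2" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
          xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
        <stix:Indicators>
          <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
              <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value></cybox:Properties>
          </cybox:Object></indicator:Observable></stix:Indicator>
          <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
            <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes><cyboxCommon:Hash>
              <cyboxCommon:Type>MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties>
          </cybox:Object></indicator:Observable></stix:Indicator>
        </stix:Indicators>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block><taxii_11:Content_Binding binding_id="urn:example:not-stix"/>
    <taxii_11:Content>skipped</taxii_11:Content></taxii_11:Content_Block>
</taxii_11:Poll_Response>
"""

if __name__ == "__main__":
    print(parse_poll_response(SAMPLE_RESPONSE, expected_message_id="42"))
```

Two checks matter in practice: the reply's `in_response_to` must equal the `message_id` you sent (an authentication or collection error comes back as a Status_Message, not a Poll_Response), and only content blocks whose binding is `urn:stix.mitre.org:xml:1.2` should be handed to the STIX parser. `more="true"` means the server holds further result parts that a Poll_Fulfillment request would retrieve; the 24-hour window in `build_poll_request` mirrors what the collections return.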
- I want to retrieve IOCs from only specific enclaves. How do I restrict the result set from the poll action to specific enclaves?
- The existing TAXII poll command does not allow users to specify custom parameters like enclave IDs. To retrieve results from a specific enclave we recommend creating a new user and restricting that user's permissions to the enclaves from which you want results. You can use this user's API key and API secret as the username and password in the TAXII poll command.
Please reach out to firstname.lastname@example.org for any additional questions.