TAXII FAQ

Updated 1 month ago by Elvis Hovor

This document explains details of how the TruSTAR TAXII Server works with TAXII clients.

TruSTAR TAXII Server

Managing Whitelisted IOCs

When you connect a TAXII client to the TruSTAR TAXII server, the client also imports all IOCs that you have whitelisted. To avoid this, you need to delete those indicators manually in Station.

To filter whitelisted indicators out of the TAXII server's response, you must do so in your own code after receiving the response from the TAXII server.
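The client-side filtering just described, as an added example that is not part of this document or of TruSTAR's SDK: it takes a constructed batch of polled indicators and a constructed whitelist (the `type`/`value` dict fields are an assumption, not TruSTAR's schema), matches case-insensitively, and also drops URLs whose host is a whitelisted domain.

```python
from __future__ import annotations
from typing import Iterable
from urllib.parse import urlparse

# Constructed sample of indicators as a TAXII client might hand them to you
# after a poll. The field names are an assumption, not TruSTAR's schema.
POLLED_IOCS = [
    {"type": "DOMAIN", "value": "Evil-Example.test"},
    {"type": "IP", "value": "203.0.113.10"},
    {"type": "MD5", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"type": "URL", "value": "http://Intranet.example/login"},
    {"type": "DOMAIN", "value": "intranet.example"},
]

# Constructed whitelist (for instance exported from Station). Note the case
# differences against the polled values above; the match must tolerate them.
WHITELIST = [
    {"type": "DOMAIN", "value": "intranet.example"},
    {"type": "MD5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
]


def normalize(ioc: dict) -> tuple[str, str]:
    """Canonical (TYPE, value) key so case and whitespace do not defeat a match."""
    return ioc["type"].strip().upper(), ioc["value"].strip().lower()


def is_whitelisted(ioc: dict, allowed: set[tuple[str, str]]) -> bool:
    """Exact match, plus: a URL is suppressed when its host is a whitelisted DOMAIN."""
    key = normalize(ioc)
    if key in allowed:
        return True
    if key[0] == "URL":
        host = urlparse(key[1]).hostname  # already lower-cased by normalize()
        return host is not None and ("DOMAIN", host) in allowed
    return False


def filter_whitelisted(iocs: Iterable[dict], whitelist: Iterable[dict]) -> tuple[list[dict], list[dict]]:
    """Split a polled batch into (kept, dropped); dropped are the whitelisted ones."""
    allowed = {normalize(w) for w in whitelist}
    kept, dropped = [], []
    for ioc in iocs:
        (dropped if is_whitelisted(ioc, allowed) else kept).append(ioc)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_whitelisted(POLLED_IOCS, WHITELIST)
    print(f"kept {len(kept)}, dropped {len(dropped)} whitelisted")
```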

Submitting Reports or IOCs

The TAXII server was designed to enable users to download the indicators that already exist in their enclaves. The TruSTAR TAXII server is not configured to allow you to send reports or indicators into your TruSTAR enclaves.

Reports can be submitted programmatically using TruSTAR's submit report REST API endpoint directly. The TruSTAR Python SDK's submit_report() method is a wrapper around that endpoint and makes submitting reports easier.

Customizing Enclave Access

The TruSTAR TAXII server will serve IOCs from ALL enclaves that the user account tied to the API credentials used in the poll request has access to.

To download IOCs only from specific enclaves, TruSTAR recommends creating a new Station User Account and giving that user account view access only to the enclaves from which you want to download IOCs via the TAXII server. Think of this as a service account; use a team or group email address for this user account's username to distinguish its limited access from other user accounts that have full access to TruSTAR enclaves.

If you need to download IOCs from multiple enclaves AND need to know which enclave each IOC came from, TruSTAR recommends creating several service accounts, with each service account having view access to a single enclave. You can then make poll requests to the TAXII server one service account at a time.

If you are using a TAXII client within a third-party application (for example, LogRhythm), you must configure a new TruSTAR TAXII server connection for each enclave you want to query.

Specifying a Time Window

The TruSTAR TAXII server accepts both "from" and "to" times that comply with TAXII standards.

If a poll request does not specify "from" or "to" times, the TAXII server returns all IOCs submitted within the last 24 hours for those enclaves.

FAQ

How far back can I download data from TruSTAR enclaves?

By default, you get the last 24 hours of data from TruSTAR if no time parameter is specified. However, you can specify a time period with optional parameters in the query. Refer to the optional parameters in the TruSTAR TAXII Server document.

Where can I download public TAXII documentation?

OASIS has made the relevant files available here: https://docs.oasis-open.org/cti/taxii/v2.1/csprd02/taxii-v2.1-csprd02.zip

Troubleshooting

Please reach out to support@trustar.co for any additional questions.
