TruSTAR TAXII Server

Updated 1 month ago by Elvis Hovor

This document describes the TruSTAR TAXII server, which provides access to TruSTAR IOCs in STIX format over TAXII.

Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS. It enables organizations to share information using an API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX, although it can share data in other formats as well.

The current version is TruSTAR_TAXIIv3.0.

TruSTAR also provides a TAXII client intelligence source through the Marketplace. This is a convenient way to ingest intelligence from other TAXII services into TruSTAR enclaves.

Features

  • Provides downloads of indicators from TruSTAR enclaves using your choice of STIX format.
  • Discover all available services with the TruSTAR TAXII Server.
  • Download indicators within a specified time window.

The TruSTAR TAXII service exposes a subset of the IOCs in the TruSTAR platform. Unless a "from" time is supplied (see the --time parameter under Command Line Usage), a query to a collection returns all IOCs in that collection that were submitted in the last 24 hours to any enclave the user whose API credentials are being used has access to. The feed is therefore scoped by the credentials you configure: a key belonging to a user with access to fewer enclaves returns fewer indicators.

TAXII Services

The TruSTAR TAXII server supports the following TAXII services:

  • Poll: request information from a TAXII Server.
    URL: https://taxii.trustar.co/services/poll
  • Collection-Management: request information about available Data Collections or request a subscription.
    URL: https://taxii.trustar.co/services/collection-management
  • Discovery: discover available TAXII Services.
    URL: https://taxii.trustar.co/services/discovery

TAXII Collections

The TruSTAR TAXII Server offers the following IOC collections:

  1. collection-indicator-IP: all IP addresses.
  2. collection-indicator-URL: all URLs.
  3. collection-indicator-MD5: all MD5 hashes.
  4. collection-indicator-SHA1: all SHA1 hashes.
  5. collection-indicator-SHA256: all SHA256 hashes.
  6. collection-indicator-EMAIL_ADDRESS: all email addresses.
  7. collection-indicator-REGISTRY_KEY: all registry keys.
  8. collection-indicator-BITCOIN_ADDRESS: all bitcoin addresses.
  9. collection-indicator-MALWARE: all malware names.
  10. collection-indicator-THREAT ACTOR: all threat actor names.
  11. collection-indicator-PHONE NUMBERS: all TruSTAR phone number indicators.
  12. Collection-indicators-details: all indicators of the types listed above, together with their metadata.

The names returned by the Collection Management service are authoritative. The sample Collection_Information_Response under Client Calls and Responses lists them in the server's own spelling (for example collection-indicator-url) and includes collections such as collection-indicator-SOFTWARE and collection-indicator-CIDR_BLOCK that do not appear in this table, so query the service rather than relying on this list alone.

GUI Configuration

If your TAXII client supports TAXII 1.1 over HTTPS with the XML 1.0 or 1.1 message binding (the bindings advertised by the Discovery service; see Client Calls and Responses), you do not need to download or install any additional files in order to connect to the TruSTAR TAXII server. You can use the client's GUI to connect to the discovery service or the collection management service and find all collections available for download.

For example, if you are using LogRhythm Threat Intelligence Services, you can use that TAXII client to connect to TruSTAR's TAXII server. More details on connecting to TruSTAR's TAXII server using LogRhythm can be found here.

  1. Select the Add a STIX/TAXII Provider button. You now see a TAXII client setup page.
  2. Fill out the information as it applies to your client:
  • TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
  • Username: your API Authentication Key, available on TruSTAR Station at https://station.trustar.co/settings/api
  • Password: your API Secret, available on TruSTAR Station at https://station.trustar.co/settings/api
  • Certificate Authentication: leave unchecked and ignore Certificate Password and Certificate Path.
  • Threat Provider Name: any name of your choice (for example "TruSTAR" or "TruSTAR Sharing Group IOCs")

You now see the list of available collections and can select which ones to access via the TAXII client.

The API Secret is a credential: keep it in the client's credential store rather than in shared configuration, and remember that the indicators returned are scoped to the enclaves the key's owner can view, so use a key whose access matches what the receiving system should see.

Command Line Usage

To query the TruSTAR TAXII server from the command line, TruSTAR recommends creating a Python 3 virtual environment, activating it, and pip-installing the libtaxii library. Anytime that virtual environment is activated, you can poll any TAXII server (including TruSTAR's) from the command-line by following the libtaxii project's documentation.

Other open-source TAXII clients:

TruSTAR TAXII Server Parameters

  • URL to connect (-u, --url): the TruSTAR service endpoint under https://taxii.trustar.co/services/ (poll, discovery or collection-management; see Client Calls and Responses).
  • Username (--username): your TruSTAR API Key, available at https://station.trustar.co/settings/api
    Example: --username aca05832-f1a0-0184-8f67-5741fffe7a14
  • Password (--pass): your TruSTAR API Secret, available at https://station.trustar.co/settings/api
    Example: --pass Tzw4FLIX0rW338i7jYU3UgU0
  • Collection to use (--collection): one of the collection names listed under TAXII Collections.
    Example: --collection collection-indicator-IP
  • Time (-t, --time), optional: a "from" time in UTC. The TAXII server returns all IOCs from the enclaves your API credentials have View (or higher) access to whose "timeUpdated" attribute lies between the time you specify and the present moment. If no time is specified, the default window is the last 24 hours.
    Example: -t <Time_in_UTC :00:00:000>
  • Proxy (--proxy), optional: proxy to use for the connection.
    Example: --proxy http://myproxy.example.com:80
  • Cert (--cert), optional: client certificate file.
    Example: --cert <MyCert.crt>
  • Cert Key (--key), optional, required if you use --cert: private key for the client certificate.
    Example: --key MyKey.key
  • Output (--xml-output or --json-output), optional: format of the STIX output file. The default is STIX-formatted XML.
    Example: --xml-output or --json-output

Client Calls and Responses

This section lists the libtaxii client calls and responses.

Discovery
python discovery_client.py -u https://taxii.trustar.co/services/discovery --username <API key> --pass <API secret>

Sample Response

Request:

Message Type: Discovery_Request
Message ID: 377306701207002283

Response:

Message Type: Discovery_Response
Message ID: 6034388875283072057; In Response To: 377306701207002283
=== Service Instance ===
Service Type: POLL
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: Trustar indicator Poll Service description
=== Service Instance ===
Service Type: DISCOVERY
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://taxii.trustar.co/services/discovery
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: Trustar Discovery Service description
=== Service Instance ===
Service Type: COLLECTION_MANAGEMENT
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: Trustar Collection Management Service description

Poll a Specific Collection

python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --username <API key> --pass <API secret>

Sample Response

Request:

Message Type: Poll_Request
Message ID: 3641663190328146359
Collection Name: collection-indicator-IP
Excl. Begin TS Label: None
Incl. End TS Label: None
=== Poll_Parameters ===
Response type: FULL

Response:

Message Type: Poll_Response
Message ID: 3685762672097258501; In Response To: 3641663190328146359
Collection Name: collection-indicator-IP
More: False
Result ID: None
Result Part Num: 1
=== Content Block ===
Content Binding: urn:stix.mitre.org:xml:1.1>IP
Content length: 78959
(Content not printed for brevity)
Timestamp Label: 2019-03-12 23:12:34.222823+00:00
Message: None
Padding: None

File created: collection-indicator-IP_STIX11_t2019_03_12T23_12_34_222823_00_00.xml
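
The Poll_Request shown above, built by hand as an added example (not TruSTAR's or libtaxii's code): it assembles the TAXII 1.1 message and the HTTPS binding headers, maps the API key and secret to HTTP Basic authentication, and refuses to talk to an http:// endpoint. Only the service URL and the binding URNs come from this page; the function names, the sample timestamp and the ISO-8601 form of the "from" time are this example's own assumptions.

```python
"""Hand-built TAXII 1.1 Poll_Request for the TruSTAR poll service.
Added example; not TruSTAR's or libtaxii's code. Only poll() needs the real service."""
import base64
import random
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlparse

TAXII_11_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
POLL_URL = "https://taxii.trustar.co/services/poll"  # from the TAXII Services list

# Headers required by the TAXII 1.1 HTTPS protocol binding; the URNs are the
# service, protocol and message bindings the Discovery_Response above advertises.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def is_https(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def require_https(url: str) -> str:
    """Refuse non-HTTPS endpoints. The Collection_Information_Response on this page
    advertises http://taxii.trustar.co/... poll addresses; a client that followed them
    would send the API key and secret (HTTP Basic) in clear text."""
    if not is_https(url):
        raise ValueError("refusing non-HTTPS TAXII endpoint: " + url)
    return url


def basic_auth_header(api_key: str, api_secret: str) -> str:
    """TAXII username/password are the TruSTAR API key/secret (see GUI Configuration)."""
    return "Basic " + base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()


def build_poll_request(collection: str, begin_utc: Optional[str] = None,
                       message_id: Optional[str] = None) -> bytes:
    """Serialize a Poll_Request. begin_utc is an ISO-8601 timestamp with a UTC offset
    (e.g. "2019-03-11T23:12:34+00:00") and becomes Exclusive_Begin_Timestamp, the
    page's "from" time; omit it and the server applies its default 24-hour window."""
    message_id = message_id or str(random.getrandbits(63))
    ET.register_namespace("taxii_11", TAXII_11_NS)
    root = ET.Element("{%s}Poll_Request" % TAXII_11_NS,
                      {"message_id": message_id, "collection_name": collection})
    if begin_utc is not None:
        ts = datetime.fromisoformat(begin_utc)
        if ts.tzinfo is None:
            raise ValueError("begin_utc must carry a UTC offset")
        begin = ET.SubElement(root, "{%s}Exclusive_Begin_Timestamp" % TAXII_11_NS)
        begin.text = ts.astimezone(timezone.utc).isoformat()
    params = ET.SubElement(root, "{%s}Poll_Parameters" % TAXII_11_NS, {"allow_asynch": "false"})
    ET.SubElement(params, "{%s}Response_Type" % TAXII_11_NS).text = "FULL"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def describe_poll_request(xml_bytes: bytes) -> dict:
    """Read back the fields libtaxii prints for a Poll_Request (what was actually sent)."""
    root = ET.fromstring(xml_bytes)
    begin = root.find("{%s}Exclusive_Begin_Timestamp" % TAXII_11_NS)
    rtype = root.find("{%s}Poll_Parameters/{%s}Response_Type" % (TAXII_11_NS, TAXII_11_NS))
    return {
        "collection": root.get("collection_name"),
        "message_id": root.get("message_id"),
        "begin": None if begin is None else begin.text,
        "response_type": None if rtype is None else rtype.text,
    }


def poll(collection: str, api_key: str, api_secret: str, hours: float = 24,
         url: str = POLL_URL) -> bytes:
    """POST the request over verified TLS and return the raw Poll_Response body."""
    since = (datetime.now(timezone.utc) - timedelta(hours=hours)).isoformat()
    req = urllib.request.Request(
        require_https(url), data=build_poll_request(collection, since), method="POST",
        headers={**TAXII_HEADERS, "Authorization": basic_auth_header(api_key, api_secret)})
    ctx = ssl.create_default_context()  # verifies the server certificate chain and hostname
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


if __name__ == "__main__":
    print(build_poll_request("collection-indicator-IP", "2019-03-11T23:12:34+00:00").decode())
```

Run without arguments it prints the serialized request; poll() is the only function that contacts the server, and it only ever does so over a verified TLS connection.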

Collection Management

python collection_information_client.py -u https://taxii.trustar.co/services/collection-management --username <API key> --pass <API secret>

collection_information_client.py is the libtaxii script that sends the Collection_Information_Request shown below. Note that the sample response advertises http:// poll and subscription addresses; use the https:// service URLs listed under TAXII Services and do not let your client follow a plaintext address, since the API key and secret travel with every request.

Sample Response

Request:

Message Type: Collection_Information_Request
Message ID: 2357215507238313583

Response:

Message Type: Collection_Information_Response
Message ID: 4748931395125127784; In Response To: 2357215507238313583
Contains 9 Collection Informations
=== Data Collection Information ===
Collection Name: collection-indicator-url
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-IP
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-MD5
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-SHA1
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-SHA256
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-SOFTWARE
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-EMAIL_ADDRESS
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-REGISTRY_KEY
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-CIDR_BLOCK
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

Optional Parameters

python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --time <Time_in_UTC :00:00:000> --username <API key> --pass <API secret> --cert <MyCert.crt> --key <MyKey.key> --proxy http://myproxy.example.com:80 --xml-output


STIX Package with additional metadata

Sample indicator from a package that includes metadata (a description carrying the source and tags, confidence, sightings and producer):

<stix:Indicator id="example:indicator-8aad8469-1054-4f06-84ab-9460c98bf24e" timestamp="2020-04-15T17:14:31.607354+00:00" xsi:type="indicator:IndicatorType">
  <indicator:Title>IP</indicator:Title>
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
  <indicator:Description>IOC from Virus Total. Tags: [tag1, tag2]</indicator:Description>
  <indicator:Observable id="example:Observable-78b22981-4365-4521-8086-f713635be7a4">
    <cybox:Object id="example:Address-b6e908ac-8839-44f6-a872-e1469dd0d4af">
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value>12.5.37.3</AddressObj:Address_Value>
      </cybox:Properties>
    </cybox:Object>
  </indicator:Observable>
  <indicator:Confidence timestamp="2020-04-15T17:14:31.608393+00:00">
    <stixCommon:Value>1</stixCommon:Value>
  </indicator:Confidence>
  <indicator:Sightings sightings_count="1366">
    <indicator:Sighting timestamp="2020-04-15T14:14:31.608613+00:00"/>
  </indicator:Sightings>
  <indicator:Producer>
    <stixCommon:Identity>
      <stixCommon:Name>TruStar</stixCommon:Name>
    </stixCommon:Identity>
  </indicator:Producer>
</stix:Indicator>
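
An added example (not TruSTAR code) that parses a package in the format above and vets the IP indicators before they reach a blocklist. The sample package is constructed from the page's fragment: the STIX_Package wrapper, the xmlns declarations and a second indicator carrying an RFC 1918 address are added so that it parses as a document and exercises the check. Function names, the tag-extraction pattern and the confidence threshold are this example's own assumptions.

```python
"""Parse indicators out of a TruSTAR STIX 1.1 package and vet them before loading
them into a blocklist. Added example; not TruSTAR code."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# STIX 1.1 / CybOX 2 namespace URIs for the prefixes used in the page's fragment.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: the page's indicator wrapped in a STIX_Package with the xmlns
# declarations the fragment omits, plus a made-up second indicator with an RFC 1918
# address, the kind of entry a blocklist must not ingest.
SAMPLE_PACKAGE = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package version="1.1" id="example:Package-constructed-1"
 xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:stixCommon="http://stix.mitre.org/common-1"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-8aad8469-1054-4f06-84ab-9460c98bf24e"
   timestamp="2020-04-15T17:14:31.607354+00:00" xsi:type="indicator:IndicatorType">
   <indicator:Title>IP</indicator:Title>
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
   <indicator:Description>IOC from Virus Total. Tags: [tag1, tag2]</indicator:Description>
   <indicator:Observable id="example:Observable-78b22981-4365-4521-8086-f713635be7a4">
    <cybox:Object id="example:Address-b6e908ac-8839-44f6-a872-e1469dd0d4af">
     <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
      <AddressObj:Address_Value>12.5.37.3</AddressObj:Address_Value>
     </cybox:Properties></cybox:Object></indicator:Observable>
   <indicator:Confidence><stixCommon:Value>1</stixCommon:Value></indicator:Confidence>
   <indicator:Sightings sightings_count="1366">
    <indicator:Sighting timestamp="2020-04-15T14:14:31.608613+00:00"/></indicator:Sightings>
   <indicator:Producer><stixCommon:Identity><stixCommon:Name>TruStar</stixCommon:Name>
   </stixCommon:Identity></indicator:Producer>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-00000000-0000-4000-8000-000000000002"
   timestamp="2020-04-15T17:14:31.700000+00:00" xsi:type="indicator:IndicatorType">
   <indicator:Title>IP</indicator:Title>
   <indicator:Description>Constructed entry. Tags: [internal]</indicator:Description>
   <indicator:Observable id="example:Observable-constructed-2">
    <cybox:Object id="example:Address-constructed-2">
     <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
      <AddressObj:Address_Value>10.0.0.5</AddressObj:Address_Value>
     </cybox:Properties></cybox:Object></indicator:Observable>
   <indicator:Confidence><stixCommon:Value>1</stixCommon:Value></indicator:Confidence>
   <indicator:Sightings sightings_count="3"/>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>
"""

TAG_RE = re.compile(r"Tags:\s*\[([^\]]*)\]")  # "Tags: [a, b]" as seen in the Description


def parse_indicators(xml_text: str) -> List[dict]:
    """Flatten each stix:Indicator into a dict. Address values come from AddressObj; the
    page shows no sample for other object types (hashes, URLs), so the fallback takes
    the first text-bearing element under cybox:Properties."""
    out = []
    for ind in ET.fromstring(xml_text).iterfind(".//stix:Indicator", NS):
        desc = ind.findtext("indicator:Description", default="", namespaces=NS)
        value = ind.findtext(".//AddressObj:Address_Value", namespaces=NS)
        if value is None:
            props = ind.find(".//cybox:Properties", NS)
            texts = [] if props is None else [e.text.strip() for e in props.iter() if e.text and e.text.strip()]
            value = texts[0] if texts else None
        conf = ind.findtext("indicator:Confidence/stixCommon:Value", namespaces=NS)
        sightings = ind.find("indicator:Sightings", NS)
        tags = TAG_RE.search(desc)
        out.append({
            "id": ind.get("id"),
            "type": ind.findtext("indicator:Title", default="", namespaces=NS),
            "value": value,
            "confidence": int(conf) if conf and conf.strip().isdigit() else None,
            "sightings": 0 if sightings is None else int(sightings.get("sightings_count", "0")),
            "tags": [t.strip() for t in tags.group(1).split(",") if t.strip()] if tags else [],
        })
    return out


def vet_ip(ind: dict, min_confidence: int = 1) -> Tuple[bool, str]:
    """Gate an IP indicator before it reaches a firewall or proxy blocklist: reject values
    that are not IP addresses, addresses that are not globally routable (RFC 1918,
    loopback, link-local, multicast, ...) and low-confidence entries. The confidence
    scale is not documented on this page, so the threshold is an assumption."""
    if ind["type"] != "IP":
        return False, "not an IP indicator"
    try:
        ip = ipaddress.ip_address(ind["value"])
    except (TypeError, ValueError):
        return False, "malformed address: %r" % (ind["value"],)
    if not ip.is_global:
        return False, "non-global address %s" % ip
    if ind["confidence"] is None or ind["confidence"] < min_confidence:
        return False, "confidence below %d" % min_confidence
    return True, "ok"


def blocklist(xml_text: str) -> List[str]:
    """Values that pass vet_ip, deduplicated, in feed order."""
    seen, out = set(), []
    for ind in parse_indicators(xml_text):
        if vet_ip(ind)[0] and ind["value"] not in seen:
            seen.add(ind["value"])
            out.append(ind["value"])
    return out


if __name__ == "__main__":
    for ind in parse_indicators(SAMPLE_PACKAGE):
        print(ind["value"], ind["tags"], vet_ip(ind))
```

On the sample, 12.5.37.3 passes and 10.0.0.5 is rejected as non-global; the same gate applied to a real poll result keeps an upstream tagging mistake in a shared enclave from turning into a self-inflicted outage.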

Troubleshooting

Please reach out to support@trustar.co for any additional questions.

