TruSTAR TAXII Server

Updated 1 week ago by Elvis Hovor

This document provides a description of the TruSTAR TAXII server which provides access to Indicators in STIX and TAXII format.

Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS. It enables organizations to share information using an API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX, although it can share data in other formats as well.

The current version of the TruSTAR TAXII server is TruSTAR_TAXIIv3.0.

TruSTAR also provides a TAXII client intelligence source through the Marketplace. This is a convenient way to ingest intelligence from other TAXII services into your TruSTAR Enclaves.

Features

  • Exports Indicators from TruSTAR Enclaves using your choice of STIX format.
  • Exports indicators within a specified time window.
  • Discovers all available services with the TruSTAR TAXII Server.
The TruSTAR TAXII service provides a subset of Indicators from the TruSTAR platform. Any query to a collection returns all Indicators in that collection that were submitted in the last 24 hours to any Enclaves you have access to.

TAXII Services

The TruSTAR TAXII server supports the following TAXII services:

TAXII Service

Description

Poll

Request information from a TAXII Server.

URL: https://taxii.trustar.co/services/poll

Collection-Management

Request information about available Data Collections or request a subscription.

URL: https://taxii.trustar.co/services/collection-management

Discovery

Discover available TAXII Services.

URL: https://taxii.trustar.co/services/discovery

TAXII Collections

The TruSTAR TAXII Server offers the following IOC collections:

#

Collection Name

Description

1

collection-indicator-IP

Collection of all IP addresses.

2

collection-indicator-URL

Collection of all URL’s.

3

collection-indicator-MD5

Collection of all MD5 hashes.

4

collection-indicator-SHA1

Collection of all SHA1 hashes.

5

collection-indicator-SHA256

Collection of all SHA256 hashes.

6

collection-indicator-EMAIL_ADDRESS

Collection of all email addresses.

7

collection-indicator-REGISTRY_KEY

Collection of all registry keys.

8

collection-indicator-BITCOIN_ADDRESS

Collection of all bitcoin addresses.

9

collection-indicator-MALWARE

Collection of all malware names.

10

collection-indicator-THREAT ACTOR 

Collection of all threat actor names.

11

collection-indicator-PHONE NUMBERS

Collection of all TruSTAR phone number indicators.

12

collection-indicators-details

Collection of all Indicators of types listed above with the metadata information.

13

collection-indicator-ALL

Collection of all available Indicators of types listed above

GUI Configuration

If your TAXII client meets the requirements listed above, you do not need to download or install any additional files in order to connect to the TruSTAR TAXII server. You can use the client GUI to connect to the discovery service or the collection management service and find all collections available for download.

For example, if you are using Log Rhythm Threat Intelligence Services, you can use that TAXII client to connect to TruSTAR's TAXII server. More details on connecting to TruSTARs TAXII server using LogRhythm can be found here.

  1. Select the Add a STIX/TAXII Provider button. You now see a TAXII client setup page.
  2. Fill out the Information as it applies to your client:
  • TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
  • Username: This is your TruSTAR API Key. Finding Your API Keys
  • Password: This is your TruSTAR API Secret.
  • Certificate Authentication: Leave unchecked and ignore Certificate Password and Certificate Path.
  • Threat Provider Name: Use any name your of choice (Ex: "TruSTAR" or "TruSTAR Sharing Group IOCs")

You now see the list of available collections and you can select which ones to access via the TAXII client.

Command Line Usage

To query the TruSTAR TAXII server from the command line, TruSTAR recommends creating a Python 3 virtual environment, activating it, and pip-installing the libtaxii library. Anytime that virtual environment is activated, you can poll any TAXII server (including TruSTAR's) from the command-line by following the libtaxii project's documentation.

Other open-source TAXII clients:

TruSTAR TAXII Server Parameters

Description

Libtaxii parameter

Required

Value

URL to connect

-u, --url

Yes

Always use: https://taxii.trustar.co/services/

Username

--username

Yes

Use your TruSTAR API Key. Finding Your API Keys

Example: >>>......--username aca05832-f1a0-0184-8f67-5741fffe7a14......

Password

--pass

Yes

User your TruSTAR API Secret.

Example: >>>......--pass Tzw4FLIX0rW338i7jYU3UgU0......

Collection to use

--collection

Yes

See next section

Example: >>>.....--collection collection-indicator-IP.......

Time

--time

No

Specify a "from" time

Example:>>>..... -t <Time_in_UTC :00:00:000>

Allows the user to specify a "from" time; the TAXII server will return all Indicators from the Enclaves you have View (or higher) access to whose "timeUpdated" attribute is between the time you specify in this parameter and the present moment.

Default is last 24 hours.

Proxy

--proxy

No

Specify a proxy

Example: >>>.....--proxy http://myproxy.example.com:80........

Cert

--cert

No

Specify a certificate file

Example: >>>.....--cert <MyCert.crt> 

Cert Key

--key

No

Only needed if you use the --cert parameter

Example: >>> --key MyKey.key

Output

--xml-output or --json-output

No

Specify a STIX file output. The default is XML.

Example:>>> --xml-output or json-output

Client Calls and Responses

This section lists the libtaxii client calls and responses.

Discovery
python discovery_client.py -u https://taxii.trustar.co/services/discovery --username <API Credential> --pass <API key>

Sample Response

Request:

Message Type: Discovery_Request
Message ID: 377306701207002283

Response:

Message Type: Discovery_Response
Message ID: 6034388875283072057; In Response To: 377306701207002283
=== Service Instance ===
Service Type: POLL
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: Trustar indicator Poll Service description
=== Service Instance ===
Service Type: DISCOVERY
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://taxii.trustar.co/services/discovery
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: Trustar Discovery Service description
=== Service Instance ===
Service Type: COLLECTION_MANAGEMENT
Service Version: urn:taxii.mitre.org:services:1.1
Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
Service Address: https://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
Available: True
Message: Trustar Collection Management Service description
Poll a Specific Collection
python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --username <API Credential> --pass <API key>

Sample Response

Request:

Message Type: Poll_Request
Message ID: 3641663190328146359
Collection Name: collection-indicator-IP
Excl. Begin TS Label: None
Incl. End TS Label: None
=== Poll_Parameters ===
Response type: FULL

Response:

Message Type: Poll_Response
Message ID: 3685762672097258501; In Response To: 3641663190328146359
Collection Name: collection-indicator-IP
More: False
Result ID: None
Result Part Num: 1
=== Content Block ===
Content Binding: urn:stix.mitre.org:xml:1.1>IP
Content length: 78959
(Content not printed for brevity)
Timestamp Label: 2019-03-12 23:12:34.222823+00:00
Message: None
Padding: None

File created: collection-indicator-IP_STIX11_t2019_03_12T23_12_34_222823_00_00.xml
Collection Management
python poll_client.py -u https://taxii.trustar.co/services/collection-management --username <API Credential> --pass <API key>

Sample Response

Request:

Message Type: Collection_Information_Request
Message ID: 2357215507238313583

Response:

Message Type: Collection_Information_Response
Message ID: 4748931395125127784; In Response To: 2357215507238313583
Contains 9 Collection Informations
=== Data Collection Information ===
Collection Name: collection-indicator-url
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-IP
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-MD5
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-SHA1
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-SHA256
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-SOFTWARE
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-EMAIL_ADDRESS
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-REGISTRY_KEY
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================

=== Data Collection Information ===
Collection Name: collection-indicator-CIDR_BLOCK
Collection Type: DATA_SET
Available: True
Collection Description: None
Supported Content: All
=== Polling Service Instance ===
Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
Poll Address: http://taxii.trustar.co/services/poll
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
=== Subscription Service ===
Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
Address: http://taxii.trustar.co/services/collection-management
Message Binding: urn:taxii.mitre.org:message:xml:1.0
Message Binding: urn:taxii.mitre.org:message:xml:1.1
==================================
Optional Parameters
python poll_client.py -u https://taxii.trustar.co/services/poll -- collection collection-indicator-IP --time <Time_in_UTC :00:00:000> --username <API Credential> --pass <API key> --key <MyKey.key> --username<api_key> --proxy <http://myproxy.example.com:80> --xml-output 

STIX Package with additional metadata
<stix:Indicator id="example:indicator-8aad8469-1054-4f06-84ab-9460c98bf24e" timestamp="2020-04-15T17:14:31.607354+00:00" xsi:type="indicator:IndicatorType">
<indicator:Title>IP</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
<indicator:Description>IOC from Virus Total. Tags: [tag1, tag2]</indicator:Description>
<indicator:Observable id="example:Observable-78b22981-4365-4521-8086-f713635be7a4">
<cybox:Object id="example:Address-b6e908ac-8839-44f6-a872-e1469dd0d4af">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>12.5.37.3</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Confidence timestamp="2020-04-15T17:14:31.608393+00:00">
<stixCommon:Value>1</stixCommon:Value>
</indicator:Confidence>
<indicator:Sightings sightings_count="1366">
<indicator:Sighting timestamp="2020-04-15T14:14:31.608613+00:00"/>
</indicator:Sightings>
<indicator:Producer>
<stixCommon:Identity>
<stixCommon:Name>TruStar</stixCommon:Name>
</stixCommon:Identity>
</indicator:Producer>
</stix:Indicator>

Troubleshooting

Please contact support@trustar.co for any additional questions.


How Did We Do?