STIX-TAXII

  • Updated on Feb 10, 2025
  • Published on Jul 11, 2023
Prev Next
Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

STIX Data from a TAXII Service

✅

stix_taxii

JSON

Collection URL

Overview

About STIX

STIXâ„¢ (Structured Threat Information Expression) is a language and serialization format used to exchange cyber threat intelligence (CTI).

STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.

STIX-TAXII and Hunters Integration

Hunters supports ingestion of STIX data via interacting with TAXII servers.

TAXIIâ„¢ (Trusted Automated Exchange of Intelligence Information) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner.

TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII is specifically designed to support the exchange of CTI represented in STIX.

Hunters STIX connector allows you to collect all of your STIX data and aggregate the IOCs from all your STIX services to a single source-of-truth table. Ingested Indicator IOCs are then available in our dedicated leads enrichments and out-of-the-box detections.

Supported Data Types

As mentioned above, Hunters supports the ingestion of STIX data via interacting with TAXII interfaces. The Hunters STIX-TAXII collector allows connections to any kind of TAXII server, providing any data in STIX format which is written into the stix_taxii table.

However, only STIX Indicator IOCs are incorporated in our dedicated enrichments and detections. This data type is recognized by a "type": "indicator" field in the data.

Sending Data To Hunters

In order for Hunters to collect your data you will need to provide Hunters a TAXII server details. Mostly it’s a server collection URL, a Username and a Password, although some TAXII servers are public and thus have no Password or Username required. Please note that TAXII servers typically have multiple URLs available for different requirements, the URL required for Hunters integration is the Collection URL (typically {your-taxii-server-main-url}/collection/. You’ll also need to provide Hunters with the server version - STIX/TAXII versions 2.1 (preferred) and 2.0 are supported, other versions are not supported.

In addition to the connection details, you’ll need to provide Hunters with Collection IDs you’d want to ingest to Hunters. From the TAXII documentation: A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers.

Some STIX services share their connection details and Collection IDs online, and some services expose them to subscribed customers only (either via a customer portal or customer support, etc.).

After getting the relevant details from the STIX service, use them in the Hunters platform for setting up the ingestion.