TAXII 2.1
To retrieve data from the ThreatConnect TAXII 2.1 server via the TAXII REST API, you must use a TAXII user account. If you do not have a TAXII user account, see the “Creating a TAXII User” section of the Using the ThreatConnect TAXII 2.1 Server knowledge base article.
Authentication
The TAXII REST API uses basic authentication, which is completed using the username and password of your TAXII user account.
Required Headers
The Accept header must be set to application/taxii+json;version=2.1.
Supported Endpoints
Refer to the following table descriptions of each available API endpoint on the ThreatConnect TAXII 2.1 server and supported HTTP method(s) for each endpoint.
Endpoint |
Method(s) |
Description |
|---|---|---|
|
GET |
Retrieve information about the ThreatConnect TAXII 2.1 server |
|
GET |
Retrieve information about all collections available on the ThreatConnect TAXII 2.1 server |
|
GET |
Retrieve information about a specific collection available on the ThreatConnect TAXII 2.1 server |
|
GET |
Retrieve manifest information about the contents of a specific collection available on the ThreatConnect TAXII 2.1 server |
|
GET |
Retrieve all objects from a specific collection available on the ThreatConnect TAXII 2.1 server |
|
GET |
Retrieve information about the TAXII 2.1 server and available API Roots |
Available Parameters
Parameters included in common STIX™ 2.1 frameworks are supported for the API endpoints listed in the preceding table.
Example Requests and Responses
GET /tc/taxii/
curl --location --request GET 'https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii' --header 'Accept: application/taxii+json;version=2.1' --header 'Authorization: Basic {REPLACE THIS WITH BASIC AUTH}'
JSON Response
{
"description": "This TAXII 2.1 server contains Indicators of Compromise from the ThreatConnect API Root.",
"title": "ThreatConnect TAXII 2.1 Server API Root",
"versions": [
"application/taxii+json;version=2.1"
],
"max_content_length": 100
}
GET /tc_taxii/collections
curl --location --request GET 'https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii/collections' --header 'Accept: application/taxii+json;version=2.1' --header 'Authorization: Basic {REPLACE THIS WITH BASIC AUTH}'
JSON Response
{
"collections": [
{
"description": "ThreatConnect Organization: Example Organization",
"title": "Example Organization",
"id": "a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1",
"type": "Organization",
"can_read": true,
"media_types": [
"application/taxii+json; version=2.1"
],
"alias": "Example Organization",
"can_write": false
},
{
"description": "ThreatConnect Community: Example Community",
"title": "Example Community",
"id": "b2b2b2b2-b2b2-b2b2-b2b2-b2b2b2b2b2b2",
"type": "Community",
"can_read": true,
"media_types": [
"application/taxii+json; version=2.1"
],
"alias": "Example Community",
"can_write": false
},
{...}
]
}
GET /tc_taxii/collections/{collection_id or org_name}/
curl --location --request GET 'https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii/collections/Example%20Organization' --header 'Accept: application/taxii+json;version=2.1' --header 'Authorization: Basic {REPLACE THIS WITH BASIC AUTH}'
JSON Response
{
"title": "Example Organization",
"can_read": true,
"description": "ThreatConnect Organization: Example Organization",
"can_write": false,
"type": "Organization",
"alias": "Example Organization",
"id": "a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1",
"media_types": [
"application/taxii+json; version=2.1"
]
}
GET /tc_taxii/collections/{collection_id or org_name}/manifest/
curl --location --request GET 'https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii/collections/Example%20Organization/manifest' --header 'Accept: application/taxii+json;version=2.1' --header 'Authorization: Basic {REPLACE THIS WITH BASIC AUTH}'
JSON Response
{
"objects": [
{
"version": "2021-12-13T20:37:44.000Z",
"media_types": "application/taxii+json;version=2.1",
"id": "indicator--a8029d03-e2dd-5fa2-a083-6668ba20e1a8",
"date_added": "2021-12-13T20:37:44.000Z"
},
{
"version": "2021-03-09T12:09:52.000Z",
"media_types": "application/taxii+json;version=2.1",
"id": "indicator--0f3b5690-fe26-5ee0-a1b0-3657cbae1af0",
"date_added": "2021-03-09T12:09:52.000Z"
},
{...}
]
}
GET /tc_taxii/collections/{collection_id or org_name}/objects/
curl --location --request GET 'https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii/collections/Example%20Organization/objects?limit=10' --header 'Accept: application/taxii+json;version=2.1' --header 'Authorization: Basic {REPLACE THIS WITH BASIC AUTH}'
JSON Response
{
"next": "10",
"objects": [
{
"name": "TLP:AMBER",
"type": "marking-definition",
"definition_type": "tlp",
"spec_version": "2.1",
"created": "2017-01-20T00:00:00.000Z",
"definition": {
"tlp": "amber"
},
"id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
},
{
"name": "badguy.com",
"type": "indicator",
"spec_version": "2.1",
"pattern": "[domain-name:value = 'badguy.com']",
"valid_from": "2018-09-18T17:46:56.000Z",
"indicator_types": [
"malicious-activity"
],
"labels": [
"hacker”,
"Threat Rating: High"
],
"x_threat_rating": 4,
"confidence": 84,
"lang": "en",
"created": "2018-09-18T17:46:56.000Z ",
"description": "Malicious actor with tires to hacker networks.",
"modified": "2021-12-13T20:37:44.000Z",
"object_marking_refs": [
"marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
],
"pattern_type": "stix",
"id": "indicator--c3c3c3c3-c3c3-c3c3-c3c3-c3c3c3c3c3c3"
},
{...}
],
"more": true
}
Note
The request in this example includes the limit query parameter.
GET /taxii2/
curl --location --request GET 'https://app.threatconnect.com/api/services/taxii2/v1/taxii2' --header 'Accept: application/taxii+json;version=2.1' --header 'Authorization: Basic {REPLACE THIS WITH BASIC AUTH}'
JSON Response
{
"title": "ThreatConnect TAXII 2.1 Server",
"contact": "[email protected]",
"api_roots": [
"https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii"
],
"description": "This TAXII 2.1 server contains Indicators of Compromise from ThreatConnect.",
"default": "https://app.threatconnect.com/api/services/taxii2/v1/tc_taxii"
}