Incoming feed - TAXII 2.1 poll#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport type

TAXII 2.1 poll

Content type

STIX 2.1

Ingested data

See STIX compatibility

Processed data

This feed polls a remote TAXII 2.1 server to retrieve STIX 2.1 data and ingests them.

Configure the feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select TAXII 2.1 poll from the drop-down menu.

    Content type*

    Select STIX 2.1 from the drop-down menu.

    Auto Discovery

    Use this field to automatically set the API Root URL and Collection ID fields here.

    Enter a target TAXII 2.1 discovery endpoint URL and press Enter or select the Search icon (Search icon).

    This displays a list of collections available at the discovery endpoint.

    Tip

    To access a discovery endpoint that requires basic authentication, select Basic authentication before setting this field.

    API Root URL*

    Set this to a target API root.

    This can be automatically set with the **Auto

    Collection ID*

    Enter the collection ID of a target collection.

    Basic authentication

    Select to use basic authentication when connecting to the target TAXII 2.1 server. Fill out the Username and Password field that displays.

    Added after

    Select a date and time.

    Only ingest data added after this date from the target TAXII 2.1 server.

    If left empty, this feed assumes an Added after date of January 1st, 1970.

    Objects per run (max)

    Default: 100

    Set the maximum number of STIX 2.1 objects that this feed retrieves per request.

    Download time frame

    Select a windowing strategy when downloading data from the target TAXII 2.1 server.

    • Advancing: Only download objects added to the target collection since the last time packages were downloaded from it.

    • Fixed: Always download all objects added since the Added after date.

      The IC deduplicates entities when it processes the downloaded objects.

    TLS verification

    Selected by default. Select this option to enable SSL for this feed.

    Extra HTTP headers

    Select + ADD to add custom HTTP headers to send when making requests to the target collection.

    Two fields will appear:

    • Enter the header name in the left field. E.g.: X-EXAMPLE-DATE

    • Enter the header value in the right field. E.g.: 2002-04-01T21:03:05.123456Z

  3. Under Schedule, set an Execution schedule.

  4. Store your changes by selecting Save.

Known issues#

See STIX 2.1 Known Issues.