Outgoing feed - TAXII 2.1 push

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

Specifications

Transport type: TAXII 2.1 push

Content type: STIX 2.1

Published data: For more information on STIX 2.1 support, see STIX compatibility.

Overview

This outgoing feed publishes STIX 2.1 packages to a target remote TAXII 2.1 server.

To host a TAXII 2.1 server on the Intelligence Center that users can retrieve data from instead, see Outgoing feed - TAXII 2.1 poll.

Requirements

  • A remote TAXII 2.1 server to publish data to.

  • Network access between the Intelligence Center and the TAXII 2.1 server.

  • A collection to write to on the TAXII 2.1 server.

  • A user with write access to that collection.

  • Username and password for that user.

Configure the outgoing feed

  1. Create or edit an outgoing feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Transport type*: Select TAXII 2.1 push from the drop-down menu.

    Content type*: Select STIX 2.1 from the drop-down menu.

    Datasets*: Select one or more existing datasets from the drop-down menu.

    Update strategy*: Select an update strategy. Supported update strategies:

      • APPEND

      • REPLACE

    Auto Discovery*: (Optional) To list all collections available for your credentials:

      1. Enter your Username and Password for the remote TAXII 2.1 server in the fields below.

      2. Enter the discovery endpoint for your remote TAXII 2.1 server.

        For example: https://taxii.example.com/taxii2/

    API Root URL*: Enter the API root URL for the collection you want this outgoing feed to push data to.

      For example: https://taxii.example.com/example-api-root-name/

    Collection ID*: Enter the identifier for the collection that you want this outgoing feed to push data to.

      This can be a UUID or an alias. For example:

      • f81d4fae-7dec-11d0-a765-00a0c91e6bf6

      • or critical-high-value-indicators

      For more information, see the TAXII 2.1 specifications.

    Username*: Enter your user name for the remote TAXII 2.1 server.

    Password*: Enter your password for the remote TAXII 2.1 server.

    TLS verification: Selected by default.

    Extra HTTP headers: Select + ADD to add custom HTTP headers to send when making requests to the target collection.

      Two fields will appear:

      • Enter the header name in the left field. E.g.: X-EXAMPLE-DATE

      • Enter the header value in the right field. E.g.: 2002-04-01T21:03:05.123456Z

    Processing > Observable and Enrichment Observable types > Observable types: If your selected dataset(s) include indicator entities that do not have a STIX 2.1-compatible test mechanism defined, you must include observable types here.

      See Known issues below for more information.

  3. Store your changes by selecting Save.
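
A pre-flight check for the values entered in step 2, as an added example that is not part of the original documentation or the product's code: it resolves a Collection ID or alias against a collections listing, confirms write access, and builds the request a TAXII 2.1 push sends to the collection. The sample listing, the user name and password, the second collection, and the use of HTTP Basic authentication are assumptions.

```python
import base64
import json
from urllib.parse import quote, urlsplit

TAXII_MEDIA = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

# Constructed sample of a GET {api-root}/collections/ response (not real data).
SAMPLE_COLLECTIONS = json.loads("""{"collections": [
  {"id": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "title": "High value",
   "alias": "critical-high-value-indicators", "can_read": true, "can_write": true},
  {"id": "0a1b2c3d-0000-4000-8000-000000000001", "title": "Read only",
   "alias": "read-only-feed", "can_read": true, "can_write": false}]}""")

def find_writable_collection(collections_doc, id_or_alias):
    """Return the collection matching a UUID or alias if the user may write to it."""
    for col in collections_doc.get("collections", []):
        if id_or_alias in (col.get("id"), col.get("alias")):
            if not col.get("can_write", False):
                raise PermissionError(f"no write access to {id_or_alias!r}")
            return col
    raise LookupError(f"{id_or_alias!r} is not listed for these credentials")

def build_push_request(api_root, collection_id, username, password, extra_headers=None):
    """Return (url, headers) for POST {api-root}/collections/{id}/objects/."""
    if urlsplit(api_root).scheme != "https":
        # Assumption: HTTP Basic auth, so credentials travel with every request.
        raise ValueError("API root URL must use https")
    url = f"{api_root.rstrip('/')}/collections/{quote(collection_id, safe='')}/objects/"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Accept": TAXII_MEDIA, "Content-Type": TAXII_MEDIA,
               "Authorization": f"Basic {token}"}
    reserved = {name.lower() for name in headers}
    for name, value in (extra_headers or {}).items():
        if name.lower() in reserved:
            raise ValueError(f"extra header {name!r} would override a required header")
        headers[name] = value
    return url, headers

if __name__ == "__main__":
    col = find_writable_collection(SAMPLE_COLLECTIONS, "critical-high-value-indicators")
    url, headers = build_push_request(
        "https://taxii.example.com/example-api-root-name/", col["id"],
        "feed-user", "example-password", {"X-EXAMPLE-DATE": "2002-04-01T21:03:05.123456Z"})
    print(url)
    print({k: ("<redacted>" if k == "Authorization" else v) for k, v in headers.items()})
```
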

Known issues

See STIX 2.1 Known Issues.