Threat Intel TAXII2 API
Overview
Trusted Automated Exchange of Intelligence Information (TAXII) is a protocol used to exchange Cyber Threat Intelligence (CTI) data over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models and is specifically designed to support the exchange of CTI represented in STIX format.
Structured Threat Information eXpression (STIX) is a language format used to exchange CTI. A STIX feed typically contains indicator objects, malware objects and relationship objects; relationship objects express the association between indicator and malware objects. The STIX feed conveys CTI data in a form that can be easily understood, and it is the common language that both parties, client and server, use to communicate.
TAXII and STIX are open-source standards developed to improve the prevention and mitigation of cyber-attacks. STIX describes what the cyber threat intelligence data is, and TAXII is the vehicle by which that information is relayed: TAXII is the main transport mechanism for CTI represented in STIX.
Carbon Black Threat Intelligence feeds use the Collection Management TAXII service to query the list of available feeds. As mentioned, STIX provides the CTI data in a feed. Feeds contain CTI data drawn from Collections; a Collection is an interface to a database of CTI objects provided by a TAXII Server, and TAXII Clients use it to send or request information from the TAXII Server. It is common to use the term Feed when referring to STIX CTI threat data, with the understanding that a CTI Feed is made up of information from a Collection of CTI objects.
Note: Carbon Black Threat Intelligence feeds support the TAXII 2.1 specification and the STIX 2.1 schema.
Available Feeds and Collections
The Threat Intelligence TAXII2 service supports three read-only collections:
- threat-alert - provides indicators of compromise related to previously undocumented, actionable intelligence on critical or potentially critical attacks. Approximately one new entry is added to the threat-alert collection each week.
- malicious-uri - consists of new high-confidence malicious URI indicators, added daily, with risk level 8 or above. This feed contains a few thousand indicators per day. The malicious-uri feed combines the malware-uri and phishing-uri feeds into a single feed.
- malicious-file - consists of new malicious file SHA-256 indicators. This feed contains a few thousand indicators per day.
Requirements
- Any Carbon Black Cloud product
- API key with appropriate permissions from the Carbon Black Cloud console
Authentication
Take a look at the Carbon Black Cloud API Access Guide for complete instructions on the generic API calls. All Carbon Black Cloud APIs and Services authenticate via API Keys. To access the Carbon Black Threat Intel TAXII2 APIs, you must set up an API Key using the predefined "Threat Intelligence" Access Level, which contains the correct Role-Based Access Control permissions.
Environment
Available in the majority of environments. Use the Carbon Black Cloud Console URL as described here. Keep in mind that the Threat Intel TAXII2 API URLs do not include the org key as part of their URL structure.
API Key
When creating your API Key, use the Access Level Type of "Custom" and select "Threat Intelligence". Details on constructing and passing the API Key in your requests are available here. You can create either one key that is shared, or one key per user.
Threat Intel TAXII2 APIs
Provides access to Cyber Threat Intelligence (CTI) using TAXII 2.1, which carries the JSON-based STIX 2 format and supports a richer set of CTI information.
List Collections
Request
GET {cbc-hostname}/api/threat-intel/v1/taxii2/feeds/collections
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | OK | application/json | Example response below |
400 | Bad Request | application/json | N/A |
403 | Forbidden | application/json | N/A |
429 | Too Many Requests | application/json | N/A |
500 | Internal Server Error | application/json | N/A |
Examples
GET https://defense.conferdeploy.net/api/threat-intel/v1/taxii2/feeds/collections
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
  "collections": [
    {
      "id": "threat-alert",
      "title": "Threat Alert Reports",
      "description": "This data collection contains threat alert reports",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    },
    {
      "id": "malicious-file",
      "title": "Malicious Files",
      "description": "This data collection contains malicious file sha256s",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    },
    {
      "id": "malicious-uri",
      "title": "Malicious URIs",
      "description": "This data collection contains malicious uris",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    }
  ]
}
curl https://defense.conferdeploy.net/api/threat-intel/v1/taxii2/feeds/collections \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
  "collections": [
    {
      "id": "threat-alert",
      "title": "Threat Alert Reports",
      "description": "This data collection contains threat alert reports",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    },
    {
      "id": "malicious-file",
      "title": "Malicious Files",
      "description": "This data collection contains malicious file sha256s",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    },
    {
      "id": "malicious-uri",
      "title": "Malicious URIs",
      "description": "This data collection contains malicious uris",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    }
  ]
}
Explore Feeds
Request
GET {cbc-hostname}/api/threat-intel/v1/taxii2/feeds/collections/{collection}/objects
Query Parameters
Field | Description | Data Type | Values |
---|---|---|---|
added_after | Optional: Filter feed objects added after this timestamp. If not specified, objects from the last month are returned. | Timestamp | 2024-01-01T00:00:00.0000000Z |
request_id | Optional: Supply customer information for tracking requests coming from the API or Browser Extension. | String | CB-CI1234 |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | OK | application/json | Example response below |
400 | Bad Request | application/json | N/A |
403 | Forbidden | application/json | N/A |
429 | Too Many Requests | application/json | N/A |
500 | Internal Server Error | application/json | N/A |
Examples
GET https://defense.conferdeploy.net/api/threat-intel/v1/taxii2/feeds/collections/threat-alert/objects?added_after=2024-01-01T00:00:00.0000000Z
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
  "type": "bundle",
  "id": "bundle--ce9eeac2-ff80-4353-832c-e530b8800667",
  "next": "2",
  "more": true,
  "objects": [
    {
      "pattern": "[file:hashes.'SHA-256' = 'b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9']",
      "pattern_type": "stix",
      "valid_from": "2024-01-04T11:49:23.568Z",
      "confidence": 100,
      "spec_version": "2.1",
      "type": "indicator",
      "id": "indicator--984c51b8-ab01-421f-9f02-7ace7fb8b8b4",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    },
    {
      "name": "Cardinal",
      "primary_motivation": "Ransomware",
      "threat_actor_types": [
        "NA"
      ],
      "aliases": [
        "Black Basta"
      ],
      "spec_version": "2.1",
      "type": "threat-actor",
      "id": "threat-actor--23c1a01e-7fc1-49d6-951e-d8158f9cc61e",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    },
    {
      "name": "Cobalt Strike",
      "description": "An off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files. It ostensibly has legitimate uses as a penetration testing tool but is invariably exploited by malicious actors.",
      "tool_types": [
        "NA"
      ],
      "spec_version": "2.1",
      "type": "tool",
      "id": "tool--f49fb0e1-d820-4120-98a9-20dfca078c57",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    },
    {
      "name": "GhostDriver Tool Used in Black Basta Attacks",
      "description": "Symantec has observed threat actors using a relatively new tool called GhostDriver to disable antivirus software on targeted machines before the deployment of the Black Basta ransomware. GhostDriver leverages the bring your own vulnerable driver (BYOVD) attack technique to bypass security products. The threat actors also utilized Impacket modules to remotely execute commands on compromised machines, and BITSAdmin for lateral deployment of the ransomware.",
      "object_refs": [
        "indicator--984c51b8-ab01-421f-9f02-7ace7fb8b8b4",
        "tool--f49fb0e1-d820-4120-98a9-20dfca078c57",
        "threat-actor--23c1a01e-7fc1-49d6-951e-d8158f9cc61e"
      ],
      "report_types": [
        "threat-report"
      ],
      "published": "2024-01-04T11:49:23.568Z",
      "spec_version": "2.1",
      "type": "report",
      "id": "report--aab81101-5228-4ba0-9421-a2d590d420b4",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    }
  ]
}
curl https://defense.conferdeploy.net/api/threat-intel/v1/taxii2/feeds/collections/threat-alert/objects?added_after=2024-01-01T00:00:00.0000000Z \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
  "type": "bundle",
  "id": "bundle--ce9eeac2-ff80-4353-832c-e530b8800667",
  "next": "2",
  "more": true,
  "objects": [
    {
      "pattern": "[file:hashes.'SHA-256' = 'b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9']",
      "pattern_type": "stix",
      "valid_from": "2024-01-04T11:49:23.568Z",
      "confidence": 100,
      "spec_version": "2.1",
      "type": "indicator",
      "id": "indicator--984c51b8-ab01-421f-9f02-7ace7fb8b8b4",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    },
    {
      "name": "Cardinal",
      "primary_motivation": "Ransomware",
      "threat_actor_types": [
        "NA"
      ],
      "aliases": [
        "Black Basta"
      ],
      "spec_version": "2.1",
      "type": "threat-actor",
      "id": "threat-actor--23c1a01e-7fc1-49d6-951e-d8158f9cc61e",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    },
    {
      "name": "Cobalt Strike",
      "description": "An off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files. It ostensibly has legitimate uses as a penetration testing tool but is invariably exploited by malicious actors.",
      "tool_types": [
        "NA"
      ],
      "spec_version": "2.1",
      "type": "tool",
      "id": "tool--f49fb0e1-d820-4120-98a9-20dfca078c57",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    },
    {
      "name": "GhostDriver Tool Used in Black Basta Attacks",
      "description": "Symantec has observed threat actors using a relatively new tool called GhostDriver to disable antivirus software on targeted machines before the deployment of the Black Basta ransomware. GhostDriver leverages the bring your own vulnerable driver (BYOVD) attack technique to bypass security products. The threat actors also utilized Impacket modules to remotely execute commands on compromised machines, and BITSAdmin for lateral deployment of the ransomware.",
      "object_refs": [
        "indicator--984c51b8-ab01-421f-9f02-7ace7fb8b8b4",
        "tool--f49fb0e1-d820-4120-98a9-20dfca078c57",
        "threat-actor--23c1a01e-7fc1-49d6-951e-d8158f9cc61e"
      ],
      "report_types": [
        "threat-report"
      ],
      "published": "2024-01-04T11:49:23.568Z",
      "spec_version": "2.1",
      "type": "report",
      "id": "report--aab81101-5228-4ba0-9421-a2d590d420b4",
      "created": "2024-01-04T11:49:23.568Z",
      "modified": "2024-01-04T11:49:23.568Z"
    }
  ]
}
Fields
List Collections
Field | Definition | Data Type | Values |
---|---|---|---|
collections | List of STIX collections | Array | Supported properties: id, title, description, can_read, can_write, media_types |
Explore Feeds
Field | Definition | Data Type | Values |
---|---|---|---|
type | Result type | String | bundle - collection of arbitrary STIX Objects grouped together in a single container |
id | Unique id for the bundle | String | N/A |
next | Used for paging | String | N/A |
more | Indicates if there are more pages in the collection | Boolean | true, false |
objects | Collection of STIX 2 objects | Array | STIX Domain Objects |
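As an added example (not part of this documentation or the Carbon Black SDK), the following Python consumer pulls a collection's objects with added_after, follows the next/more paging fields described above, and extracts SHA-256 values from STIX indicator patterns, dropping anything below a confidence floor. It assumes the TAXII 2.1 convention of echoing the bundle's next value back as a next query parameter; fetch is a placeholder for an authenticated GET carrying X-AUTH-TOKEN, and is replaced here by a constructed two-page sample so the code runs offline.

```python
import re
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SHA256_RE = re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-f]{64})'")

def objects_url(host: str, collection: str, added_after: str, next_token: Optional[str] = None) -> str:
    # Explore Feeds URL; echoing `next` back as a query parameter is TAXII 2.1 paging (assumed here).
    params = {"added_after": added_after}
    if next_token:
        params["next"] = next_token
    return f"{host}/api/threat-intel/v1/taxii2/feeds/collections/{collection}/objects?{urlencode(params)}"

def iter_objects(fetch: Callable[[str], dict], host: str, collection: str, added_after: str, max_pages: int = 100) -> Iterator[dict]:
    # Walk pages until `more` is false; max_pages bounds a server that never stops paging.
    token = None
    for _ in range(max_pages):
        bundle = fetch(objects_url(host, collection, added_after, token))
        yield from bundle.get("objects", [])
        if not bundle.get("more") or not bundle.get("next"):
            return
        token = bundle["next"]

def sha256_indicators(objs, min_confidence: int = 80) -> List[str]:
    # Keep only STIX-pattern indicators carrying a SHA-256 at or above the confidence floor.
    found = []
    for o in objs:
        if o.get("type") != "indicator" or o.get("pattern_type") != "stix":
            continue
        if o.get("confidence", 0) < min_confidence:
            continue
        found.extend(SHA256_RE.findall(o.get("pattern", "")))
    return found

# Constructed two-page sample shaped like the bundle above; not a live server response.
FAKE_PAGES = {
    None: {"type": "bundle", "next": "2", "more": True, "objects": [
        {"type": "indicator", "pattern_type": "stix", "confidence": 100,
         "pattern": "[file:hashes.'SHA-256' = 'b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9']"},
        {"type": "tool", "name": "Cobalt Strike"}]},
    "2": {"type": "bundle", "more": False, "objects": [
        {"type": "indicator", "pattern_type": "stix", "confidence": 50,
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"}]},
}

def fake_fetch(url: str) -> dict:  # stands in for an authenticated GET with X-AUTH-TOKEN
    return FAKE_PAGES[parse_qs(urlparse(url).query).get("next", [None])[0]]

def demo() -> List[str]:
    return sha256_indicators(iter_objects(fake_fetch, "https://defense.conferdeploy.net", "threat-alert", "2024-01-01T00:00:00.0000000Z"))
```

The low-confidence indicator on the second page is walked but filtered out, so demo() returns only the SHA-256 from the first page.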
Last modified on June 17, 2025