Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

TAXII 2.1 Integration Guide

cloud integrations taxii threat intelligence byoti

The following instructions are for configuring TAXII 2.1 to ingest threat indicators into Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector.


The Preview release is limited to 10,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.

TAXII 2.1 Requirements

A TAXII 2.1 Root URL, Collection ID, Username, and Password are required to integrate with Taegis™ XDR.

Data Provided from Integration

TAXII 2.1 Collections containing the following data types:

Add Integration in Taegis™ XDR

  1. From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Choose Set up TAXII.

Create a New TAXII 2.1 Integration

Create a New TAXII 2.1 Integration

  1. Enter the following fields:

    • Integration Name — Name that this integration will use in Taegis™ XDR
    • Severity — Default severity to use for alerts
    • TAXII 2.1 Root URL
    • TAXII 2.1 Collection ID
    • TAXII 2.1 Username
    • TAXII 2.1 Password
  2. Select Done. The Cloud API Integrations page displays with the successfully added TAXII 2.1 integration.

Once the preceding steps are completed, TAXII 2.1 integration details are available on Cloud APIs. From the XDR left-hand side navigation, select Integrations → Cloud APIs.

Alert Severity

Alerts generated by indicators ingested via TAXII use the severity set on the Taegis™ XDR integration.

Example Query Language Searches

To search for Bring Your Own Threat Intel Alerts from the last 24 hours:

from alert metadata.creator.detector.detector_id='app:detect:byoti' and EARLIEST=-24h


On this page: