TAXII 2.1 Integration Guide
The following instructions are for configuring TAXII 2.1 to ingest threat indicators into Secureworks® Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector.
Note: There is a limit of 15,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.
TAXII 2.1 Requirements
A TAXII 2.1 Root URL, Collection ID, Username, and Password are required to integrate with XDR.
Data Provided from Integration
The integration ingests indicators from TAXII 2.1 collections containing the following data types:
- IP Address
- Domain
- URL
- Filehash (SHA1, SHA256, MD5)
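As an added example (not Secureworks code), the script below shows what XDR will and will not pick up from a TAXII 2.1 collection: it classifies STIX indicators into the four ingested types above, flags anything else as unsupported, and applies the 15,000 per-tenant cap by dropping the oldest indicators. It assumes single-comparison STIX patterns and that revoked indicators do not count toward the cap; the objects endpoint path and Accept header are the standard TAXII 2.1 ones, and the sample envelope is constructed.

```python
import json
import re

ACTIVE_INDICATOR_LIMIT = 15_000  # per-tenant cap stated in this guide

# STIX 2.1 object path -> the XDR indicator type the guide lists as ingested.
SUPPORTED_PATHS = {
    "ipv4-addr:value": "IP Address", "ipv6-addr:value": "IP Address",
    "domain-name:value": "Domain", "url:value": "URL",
    "file:hashes.'SHA-1'": "Filehash", "file:hashes.'SHA-256'": "Filehash",
    "file:hashes.MD5": "Filehash",
}
# Single-comparison STIX pattern: [<path> = '<value>']. Compound patterns are
# reported as unsupported (assumption: the guide does not say how XDR treats them).
SINGLE_COMPARISON = re.compile(r"^\[\s*([\w\-]+:[\w.'\-]+)\s*=\s*'([^']*)'\s*\]$")

def taxii_objects_request(root_url, collection_id):
    """Objects endpoint and Accept header for polling a TAXII 2.1 collection."""
    url = f"{root_url.rstrip('/')}/collections/{collection_id}/objects/"
    return url, {"Accept": "application/taxii+json;version=2.1"}

def classify(envelope):
    """Split a TAXII envelope into (supported indicators, unsupported object ids)."""
    supported, unsupported = [], []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # only live STIX indicators count toward the cap (assumption)
        m = SINGLE_COMPARISON.match(obj.get("pattern", ""))
        if m and m.group(1) in SUPPORTED_PATHS:
            supported.append({"id": obj["id"], "created": obj["created"],
                              "kind": SUPPORTED_PATHS[m.group(1)], "value": m.group(2)})
        else:
            unsupported.append(obj["id"])
    return supported, unsupported

def retained(indicators, limit=ACTIVE_INDICATOR_LIMIT):
    """Apply the cap as the guide describes: keep the newest, drop the oldest."""
    return sorted(indicators, key=lambda i: i["created"], reverse=True)[:limit]

# Constructed sample envelope, not taken from any real feed.
SAMPLE = json.loads("""{"objects": [
 {"type":"indicator","id":"indicator--1","created":"2024-01-01T00:00:00Z","pattern":"[ipv4-addr:value = '203.0.113.5']"},
 {"type":"indicator","id":"indicator--2","created":"2024-01-02T00:00:00Z","pattern":"[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
 {"type":"indicator","id":"indicator--3","created":"2024-01-03T00:00:00Z","pattern":"[domain-name:value = 'example.net']"},
 {"type":"indicator","id":"indicator--4","created":"2024-01-04T00:00:00Z","pattern":"[email-addr:value = 'x@example.net']"},
 {"type":"malware","id":"malware--1","created":"2024-01-05T00:00:00Z","name":"sample"}]}""")

if __name__ == "__main__":
    ok, bad = classify(SAMPLE)
    print(f"ingestable: {len(ok)}  unsupported: {bad}  kept after cap: {len(retained(ok))}")
```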
Add Integration in XDR
1. From the Taegis Menu, select Integrations → Cloud APIs.
2. Select Add an Integration from the top of the page.
   (Screenshot: Add an Integration)
3. From the Optimized tab, choose TAXII.
4. Enter the following fields:
   - Integration Name — Name that this integration will use in XDR
   - Severity — Default severity to use for alerts
   - TAXII 2.1 Root URL
   - TAXII 2.1 Collection ID
   - TAXII 2.1 Username
   - TAXII 2.1 Password
   (Screenshot: Create a New TAXII 2.1 Integration)
5. Select Done. The Cloud API Integrations page displays with the successfully added TAXII 2.1 integration.
Once the preceding steps are completed, the TAXII 2.1 integration details are available on the Cloud APIs page. From the Taegis Menu, select Integrations → Cloud APIs.
Alert Severity
Alerts generated by indicators ingested via TAXII use the severity set when configuring the XDR integration.
Example Query Language Searches
To search for Bring Your Own Threat Intel Alerts from the last 24 hours:
from alert metadata.creator.detector.detector_id='app:detect:byoti' and EARLIEST=-24h
Related Topics
- Viewing API Integration Status and Health
- Delete an Integration
- Bring Your Own Threat Intel Detector