🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

TAXII 2.1 Integration Guide

cloud integrations taxii threat intelligence byoti


The following instructions are for configuring TAXII 2.1 to ingest threat indicators into Secureworks® Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector.

Note

There is a limit of 15,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.

TAXII 2.1 Requirements

A TAXII 2.1 Root URL, Collection ID, Username, and Password are required to integrate with XDR.

Data Provided from Integration

TAXII 2.1 Collections containing the following data types:

Add Integration in XDR

  1. From the Taegis Menu, select Integrations → Cloud APIs.

  2. Select Add an Integration from the top of the page.

Add an Integration

Add an Integration

  1. From the Optimized tab, choose TAXII.

  2. Enter the following fields:

    • Integration Name — Name that this integration will use in XDR
    • Severity — Default severity to use for alerts
    • TAXII 2.1 Root URL
    • TAXII 2.1 Collection ID
    • TAXII 2.1 Username
    • TAXII 2.1 Password

Create a New TAXII 2.1 Integration

Create a New TAXII 2.1 Integration

  1. Select Done. The Cloud API Integrations page displays with the successfully added TAXII 2.1 integration.

    Once the preceding steps are completed, TAXII 2.1 integration details are available on Cloud APIs. From the Taegis Menu, select Integrations → Cloud APIs.

Alert Severity

Alerts generated by indicators ingested via TAXII use the severity set when configuring the XDR integration.

Example Query Language Searches

To search for Bring Your Own Threat Intel Alerts from the last 24 hours:

from alert metadata.creator.detector.detector_id='app:detect:byoti' and EARLIEST=-24h

 

On this page: