TAXII 2.1 Integration Guide
cloud integrations taxii threat intelligence byoti
The following instructions are for configuring TAXII 2.1 to ingest threat indicators into Secureworks® Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector.
Note
The Preview release is limited to 10,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.
TAXII 2.1 Requirements ⫘
A TAXII 2.1 Root URL, Collection ID, Username, and Password are required to integrate with XDR.
Data Provided from Integration ⫘
TAXII 2.1 Collections containing the following data types:
- IP Address
- Domain
- URL
- Filehash (SHA1, SHA256, MD5)
Add Integration in XDR ⫘
- From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
- Choose Set up TAXII.
Create a New TAXII 2.1 Integration
-
Enter the following fields:
- Integration Name — Name that this integration will use in XDR
- Severity — Default severity to use for alerts
- TAXII 2.1 Root URL
- TAXII 2.1 Collection ID
- TAXII 2.1 Username
- TAXII 2.1 Password
-
Select Done. The Cloud API Integrations page displays with the successfully added TAXII 2.1 integration.
Once the preceding steps are completed, TAXII 2.1 integration details are available on Cloud APIs. From the XDR left-hand side navigation, select Integrations → Cloud APIs.
Alert Severity ⫘
Alerts generated by indicators ingested via TAXII use the severity set on the XDR integration.
Example Query Language Searches ⫘
To search for Bring Your Own Threat Intel Alerts from the last 24 hours:
from alert metadata.creator.detector.detector_id='app:detect:byoti' and EARLIEST=-24h
Related Topics ⫘
Viewing API Integration Status and Health ⫘
Delete an Integration ⫘
Bring Your Own Threat Intel Detector ⫘