STIXTAXII

STIXTAXII, often written STIX-TAXII, refers to the integrated use of the Structured Threat Information Expression (STIX) language with the Trusted Automated eXchange of Indicator Information (TAXII) protocol to automate the exchange of cyber threat intelligence (CTI). STIX provides a formal data model for describing indicators, threat actors, campaigns, intrusion sets, techniques and procedures, incidents, and related actions, while TAXII defines the RESTful services and messaging patterns used to distribute and retrieve CTI over HTTP.

In practice, the combination enables organizations to share machine-readable threat information at scale. STIX 2.x is commonly used and encoded in JSON, focusing on a simplified, extensible data model for CTI, whereas TAXII 2.x provides a modern REST API with endpoints for discovery, collections, and object retrieval. Older generations included STIX 1.x with TAXII 1.x. The STIX-TAXII stack supports various exchange patterns, such as publishing to or pulling from collections, and can support filters, versioning, and access controls to manage what data is shared.

Common implementations and ecosystems include open and commercial platforms and libraries that support STIX-TAXII, such as CTI sharing platforms, security information and event management (SIEM) integrations, and threat intelligence platforms. Open-source tools provide TAXII servers and STIX validation, while client libraries enable programmatic access to CTI feeds. The STIX-TAXII framework is governed by OASIS standards bodies for both STIX and TAXII, and it remains a central mechanism for automating threat data distribution across organizations and communities.
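
The pull pattern, filters and versioning described above, as an added Python example that is not part of the original page or of any STIX-TAXII project: it builds a TAXII 2.1 object-retrieval URL with the `added_after` and `match[type]` filters, then reduces a returned envelope to the newest non-revoked version of each indicator. The function names, the `taxii.example` host, the collection id and the envelope contents are constructed for illustration.

```python
import json
import re
from datetime import datetime
from urllib.parse import urlencode

# Constructed TAXII 2.1 envelope (sample data, trimmed to the fields used here).
ENVELOPE = json.loads("""{"more": false, "objects": [
 {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
  "modified": "2024-03-01T10:00:00.000Z", "pattern": "[domain-name:value = 'old.example']"},
 {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
  "modified": "2024-03-05T09:30:00.000Z", "pattern": "[domain-name:value = 'new.example']"},
 {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
  "modified": "2024-03-02T00:00:00.000Z", "pattern": "[ipv4-addr:value = '192.0.2.10']"},
 {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
  "modified": "2024-03-06T00:00:00.000Z", "revoked": true, "pattern": "[ipv4-addr:value = '192.0.2.10']"},
 {"type": "malware", "id": "malware--33333333-3333-4333-8333-333333333333",
  "modified": "2024-03-03T00:00:00.000Z", "name": "sample"},
 {"type": "indicator", "id": "indicator--not-a-uuid", "modified": "2024-03-07T00:00:00.000Z"}
]}""")

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def objects_url(api_root, collection_id, added_after=None, types=()):
    """Build a TAXII 2.1 object-retrieval URL with added_after / match[type] filters."""
    params = {}
    if added_after:
        params["added_after"] = added_after
    if types:
        params["match[type]"] = ",".join(types)
    query = "?" + urlencode(params) if params else ""
    return f"{api_root.rstrip('/')}/collections/{collection_id}/objects/{query}"

def parse_ts(value):
    """Parse a STIX timestamp (RFC 3339, UTC 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def latest_active(envelope, wanted_type):
    """Newest version of each well-formed object of wanted_type, minus revoked ones."""
    newest = {}
    for obj in envelope.get("objects", []):
        prefix, _, uuid_part = obj.get("id", "").partition("--")
        if obj.get("type") != wanted_type or prefix != wanted_type:
            continue  # do not rely on the server-side match[type] filter alone
        if not UUID_RE.match(uuid_part) or "modified" not in obj:
            continue  # malformed identifier or missing version timestamp
        current = newest.get(obj["id"])
        if current is None or parse_ts(obj["modified"]) > parse_ts(current["modified"]):
            newest[obj["id"]] = obj
    return [o for o in newest.values() if not o.get("revoked", False)]
```

Comparing parsed timestamps rather than raw strings keeps version ordering correct when feeds mix sub-second precisions.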