STIX and TAXII support



Hi all,


Anyone used minemeld with STIX and TAXII? While we're pretty familiar with STIX/TAXII, we've only just booted minemeld for the first time.






This would be very helpful for those of us in the Financial Industry who want to pull in the FS-ISAC feed.

Hi MGBerkowitz,

I will work on it. We already have customers collecting FS-ISAC indicators in Soltra Edge and then using MineMeld to enforce active indicators from Soltra Edge on our NGFW platforms. This way they can conduct manual analysis of indicators on Soltra Edge and use MineMeld to select the active indicators.


I will keep you posted on the progress of this feature.





Ok so I hacked in certificate support this afternoon. This is just that - a hack (it's not configurable and uses the same cert for any taxii collection).

Once the changes were made I cloned the existing halitaxii prototype and created one with the relevant URL, user creds and collection name. Worked first go!

Does anyone have a list of what STIX vocab is supported by minemeld? It pulled a chunk of data in - but only showed a very small subset of indicators as a result. Guessing it doesn't understand everything we publish. Would be great to get a list so we know what is and isn't supported (and possibly suggest some additions) 🙂




def configure(self):
        super(TaxiiClient, self).configure()

        self.discovery_service = self.config.get('discovery_service', None)
        self.username = self.config.get('username', None)
        self.password = self.config.get('password', None)
++        self.key_file = '/opt/certs/browsc-key.pem'
++        self.cert_file = '/opt/certs/browsc-cert.pem'
        self.collection = self.config.get('collection', None)
        self.prefix = self.config.get('prefix',
        self.ca_file = self.config.get('ca_file', None)
        self.confidence_map = self.config.get('confidence_map', {
            'low': 40,
            'medium': 60,
            'high': 80
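Review bot: the two `++` lines in configure() pin the client certificate to fixed paths (`/opt/certs/browsc-key.pem`, `/opt/certs/browsc-cert.pem`) instead of reading them from the miner config like every other field in this method; suggest `self.key_file = self.config.get('key_file', None)` and `self.cert_file = self.config.get('cert_file', None)` so each TAXII collection can carry its own certificate, which is exactly the limitation the post describes. The private key file should also be readable only by the account the miner runs as. As pasted, the `self.prefix = self.config.get('prefix',` line and the `confidence_map` dict are cut off, so the snippet will not parse as shown.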

    def _build_taxii_client(self):
        result = libtaxii.clients.HttpClient()

        up = urlparse.urlparse(self.discovery_service)

        if up.scheme == 'https':

        if self.username and self.password:
++            result.set_auth_type(libtaxii.clients.HttpClient.AUTH_CERT_BASIC)
--            result.set_auth_type(libtaxii.clients.HttpClient.AUTH_BASIC)
                'username': self.username,
++                'password': self.password,
--                'password': self.password
++                'key_file': self.key_file,
++                'cert_file': self.cert_file

        if self.ca_file is not None:

        return result
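Review bot: in _build_taxii_client() the switch to `AUTH_CERT_BASIC` is unconditional whenever a username and password are set, so once key_file/cert_file come from config a collection that has no certificate configured would fail; suggest choosing `AUTH_CERT_BASIC` only when both `self.key_file` and `self.cert_file` are set and keeping `AUTH_BASIC` otherwise (libtaxii also offers `AUTH_CERT` for certificate-only collections). The `set_auth_credentials(...)` call that should wrap the credentials dict is not visible in the paste, nor are the bodies of the `https` branch and the `ca_file` branch (where `set_use_https(True)` and `set_verify_server(True, ca_file=self.ca_file)` would go), so the function is incomplete as shown; please post the full version so the CA verification path can be reviewed too.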

Hi ScottyAU,

That's great! Thanks for testing this. I will include something similar in the next release.

Currently the TAXII Miner supports indicators with observables of type DomainNameObjectType, AddressObjectType, URIObjectType. It can easily be extended to support additional types.

What type of indicators are you receiving via TAXII?





Hi Luigi,


This is STIX packages that we (CERT Australia) produce currently and push out to partners.  We're looking at minemeld in the event we have any partner companies that want to use it to talk to us.


The STIX elements we use are:

* Package
* Indicator
* CourseOfAction
* KillChain / KillChainPhase


Our Indicators typically contain one or more CybOX Observables, each of which describes a CybOX Object. Our STIX packages will potentially include the following CybOX Object types:

* Address
* DomainName
* EmailAddress
* EmailMessage
* File
* HTTPSession
* SocketAddress
* WinRegistryKey





Hi Scotty,

I could easily add support for those additional indicator types; if you could send me an email we can talk about the detailed requirements. My email is





Will do!

For posterity: client certificates are supported in the TAXII miner since MM version 0.9.12

Hey Luigi,


Is there any way for the initial poll to be for a longer historic period?

It just does an hour prior to current time.

So the last year or two of data is not pulled in - because the begin and end timestamp is only the previous hour to when the job was run.




Not yet, but for a while I have wanted to expose it in the config.

ER minemeld-core #18 has been created to track this; it should make it into the next minor release.
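As an added illustration of what a configurable initial look-back would involve (example code written for this thread, not MineMeld's own): the first poll reaches back `initial_interval` instead of a fixed hour, later polls resume from the previous poll's end timestamp, and the optional `max_span` chunking is an assumption of this example, so a multi-year backfill is requested in bounded windows.

```python
from datetime import datetime, timedelta, timezone

ONE_HOUR = timedelta(hours=1)  # the current fixed look-back described in the thread


def taxii_timestamp(dt):
    """Render a timezone-aware datetime as the UTC ISO 8601 label used for TAXII poll bounds."""
    return dt.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')


def poll_window(now, last_end=None, initial_interval=ONE_HOUR, max_span=None):
    """Return (begin, end) datetimes for the next TAXII poll (hypothetical helper).

    now              -- current time, timezone-aware
    last_end         -- end timestamp of the previous successful poll, or None on first run
    initial_interval -- how far back the very first poll reaches (configurable look-back)
    max_span         -- optional cap on one window, so a long backfill is fetched in chunks
    """
    if now.tzinfo is None:
        raise ValueError('now must be timezone-aware')
    begin = now - initial_interval if last_end is None else last_end
    if begin > now:
        # Clock skew or a corrupted checkpoint: never request a window in the future.
        begin = now
    end = now
    if max_span is not None and end - begin > max_span:
        end = begin + max_span
    return begin, end


def backfill_windows(now, initial_interval, max_span):
    """Split the initial look-back into consecutive windows of at most max_span each."""
    windows = []
    last_end = None
    while True:
        begin, end = poll_window(now, last_end, initial_interval, max_span)
        windows.append((begin, end))
        if end >= now:
            return windows
        last_end = end  # next chunk starts exactly where this one stopped


if __name__ == '__main__':
    now = datetime.now(timezone.utc)
    for b, e in backfill_windows(now, timedelta(days=730), timedelta(days=30)):
        print(taxii_timestamp(b), '->', taxii_timestamp(e))
```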
