Learn more about STIX and TAXII and how they enhance intelligence sharing


STIX is a language for having a standardized language for the representation of cyberthreat information. Similar to TAXII (see below), it is not a sharing program or tool, but rather a component that supports programs or tools.

One of the things that sometimes causes confusion with STIX constructs is whether to use incident or indicator. If you are aiming to provide a history for further analysis or follow-up, you have to use an incident construct. If you want to build a list of items to look for, use an indicator construct.

The eight indicator constructs include:

  • Observable (activity)
  • Indicator (what to watch)
  • Incident (where)
  • TTP
  • Exploit Target
  • Campaign (why)
  • Threat actor – (who)
  • Course of action

Find STIX information here and TAXII information here.

TAXII defines a set of services and message exchanges that enable sharing of actionable threat information across organizationals, products, and services. TAXII is not an information sharing program and does not define trust agreements. Rather, it is a set of specifications for exchanging cyberthreat information to help organizations share information with their partners.

TAXII has the following three sharing models:

  • Hub and Spoke: One central clearinghouse
  • Source/Subscriber: One organization is the single source of information
  • Peer-to-Peer: Multiple organizations share their information

How ThreatConnect
supports STIX-TAXII

Using our TAXII server, all ThreatConnect customers can collect and send STIX-formatted threat intelligence while also connecting compatible TAXII clients directly to indicator watchlists in ThreatConnect. Our TAXII server serves up ThreatConnect-exclusive metrics like observations, false positives, and ThreatAssess scores that can’t be found anywhere else. It enables information to be digested even faster, maximizing the time to identify and mitigate threats. ThreatConnect’s powerful combination of STIX and its API for machine-sharing for human analysis creates a complete solution for all businesses and communities whether ISACs (Information Sharing and Analysis Centers), ISAOs (Information Sharing and Analysis Organizations), or a community formed by a single enterprise with its partners.