taxii-add-observed-ip
Wraps the ip field value of each record passed through the pipeline as an IPv4Address STIX Cyber Observable and adds it as an ObservedData object to the specified TAXII 2.x collection. Use this command to publish observed IP addresses to a TAXII server.
Command properties
| Property | Description |
|---|---|
| Command type | Transforming |
| Required permission | User permission |
| License usage | Not counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- profile=profile_name: Name of the TAXII connect profile to use.
- apiroot=api_root_name: Name of the TAXII API root to add the object to. Required.
- id=collection_id: Collection ID (GUID format) to add the object to. Required.
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| ip | string or IP address | Required | IP address to add to the TAXII collection |
| _time | timestamp | Optional | Observation time. Uses the current time if omitted. |
Output fields
Passes through the input record as-is. If an error occurs, an _error field is appended.
| Field | Type | Description |
|---|---|---|
| _error | string | Error message if an error occurs |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 201800 | No available TAXII profile found. | No available TAXII profile exists |
| 201801 | Specify valid TAXII profile. | The specified TAXII profile name is invalid |
| 201802 | Specify apiroot option | The apiroot option was not specified |
| 201803 | Specify id option | The id option was not specified |
| 201804 | check GUID format of TAXII id option | The id option is not in GUID format |
Description
For each record passed through the pipeline, the command wraps the ip field value as an IPv4Address STIX Cyber Observable, creates an ObservedData object, and adds it to the specified TAXII collection. If the _time field is present, it is used as the observation time (first_observed, last_observed); otherwise, the current time is used.
If the ip field is not a valid IP address or the TAXII server request fails, the error message is recorded in the _error field and the record is passed through as-is.
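The object pair described above, sketched in Python as an added example (not the command's own code). It assumes STIX 2.1 object shapes and a TAXII 2.1 envelope, treats only IPv4 values as valid, and uses a hypothetical build_envelope helper; the _error text and the sample records are constructed.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 specification defines for deterministic (UUIDv5) SCO ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

def stix_time(dt):
    """Format an aware datetime as a STIX timestamp (UTC, millisecond precision)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def build_envelope(record, now=None):
    """Return (envelope, record); on a bad ip the envelope is None and _error is set."""
    out = dict(record)  # the input record is passed through as-is
    try:
        ip = str(ipaddress.IPv4Address(str(record.get("ip"))))
    except ValueError as exc:
        out["_error"] = f"invalid ip: {exc}"  # constructed message text
        return None, out
    now = now or datetime.now(timezone.utc)
    observed = stix_time(record.get("_time") or now)  # _time is optional
    # An ipv4-addr id is derived from the canonical JSON of its "value" property,
    # so the same address always maps to the same SCO id.
    name = json.dumps({"value": ip}, separators=(",", ":"))
    sco = {"type": "ipv4-addr", "spec_version": "2.1",
           "id": f"ipv4-addr--{uuid.uuid5(SCO_NAMESPACE, name)}", "value": ip}
    observed_data = {
        "type": "observed-data", "spec_version": "2.1",
        "id": f"observed-data--{uuid.uuid4()}",
        "created": stix_time(now), "modified": stix_time(now),
        "first_observed": observed, "last_observed": observed,
        "number_observed": 1, "object_refs": [sco["id"]],
    }
    return {"objects": [sco, observed_data]}, out

if __name__ == "__main__":
    # Constructed sample records: with _time, without _time, and an invalid ip.
    samples = [
        {"ip": "192.0.2.10", "_time": datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)},
        {"ip": "198.51.100.7"},
        {"ip": "10.0.0.256"},
    ]
    for rec in samples:
        envelope, passed = build_envelope(rec)
        print(json.dumps(envelope, indent=2) if envelope else passed["_error"])
```

Because the ipv4-addr id is deterministic, republishing the same address yields a new ObservedData object that references the same SCO id.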
Examples
- Add observed IP addresses to a TAXII collection

  table sonar_event_00001 | fields _time, src_ip | rename src_ip as ip | taxii-add-observed-ip profile="my-taxii" apiroot="taxii" id="12345678-1234-1234-1234-123456789abc"

  Retrieves source IPs from the event table and adds them as observed IP objects to the TAXII collection.