taxii-objects
Retrieves STIX (Structured Threat Information eXpression) domain objects from a specific collection on a TAXII 2.x server. Use this command to fetch threat intelligence data.
Command properties
| Property | Description |
|---|---|
| Command type | Driver query |
| Required permission | User permission |
| License usage | Not counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
taxii-objects profile=profile_name apiroot=api_root_name id=collection_id
Options
profile=profile_name- Name of the TAXII connect profile to use. You can specify multiple profiles separated by commas.
apiroot=api_root_name- Name of the TAXII API root from which to retrieve objects. Required.
id=collection_id- Collection ID (GUID format) from which to retrieve objects. Required.
Output fields
| Field | Type | Description |
|---|---|---|
| profile | string | Connect profile name |
| index | string | Index of the cyber observable object within an ObservedData object |
| type | string | STIX object type |
| id | string | STIX object ID |
| created | timestamp | Object creation time |
| modified | timestamp | Object last modified time |
| revoked | boolean | Whether the object is revoked |
| labels | array | List of labels assigned to the object |
| first_observed | timestamp | First observation time (for ObservedData type) |
| last_observed | timestamp | Last observation time (for ObservedData type) |
| objects | array | List of cyber observable objects (for ObservedData type) |
| value | string | Object value (e.g., IP address) |
| _error | string | Error message if an error occurs |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 201800 | No available TAXII profile found. | No available TAXII profile exists |
| 201801 | Specify valid TAXII profile. | The specified TAXII profile name is invalid |
| 201802 | Specify apiroot option | The apiroot option was not specified |
| 201803 | Specify id option | The id option was not specified |
| 201804 | check GUID format of TAXII id option | The id option is not in GUID format |
Description
Retrieves STIX domain objects from a specific collection on the TAXII server. Fetches a maximum of 10,000 objects. ObservedData-type objects are output as a structure that includes a list of cyber observable objects; other types output the STIX object's fields directly. You can find the collection ID using the taxii-collections command.
Examples
-
Retrieve STIX objects from a collection
taxii-objects profile="my-taxii" apiroot="taxii" id="12345678-1234-1234-1234-123456789abc"Retrieves the list of STIX objects from the specified collection using the
my-taxiiconnect profile.