ThreatBolt™ TAXII 2.1 Integration
CyberXTron's ThreatBolt™ TAXII 2.1 server enables external TAXII clients to securely retrieve high-fidelity threat intelligence data from the CyberXTron platform, including Indicators of Compromise (IOCs).
By configuring the ThreatBolt TAXII 2.1 endpoint and setting up the required TAXII user credentials, MSSPs, SOCs, and enterprise customers can automate threat feed ingestion directly into their existing SIEM, TIP, or SOAR solutions.
Before You Start
User Roles
To access the ThreatBolt TAXII REST API and retrieve data, a dedicated TAXII user account is required.
- The user must have the role of Threat Intelligence Standard User
The CyberXTron team will provision and enable user access. Contact support@cyberxtron.com to request a TAXII user account.
Prerequisites
Before establishing TAXII integration, ensure the following:
- A valid TAXII user account has been created within CyberXTron's ThreatBolt platform
- The corresponding collections (e.g., IOCs) are enabled for TAXII access
- The client system supports the TAXII 2.1 protocol and HTTPS connections
Authentication
ThreatBolt TAXII 2.1 uses Basic Authentication to validate TAXII client requests.
The CyberXTron team will share credentials (username and password) separately. Do not attempt to create credentials yourself.
Connection Details
| Parameter | Value |
|---|---|
| API Root URL | https://taxii.cyberxtron.com/taxii2 |
| Protocol | TAXII 2.1 over HTTPS |
| Authentication | Basic Auth |
| Username | Shared separately |
| Password | Shared separately |
| Polling Frequency | Daily (recommended) |
Collections
The following IOC collections are available on the ThreatBolt TAXII 2.1 server:
| Collection Name | Collection ID |
|---|---|
| Xtron Malicious-IP | a01909b0-532f-4193-8dfd-e6d0a7750659 |
| Xtron Malicious-DOMAIN | ba6f3eda-66be-4b0b-a6d1-2383203658cc |
| Xtron Malicious-URL | f8eed9fa-8495-4a58-bf71-e7ad9a4d3d6e |
| Xtron Malicious-HASH | 311c5c54-e6b4-4328-a17a-de84e68be12f |
Available Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /taxii | GET | Retrieve information about the ThreatBolt TAXII 2.1 server |
| /taxii2 | GET | Retrieve TAXII 2.1 server info and available API roots - [Discovery URL] |
| /taxii2/collections | GET | Retrieve information about all available collections |
| /taxii2/collections/{collectionId} | GET | Retrieve information about a specific collection |
| /taxii2/collections/{collectionId}/objects | GET | Retrieve all objects from a specific collection |
Example Requests
Discover the TAXII Server
curl -u "YOUR_USERNAME:YOUR_PASSWORD" \
-H "Accept: application/taxii+json;version=2.1" \
https://taxii.cyberxtron.com/taxii2
List All Collections
curl -u "YOUR_USERNAME:YOUR_PASSWORD" \
-H "Accept: application/taxii+json;version=2.1" \
https://taxii.cyberxtron.com/taxii2/collections
Get Objects from a Collection
# Example: Retrieve all Malicious IPs
curl -u "YOUR_USERNAME:YOUR_PASSWORD" \
-H "Accept: application/taxii+json;version=2.1" \
https://taxii.cyberxtron.com/taxii2/collections/a01909b0-532f-4193-8dfd-e6d0a7750659/objects
Get Objects Added After a Specific Date
curl -u "YOUR_USERNAME:YOUR_PASSWORD" \
-H "Accept: application/taxii+json;version=2.1" \
"https://taxii.cyberxtron.com/taxii2/collections/a01909b0-532f-4193-8dfd-e6d0a7750659/objects?added_after=2026-01-01T00:00:00Z"
SIEM Integration Examples
Splunk (Threat Intelligence Management)
- In Splunk, go to Enterprise Security → Intelligence Management → Sources
- Click Add Source → TAXII Feed
- Fill in:
  - URL: https://taxii.cyberxtron.com/taxii2
  - Collection: Select the desired collection ID
  - Authentication: Basic
  - Username / Password: Your TAXII credentials
- Set polling schedule to Daily
- Save and verify ingestion
Microsoft Sentinel (Threat Intelligence)
- Go to Sentinel → Threat Intelligence → TAXII
- Add a new TAXII data connector
- Configure:
  - API Root URL: https://taxii.cyberxtron.com/taxii2
  - Collection ID: Paste the collection ID from the table above
  - Username / Password: Your credentials
- Set polling frequency to Once a day
OpenCTI
# config.yml connector entry
- id: CyberXtron-ThreatBolt
  type: TAXII2
  name: CyberXTron ThreatBolt
  taxii_server_url: https://taxii.cyberxtron.com/taxii2
  taxii_collection_id: a01909b0-532f-4193-8dfd-e6d0a7750659
  username: YOUR_USERNAME
  password: YOUR_PASSWORD
  interval: 86400 # 24 hours in seconds
MISP
- Go to Feeds → Add Feed
- Set Input Source to TAXII 2.1 Collection
- Enter the API root URL and collection ID
- Enable Basic Authentication with your credentials
- Set caching frequency to 1 day
Notes
- All objects are returned in STIX 2.1 format
- Responses are paginated; use `next` cursor for large collections
- The `added_after` query parameter can be used to fetch only new indicators since the last poll — use this to avoid re-processing the entire collection on every poll
- TLS 1.2 or higher is required for all connections
Keep your TAXII credentials secure. Rotate them immediately if you suspect they have been compromised — contact support@cyberxtron.com.
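The polling behaviour described in the Notes, as an added example (not CyberXTron's code): a client that follows pagination, carries an `added_after` checkpoint between polls, enforces TLS 1.2 or higher, and reads credentials from the environment instead of the command line. It assumes the server returns the TAXII 2.1 specification's envelope fields (`more`, `next`) and the `X-TAXII-Date-Added-Last` header; the environment variable names `TAXII_USER` and `TAXII_PASS` and the function names are chosen for this example.

```python
import base64, json, os, ssl, urllib.parse, urllib.request

API_ROOT = "https://taxii.cyberxtron.com/taxii2"   # from the Connection Details table
ACCEPT = "application/taxii+json;version=2.1"

def http_fetch(url):
    """GET one TAXII envelope. Credentials come from the environment
    (TAXII_USER / TAXII_PASS are names assumed for this example)."""
    ctx = ssl.create_default_context()             # verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the page requires TLS 1.2 or higher
    cred = f"{os.environ['TAXII_USER']}:{os.environ['TAXII_PASS']}".encode()
    req = urllib.request.Request(url, headers={
        "Accept": ACCEPT,
        "Authorization": "Basic " + base64.b64encode(cred).decode()})
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        # Header defined by the TAXII 2.1 spec; assumed to be served by this endpoint
        return json.load(resp), resp.headers.get("X-TAXII-Date-Added-Last")

def poll_collection(collection_id, added_after=None, fetch=http_fetch, max_pages=1000):
    """Return (objects, checkpoint); pass checkpoint as added_after on the next poll."""
    base = f"{API_ROOT}/collections/{urllib.parse.quote(collection_id, safe='')}/objects"
    objects, seen, checkpoint, cursor = [], set(), added_after, None
    for _ in range(max_pages):                     # bound the loop against a cursor cycle
        params = {}
        if added_after:
            params["added_after"] = added_after
        if cursor:
            params["next"] = cursor
        url = base + ("?" + urllib.parse.urlencode(params) if params else "")
        envelope, last_added = fetch(url)
        for obj in envelope.get("objects", []):
            key = (obj.get("id"), obj.get("modified"))
            if key not in seen:                    # drop repeats across pages
                seen.add(key)
                objects.append(obj)
        checkpoint = last_added or checkpoint      # keep the old value if header absent
        cursor = envelope.get("next")
        if not envelope.get("more") or not cursor:
            return objects, checkpoint
    raise RuntimeError("pagination did not terminate within max_pages")
```

Persist the returned checkpoint only after the objects have been written to the SIEM or TIP, so a failed ingest is retried from the previous checkpoint on the next poll.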