> For the complete documentation index, see [llms.txt](https://docs.panther.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.panther.com/enrichment/stix-taxii.md).

# STIX/TAXII (Beta)

## Overview

{% hint style="info" %}
STIX/TAXII enrichment is in beta. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

[STIX](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html) (Structured Threat Information Expression) and [TAXII](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html) (Trusted Automated Exchange of Intelligence Information) are open standards for sharing threat intelligence. Panther's STIX/TAXII enrichment connects to any TAXII 2.1 server you have access to (commercial, open-source, or self-hosted) and pulls STIX Indicator objects from the collections you choose. The Panther-managed STIX/TAXII enrichment matches these indicators of compromise (IoCs) against log events ingested into Panther for high-fidelity alerts.

Unlike Panther's other enrichment sources, which typically require only an API key, STIX/TAXII requires you to connect Panther to a TAXII server you have access to: provide a discovery URL and credentials, and Panther walks the server's API roots to enumerate available collections for you to choose from.

## How STIX/TAXII enrichment works in Panther

By default, STIX/TAXII enrichment is configured to run against every log type in your Panther environment ([yet is possible to disable for a log type, if desired](#enabling-disabling-or-modifying-stix-taxii-enrichment-for-a-log-type)). Panther will attempt to match each incoming log event, across all log types, against the Panther-managed STIX/TAXII enrichment before it passes through the detection engine.

If Panther [identifies a match](#how-a-match-between-a-log-event-and-stix-taxii-is-made) between an incoming event and a STIX/TAXII entry, STIX/TAXII data is appended to the matching log event under a top-level `p_enrichment` key. It can then be referenced in detection logic and searches.

Panther polls each selected collection on your TAXII server once per hour by default. Each poll fetches only the indicators added to the collection since the last successful poll (tracked per-collection using the TAXII server's `X-TAXII-Date-Added-Last` cursor), so previously pulled indicators aren't re-fetched. Indicators are retained in the enrichment table until their `valid_until` date passes or they age past the configured **Max age (Days)** setting, at which point they're automatically filtered out.

For more information on detection writing using an enrichment source, see [Writing a detection using custom enrichment data](/enrichment/custom.md#writing-a-detection-using-custom-enrichment-data).

### How a match between a log event and STIX/TAXII is made

A log event is enriched with Panther-managed STIX/TAXII enrichment data (under `p_enrichment`) if a match is found between:

* Any of the values of the Selector field(s) configured for each associated log type.
  * For each log type, the default Selectors are the [Indicator Fields](/search/panther-fields.md#indicator-fields) (represented by `p_any_*`) associated with the enrichment table's primary key's indicator field designations (though the Selectors are configurable). [Learn more about this auto-mapping here](/enrichment/custom.md#option-2-let-log-types-and-selectors-be-automatically-mapped).
* The value of the `value` key in a STIX/TAXII table entry in Panther.
  * `value` is the primary key of the STIX/TAXII table and contains the indicator value (IP address, domain, URL, file hash, email address, or MAC address, extracted from the STIX indicator's `pattern`).
  * See an example of `value` in the [Example STIX/TAXII enrichment table entry](#example-stix-taxii-enrichment-table-entry) below.

## Setting up STIX/TAXII enrichment

### Step 1: Gather your TAXII server details

Before configuring STIX/TAXII enrichment in Panther, gather the following from your TAXII server (or its administrator):

* The **discovery URL**, which must end with `/taxii2/` (per the TAXII 2.1 specification).
* Credentials for one of the two supported authentication methods:
  * **Bearer Token** — a single API token.
  * **Basic Auth** — a username (optional, depending on your server) and password.

{% hint style="warning" %}
You'll also need to allow Panther's egress IP address on your TAXII server. This IP is displayed during setup (see Step 2 below).
{% endhint %}

### Step 2: Create the STIX/TAXII enrichment in Panther

To configure STIX/TAXII enrichment in Panther:

1. In the left-hand navigation bar of your Panther Console, click **Enrichments**.
2. In the upper-right corner, click **Create New**.
3. Click **STIX/TAXII**.

   ![The "What type of enrichment would you like to setup" screen shows Custom Enrichment options followed by a grid of Supported Enrichments, including Anomali, Open Threat Exchange, GreyNoise, Google Threat Intelligence, VirusTotal, and STIX/TAXII (circled), Snowflake Audit, Google Workspace, and Okta.](/files/MhGXTBtQrE1NaZBmn16T)
4. On the **Enrichment Settings** step, provide values for the following fields:

   * **Name**: Enter a descriptive name for your integration.
   * **TAXII Discovery URL**: Enter your server's discovery URL (must end with `/taxii2/`).
   * **Authentication Method**: Choose **Bearer Token** or **Basic Auth**.
     * If **Bearer Token**, enter your **API Token**.
     * If **Basic Auth**, enter your **Username** (optional) and **Password**.
   * **Max age (Days)**: Configure the maximum age, in days, for indicators to be retained in the enrichment table. Indicators older than this cutoff (based on their `valid_from` date) are not pulled, and previously pulled indicators older than this cutoff are automatically filtered out during each refresh.
   * Note the displayed **egress IP** and confirm it's allowed on your TAXII server.

   ![The Enrichment Settings step shows fields for Name, TAXII Discovery URL, Authentication Method (Bearer Token or Basic Auth), API Token, and Indicator TTL (Max age in Days), along with a notice displaying Panther's egress IP.](/files/0oJq5EYpsWtyxZQjXRQp)
5. Click **Continue**. Panther will attempt to connect to your discovery URL with the provided credentials.
   * If the connection fails, an error banner is displayed and you can adjust your settings and retry.
6. On the **Select Collections** step, choose which of the discovered collections to ingest indicators from.

   * Use the filter box to narrow down the list by collection name or description.
   * Select individual collections, or use the header checkbox to select all currently filtered collections.
   * You can select up to 50 collections. If you exceed this limit, an inline warning is shown and you won't be able to continue until you deselect some collections.

   ![The Select Collections step shows an Enrichment Info sidebar with the previously entered settings, and a Select Collections panel with a filter box and a table of discovered collections, each with a checkbox, Collection Name, and Description.](/files/StEd9vlqn08Yw668wvNz)
7. Click **Continue**.
8. On the **Verification** step, confirm the integration was created successfully, then click **View Enrichments**.
   * Your new STIX/TAXII configuration will be visible in the **Enrichments** page.

{% hint style="info" %}
After adding a STIX/TAXII enrichment, there may be a delay (a few minutes) before incoming log data begins to be enriched. This allows time for the initial data synchronization to complete.
{% endhint %}

### Managing collections after setup

You can view or change which collections a STIX/TAXII enrichment ingests from at any time:

1. In the left-hand navigation bar of your Panther Console, click **Enrichments**.
2. Click the name of the STIX/TAXII enrichment you'd like to manage.
3. Click on the **Collections** tab to view the collections currently enabled for this integration.

   ![The Collections tab of a STIX/TAXII enrichment shows a table of enabled collections, each with a Collection Name and Description, and an Edit Collections button in the upper-right.](/files/1McD3rSfYAWFmmepDPUE)
4. Click **Edit Collections** to return to the **Select Collections** step of the wizard and change your selection.

{% hint style="info" %}
Editing an existing STIX/TAXII enrichment never requires you to re-enter your credentials — leave the token/password field blank to keep the currently stored value.
{% endhint %}

## Enabling, disabling, or modifying STIX/TAXII enrichment for a log type

STIX/TAXII enrichment is enabled by default for each log type in your Panther instance.

If you'd like to disable (or later enable) STIX/TAXII enrichment for a certain log type, or alter a log type's selectors:

1. In the left-hand navigation bar in your Panther Console, click **Enrichments**.
2. In the list of Enrichments, locate the STIX/TAXII source you'd like to modify, and click its name.
3. Click on the **Enriched Log Types** tab.
4. On the right-hand side, click **Edit Log Types**.
   * If you'd like to enable this enrichment for a new log type, click **Add Log Type**.
     * In the new row that populates, select a **Log Type** and, in the **Selectors** field, at least one event field.
   * If you'd like to disable this enrichment for a log type, locate that log type's row, and click the trash icon.
     * If you don't see a log type listed, click on the drop-down arrow next to **Auto-mapped Log Types**. Locate the log type's row and click the edit icon.
   * If you'd like to alter the selectors for a log type, click into the **Selectors** field and add or remove selections for event fields.
5. In the upper-right corner, click **Save**.

## Example STIX/TAXII enrichment table entry

The below is an example of a STIX Indicator object pulled by Panther over TAXII. Each indicator from a selected collection creates its own row, with the indicator value stored in the `value` field.

```json
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--b3eb5e07-2f0e-4e04-9d21-38f4a2d0d20e",
  "created": "2025-03-10T14:00:00.000Z",
  "modified": "2025-03-10T14:00:00.000Z",
  "name": "Malicious IP associated with C2 activity",
  "indicator_types": ["malicious-activity"],
  "pattern": "[ipv4-addr:value = '198.51.100.42']",
  "pattern_type": "stix",
  "valid_from": "2025-03-10T14:00:00.000Z",
  "valid_until": "2025-09-10T14:00:00.000Z",
  "labels": ["c2", "malware"],
  "confidence": 85,
  "value": "198.51.100.42",
  "ioc_type": "ip_address",
  "p_event_time": "2025-03-10T14:00:00.000Z",
  "p_log_type": "STIX.Indicator",
  "p_parse_time": "2025-03-10T15:00:00.000Z",
  "p_row_id": "abc123def456ghi789",
  "p_schema_version": 0
}
```

### `STIX.Indicator` schema

The following is the Panther-managed `STIX.Indicator` schema, representing how STIX Indicator objects pulled over TAXII are stored in Panther. Each indicator becomes its own row.

```yaml
schema: STIX.Indicator
description: STIX 2.1 Indicator objects with the IoC value and type extracted from the pattern property.
referenceURL: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_muftrcpnf89v
fields:
  - name: type
    required: true
    description: The type of this object, MUST be 'indicator'.
    type: string
  - name: spec_version
    required: true
    description: The version of the STIX specification used to represent this object.
    type: string
  - name: id
    required: true
    description: The unique identifier for this Indicator.
    type: string
  - name: created_by_ref
    description: The id of the Identity object that created this Indicator.
    type: string
  - name: created
    required: true
    description: The time at which this Indicator was originally created.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: modified
    required: true
    description: The time that this particular version of the Indicator was last modified.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: revoked
    description: Whether this Indicator has been revoked.
    type: boolean
  - name: labels
    description: A set of terms used to describe this Indicator.
    type: array
    element:
      type: string
  - name: confidence
    description: The confidence that the creator has in the correctness of their data (0-100).
    type: bigint
  - name: lang
    description: The language of the text content in this object.
    type: string
  - name: external_references
    description: A list of external references which refer to non-STIX information.
    type: array
    element:
      type: object
      fields:
        - name: source_name
          description: The name of the source that the external-reference is defined within.
          type: string
        - name: description
          description: A human-readable description of the external reference.
          type: string
        - name: url
          description: A URL reference to an external resource.
          type: string
          indicators:
            - url
        - name: hashes
          description: Hashes for the contents of the url, as a dictionary of hash-algorithm to value.
          type: json
        - name: external_id
          description: An identifier for the external reference content.
          type: string
  - name: object_marking_refs
    description: The list of marking-definition objects that apply to this Indicator.
    type: array
    element:
      type: string
  - name: granular_markings
    description: The set of granular markings that apply to this Indicator.
    type: json
  - name: extensions
    description: A dictionary of extension-specific properties, keyed by extension identifier (the STIX 2.1 mechanism for vendor-specific data).
    type: json
  - name: name
    description: A name used to identify this Indicator.
    type: string
  - name: description
    description: A description that provides more details and context about this Indicator.
    type: string
  - name: indicator_types
    description: A set of categorizations for this Indicator (e.g. malicious-activity).
    type: array
    element:
      type: string
  - name: pattern
    required: true
    description: The detection pattern for this Indicator.
    type: string
  - name: pattern_type
    required: true
    description: The pattern language used in the pattern property (e.g. stix, yara).
    type: string
  - name: pattern_version
    description: The version of the pattern language used in the pattern property.
    type: string
  - name: valid_from
    required: true
    description: The time from which this Indicator is considered a valid indicator of the behaviors it is related to.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: valid_until
    description: The time at which this Indicator should no longer be considered a valid indicator.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: kill_chain_phases
    description: The kill chain phases for which this Indicator corresponds.
    type: array
    element:
      type: object
      fields:
        - name: kill_chain_name
          description: The name of the kill chain.
          type: string
        - name: phase_name
          description: The name of the phase in the kill chain.
          type: string
  - name: value
    description: The IoC value extracted from the pattern; the enrichment key.
    type: string
    indicators:
      - ip
      - domain
      - url
      - md5
      - sha1
      - sha256
      - email
      - mac
  - name: ioc_type
    description: 'The IoC type extracted from the pattern (one of: ip_address, domain_name, url, file, email, mac_address).'
    type: string
```

{% hint style="info" %}
Only STIX Indicator objects (`type: indicator`) using the STIX pattern language (`pattern_type: stix`) are ingested. Other STIX object types (e.g. `identity`, `malware`, `attack-pattern`) and non-STIX pattern languages (e.g. `yara`, `pcre`, `sigma`) are skipped. Only patterns Panther can extract a single IoC value from (IP address, domain, URL, file hash, email address, or MAC address) are supported; indicators with more complex or unsupported patterns are also skipped.
{% endhint %}

## Example of using STIX/TAXII data in detections

STIX/TAXII enrichment data can be used in detection logic to identify known threats. The following example checks whether an event matched a STIX/TAXII indicator and surfaces its confidence and labels:

```python
def rule(event):
    enrichment = event.get('p_enrichment', {})
    stix_data = enrichment.get('STIX.Indicator', {})

    if not stix_data:
        return False

    return stix_data.get('confidence', 0) >= 75


def title(event):
    stix_data = event.deep_get('p_enrichment', 'STIX.Indicator', default={})
    return f"Match against STIX/TAXII indicator: {stix_data.get('name', stix_data.get('value'))}"
```

## Troubleshooting STIX/TAXII enrichment

### Common issues

* **Connection fails during setup**: Confirm your discovery URL ends with `/taxii2/`, your credentials are correct, and Panther's egress IP is allowed on your TAXII server.
* **No data being pulled**: Make sure at least one collection is selected on the **Select Collections** step, and that the selected collections actually contain STIX Indicator objects with a supported pattern (see the hint above). Also check your **Max age (Days)** setting — indicators with a `valid_from` older than this cutoff are filtered out on ingest.
* **Some collections missing data intermittently**: A collection that fails to be reached during a given poll is skipped for that cycle and retried on the next poll; other, healthy collections are unaffected. If a collection's health check consistently fails, it's flagged unhealthy on the enrichment's details page.
* **Data freshness**: STIX/TAXII collections are polled once per hour. Check your **Max age (Days)** setting to ensure it's appropriate for your use case.

For additional troubleshooting, visit the Panther Knowledge Base to [view articles about enrichment](https://help.panther.com/Enrichment) that answer frequently asked questions and help you resolve common errors and issues.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.panther.com/enrichment/stix-taxii.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
