
OpenTAXII

OpenTAXII is a robust Python implementation of TAXII Services from EclecticIQ, providing a feature-rich server with a pythonic API. It is compatible with Cabby, the TAXII client library.

Description

OpenTAXII is a TAXII (Trusted Automated eXchange of Indicator Information) server implementation designed for sharing cyber threat intelligence. Developed by EclecticIQ, it offers a comprehensive feature set including API root and collection management, user account handling, and content synchronization capabilities. It is written in Python and is compatible with standard TAXII clients like Cabby.

Use cases include setting up private or public TAXII 2.0 servers for distributing STIX-formatted threat intelligence within organizations or across trusted communities. Administrators can create API roots, collections with read/write permissions, manage user accounts with admin privileges, and perform data cleanup operations. The package also includes documentation for common usage.

Key components include CLI utilities for adding API roots and collections, account creation and updates, content block deletion, and data synchronization from YAML configurations, making it suitable for automated threat feed management in security operations centers.

How It Works

OpenTAXII operates as a Flask-based web application implementing TAXII 2.0 protocols for serving STIX 2 content through API roots and collections. It uses SQLAlchemy for database persistence, libtaxii for TAXII message handling, and structlog for logging. Authentication is managed via a custom Auth API, supporting username/password accounts with admin roles. Content blocks are timestamp-labeled for time-windowed deletions, and public read/write access can be enabled on collections. Synchronization from YAML configs populates services, collections, and accounts, with optional force-deletion of undefined collections.

Installation

sudo apt install opentaxii

Flags

-t, --title TITLE              Title of the api root or collection
-d, --description DESCRIPTION  Description of the api root or collection (default: None)
--default                      Set as default api root (default: False)
-r, --rootid ROOTID            Api root id of the collection
-a, --alias ALIAS              alias of the collection (default: None)
--public                       allow public read access (default: False)
--public-write                 allow public write access (default: False)
-u, --username USERNAME        Username for account creation or update
-p, --password PASSWORD        Password for account creation
-a, --admin                    grant admin access (default: False)
-c, --collection COLLECTION    Collection to remove content blocks from
-m, --with-messages            delete inbox messages associated with deleted content blocks (default: False)
--begin BEGIN                  exclusive beginning of time window as ISO8601 formatted date
--end END                      inclusive ending of time window as ISO8601 formatted date (default: None)
-f, --force-delete             force deletion of collections and their content blocks if collection is not defined in configuration file (default: False)
-f, --field {password,admin}   Field to update for account
-v, --value VALUE              Value for the field being updated

Examples

Show help for adding a new TAXII2 ApiRoot object
opentaxii-add-api-root -h
Show help for adding a new TAXII2 Collection object
opentaxii-add-collection -h
Show help for creating an account via OpenTAXII Auth API
opentaxii-create-account -h
Show help for deleting content blocks from collections within a time window
opentaxii-delete-blocks -h
Run job cleanup (example shows 'No job to remove')
opentaxii-job-cleanup -h
Run the development server (shows Flask app serving with debug mode on)
opentaxii-run-dev -h
Show help for syncing services/collections/accounts from YAML config
opentaxii-sync-data -h
Show help for updating an account via OpenTAXII Auth API
opentaxii-update-account -h
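
Because opentaxii-delete-blocks is destructive, it helps to check the window boundaries before running it. The following is an added example, not OpenTAXII code: it models the documented semantics (--begin exclusive, --end inclusive) over constructed block records. The function names, the sample data, treating naive timestamps as UTC, and reading an omitted --end as an open-ended window are all assumptions.

```python
from datetime import datetime, timezone


def parse_iso8601(value):
    """Parse an ISO8601 string to an aware UTC datetime.

    Assumption: values without a UTC offset are interpreted as UTC.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older Pythons reject a trailing "Z"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def blocks_in_window(blocks, begin, end=None):
    """Return ids of blocks whose label satisfies begin < label <= end.

    begin is exclusive and end is inclusive, as the flag help states.
    Assumption: end=None (the documented default) means no upper bound.
    """
    lower = parse_iso8601(begin)
    upper = parse_iso8601(end) if end is not None else None
    if upper is not None and upper <= lower:
        raise ValueError("end must be later than begin")
    selected = []
    for block_id, label in blocks:
        stamp = parse_iso8601(label)
        if stamp > lower and (upper is None or stamp <= upper):
            selected.append(block_id)
    return selected


# Constructed sample data: (hypothetical block id, timestamp label)
SAMPLE_BLOCKS = [
    ("block-1", "2024-01-01T00:00:00+00:00"),  # exactly at begin: not selected
    ("block-2", "2024-01-01T00:00:01Z"),
    ("block-3", "2024-01-31T23:59:59+00:00"),
    ("block-4", "2024-02-01T01:00:00+01:00"),  # equals end in UTC: selected
    ("block-5", "2024-02-01T00:00:01"),        # naive label, treated as UTC
]

if __name__ == "__main__":
    window = ("2024-01-01T00:00:00Z", "2024-02-01T00:00:00Z")
    print("would delete:", blocks_in_window(SAMPLE_BLOCKS, *window))
```

A block labeled exactly at --begin survives the deletion, so consecutive cleanup windows can reuse the previous --end as the next --begin without deleting anything twice or skipping a block.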
Updated 2026-04-16 (kali.org)