Discovery (no auth required for this endpoint)
TAXII
TAXII 2.1 discovery endpoint
Entry point for TAXII 2.1 clients. Returns server metadata + a list of API roots. This is the URL you give your TAXII client (Splunk ES, Microsoft Sentinel, OpenCTI, MISP TAXII module).
What clients do with this
- Hit
/api/taxii2/to learn server identity + API root URLs - Hit each API root (
/api/taxii2/api/) to discover available collections - Poll each collection’s
/objects/endpoint to fetch STIX bundles
Integration walkthroughs
- Microsoft Sentinel: Data connectors → Threat Intelligence - TAXII → add server, paste discovery URL + API key
- Splunk ES: TA-TAXII2 add-on → input → server URL + Bearer token
- OpenCTI: TAXII 2.1 Connector → discovery URL + key
- MISP: Sync server type “TAXII 2.1” → discovery URL + key
GET
Discovery (no auth required for this endpoint)