Skip to content


The Intelligence Center also exposes a TAXII 2.1 server that conforms to the specification.

The discovery endpoint of the TAXII server is located at The API root of the TAXII server is located at TAXII relies on HTTP Basic Authentication. To authenticate to the TAXII server, you should use your Intelligence Center API key as the Basic Authentication password (you can use any username).

Here is an example of a script using the TAXII endpoints to iterate over objects:

import dbm
import requests
from basicauth import encode as basicauth_encode

# Replace with Intelligence Center API Key

# Replace with the TAXII URL copied from the "feeds" page

CURSOR_FILE = "cursor.db"

def get_new_objects(feed_url=FEED_URL, limit=2000, version="2.1"):
    has_more = True
    headers = {
        "Accept": "application/taxii+json",
        "Authorization": basicauth_encode("api", APIKEY),
    parameters = {"match[spec_version]": version, "limit": limit}

    # Use the builtin dbm module to save the cursors to disk
    with, "c") as cursors:
        while has_more:
            # If a cursor exists for this feed, add it to the parameters
            if feed_url in cursors:
                parameters["next"] = cursors[feed_url].decode("ascii")

            # Request the next batch of objects from the API, authenticate with the APIKEY
            response = requests.get(feed_url, headers=headers, params=parameters)
            data = response.json()

            has_more = data["more"]
            cursors[feed_url] = data["next"]

            yield from data["objects"]