Trend 安全威脅資訊饋送使用符合 TAXII 2.1 的表述性狀態轉移 (REST) 應用程式介面 (API) 提供即時安全威脅資訊。此 API 可將精選的結構化安全威脅資料整合到您的安全工作流程和工具中。
步驟
- 確保您擁有Trend Vision One API 權杖。請參閱設定趨勢安全威脅資訊供應 API。
- 識別您區域的 TAXII 2.1 探索 URL。地區TAXII 提要 URL美國https://api.xdr.trendmicro.com/v3.0/threatintel/feeds/taxii2歐盟https://api.xdr.trendmicro.com/v3.0/threatintel/feeds/taxii2新加坡https://api.sg.xdr.trendmicro.com/v3.0/threatintel/feeds/taxii2日本https://api.xdr.trendmicro.co.jp/v3.0/threatintel/feeds/taxii2澳大利亞https://api.au.xdr.trendmicro.com/v3.0/threatintel/feeds/taxii2印度https://api.in.xdr.trendmicro.com/v3.0/threatintel/feeds/taxii2阿拉伯聯合大公國https://api.mea.xdr.trendmicro.com/v3.0/threatintel/feeds/taxii2
- 確保請求包含這些必要的標頭:
-
Authorization: Bearer <yourvisiononeapitoken> -
Accept: application/taxii+json; version=2.1
-
- 使用上方區域性 TAXII 2.1 URL 表格查詢伺服器和 API 根端點。集合 ID 針對特定的安全威脅資料物件。
-
GET <TAXII_DISCOVERY_URL> -
檢索 API 根資訊:
GET <TAXII_DISCOVERY_URL>/api/collections -
列出集合:
GET <TAXII_DISCOVERY_URL>/api/collections
用途API 路徑URL 參數資料防護類型參數描述伺服器偵測GET /taxii2/取得 API 根資訊GET /taxii2/api/取得集合GET /taxii2/api/collections/取得集合GET /taxii2/api/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116取得 STIX 物件GET /taxii2/api/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/新增於字串,ISO8601 時間戳記僅返回date_added大於指定值的物件限制字串每頁物件數量預設:1,000最小值:1,000最大值:10,000比對[id]字串按特定物件 ID 篩選比對[type]字串按物件類型篩選下一步字串分頁標記以檢索下一頁結果取得 STIX 物件GET /taxii2/api/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/{object_id}新增於字串,ISO8601 時間戳記僅返回date_added大於指定值的物件取得物件清單GET /taxii2/api/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/manifest/新增於字串,ISO8601 時間戳記僅返回date_added大於指定值的物件限制字串每頁物件數量預設:1,000最小值:1,000最大值:10,000比對[id]字串按特定物件 ID 篩選比對[type]字串按物件類型篩選下一步字串分頁標記以檢索下一頁結果 -
- 請參考以下Python範例進行身份驗證並計算物件。套件:
import requests from taxii2client.v21 import Server DISCOVERY_URL = "<your regional TAXII discovery URL>" TOKEN = "<your Vision One API token>" class BearerAuth(requests.auth.AuthBase): def __init__(self, token): self.token = token def __call__(self, r): r.headers["Authorization"] = f"Bearer {self.token}" return r # Get server server = Server(DISCOVERY_URL, auth=BearerAuth(TOKEN)) print(f'Server title: {server.title}') print(f'API Roots: {server.api_roots}') # Get API root api_root = server.api_roots[0] print(f'\nAPI Root title: {api_root.title}') # Get collections collections = api_root.collections print('\nCollections:') for col in collections: print(f'- {col.title} (id: {col.id})') # Get collection collection = collections[0] # or collection = Collection(f'{DISCOVERY_URL}/api/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/, auth=BearerAuth(TOKEN)) print(f'\nCollection Info:\nID: {collection.id}\nTitle: {collection.title}') # Get manifest manifest = collection.get_manifest() print(f'\nManifest:\n{json.dumps(manifest, indent=2)}') # Get a STIX Object try: empty_object = collection.get_object('object-id') print(f'\nSTIX Object (empty):\n{json.dumps(empty_object, indent=2)}') except Exception as error: print(f'Object is not found: {error}') # Get STIX objects, single page objects = collection.get_objects() print('\nSTIX Objects:') for obj in objects['objects']: print(json.dumps(obj, indent=2)) # Get STIX objects with match["id"] objs_by_id = collection.get_objects(id='campaign--8e3e4a78-1b6c-4b4c-97c0-d90f5fcbdc12') print(f'\nSTIX Objects (with match["id"]):\n{json.dumps(objs_by_id, indent=2)}') # Get STIX objects with match["type"] objs_by_type = collection.get_objects(type='campaign') print(f'\nSTIX Objects (with match["type"]):\n{json.dumps(objs_by_type, indent=2)}') # Get STIX objects with as_pages print('\nSTIX Objects (as_pages):') yesterday = datetime.datetime.now() - datetime.timedelta(days=1) for i, bundle in enumerate(as_pages(collection.get_objects, added_after=yesterday, per_request=1000), 1): print(f'Page {i}: {len(bundle["objects"])} {bundle["objects"][-1]["created"]}')