Questions About the TAXII2 Data Connector

New Contributor

Hi there,


I am currently working on developing a TAXII2 server implementation and plan to connect it to my Sentinel instance. I have done a number of tests and I can currently feed in most indicators, but still have some questions and want to get a better idea of how the connector works.


  1.  Can the Azure Sentinel connector also accept STIX2 observed data objects? I remember watching a webinar presented by Jason Wescott where he said you can feed in observed data and indicators CTIs into Sentinel but I have not been able to achieve this. I have tried both the deprecated STIX v2.0 objects property and the STIX v2.1 object_refs, but neither seem to completely work 100%. Using the object_refs property does result in some of the data being imported in, but not all of it.
  2. What is the naming convention for file hash types used by the Sentinel TAXII client? I have tried the format specified in the TAXII2 specification, but Sentinel cannot correctly identify the hash type and just says it is Unknown. For an example if Sentinel tries to import the following pattern: 


"[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']"​


It will correctly get the hash from the pattern, but cannot identify that the hash is of type SHA-256.

  • How frequent does the data connector check for updates on the TAXII2 server? When I make a new connection, it gets all of the STIX2 objects stored on the TAXII2 server, then does not check for some time. Other times it starts checking periodically every minute.

Those are the main questions I have about the connector for now, I will probably be back soon with more.

1 Reply

Tagging @Jason Wescott to look into