SOCRadar Threat Intelligence (TAXII)

The SOCRadar Threat Intelligence (TAXII) integration connects to SOCRadar's TAXII 2.1 server and collects threat intelligence indicators in STIX 2.1 format. The indicators are mapped to the Elastic Common Schema (ECS) and indexed into Elasticsearch for use in detection rules, indicator-match enrichment, and threat hunting.

This integration is compatible with the SOCRadar TAXII 2.1 server and has been tested against Elastic Stack 8.18.0 and later.

The Elastic Agent uses the CEL input to poll SOCRadar TAXII collections in round-robin fashion. On each interval tick, one collection is fetched: the agent sends added_after and (where applicable) the TAXII next cursor for pagination, then forwards each STIX object to the ingest pipeline. The pipeline parses the STIX pattern per indicator type (IP, domain, URL, file hash, email, ASN, Windows registry key, x509 certificate) and maps the fields to ECS threat.indicator.*. Non-ECS STIX fields are namespaced under ti_socradar_taxii.stix.*.

This integration collects a single data stream:

• indicator: STIX 2.1 indicator objects from SOCRadar's TAXII server. Each indicator is emitted with event.kind: enrichment and mapped to ECS threat.indicator.* fields. Supported indicator types: IPv4/IPv6 addresses, domain names, URLs, file hashes (MD5, SHA-1, SHA-256, SHA-384, SHA-512), email addresses, autonomous-system numbers, Windows registry keys, and x509 certificates.

The integration also installs a latest_ioc transform that deduplicates the source stream into logs-ti_socradar_taxii_latest.indicator, keeping the most recent state per STIX object ID for use in indicator-match detection rules.

• Enriching alerts in Elastic Security with STIX-based threat indicators.
• Driving indicator-match detection rules from the deduplicated latest-state index.
• Building dashboards and reports over current threat landscape activity.

• A self-managed or Cloud Elastic deployment with Elastic Stack 8.18.0 or later.
• An Elastic Agent enrolled in Fleet (Fleet-managed deployment is recommended; agentless deployment is also supported).
• A SOCRadar Platform account with TAXII 2.1 access (contact SOCRadar support to enable it).
• TAXII credentials (username and password) issued by SOCRadar.
• The API root(s) and collection ID(s) you want to ingest from. SOCRadar provides three API roots: radar_alpha, radar_gamma, and radar_premium. Collection IDs can be discovered via the SOCRadar Platform UI under Threat Intelligence → TAXII Collections.

This integration is deployed using the Elastic Agent. See the general Observability getting started guide for an end-to-end overview of installing the Agent and adding integrations.

1. In Kibana, navigate to Management > Integrations and search for "SOCRadar TAXII".
2. Click Add SOCRadar TAXII.
3. Configure the following settings:
   • SOCRadar TAXII Base URL: Default https://taxii2.socradar.com. Change only if SOCRadar provides a different host.
   • Collections Configuration: YAML list of {api_root, collection_id} pairs. The agent polls one collection per Interval tick in round-robin fashion. Collections from different API roots can be mixed in a single integration policy. Example:

     - api_root: "radar_alpha"
       collection_id: "fd3fec42-efee-4353-85b2-cb87f9acc4ef"
     - api_root: "radar_gamma"
       collection_id: "00000000-0000-0000-0000-000000000010"
     - api_root: "radar_premium"
       collection_id: "00000000-0000-0000-0000-000000000050"
     		

     If an entry is invalid the tick is skipped (the input does not stall) and polling continues with the next collection on the next tick. The error is recorded as an event with error.code and error.message.
   • Username: SOCRadar TAXII username (HTTP Basic authentication).
   • Password: SOCRadar TAXII password. Stored as a policy secret and masked in the UI.
   • Interval: Time between polling cycles (default 5m). With N collections, each individual collection is refreshed roughly every N × Interval.
   • Initial Interval: How far back to look on first start (default 10h).
   • IOC Expiration Duration: How long indicators remain valid after their last seen timestamp (default 90d).
   • Limit: Max STIX objects per TAXII request (default 1000). The agent paginates a single collection using the TAXII next cursor before round-robin advances to the next collection.
   • Proxy URL (optional): If you need to connect through a proxy.
   • SSL Configuration (optional): Custom SSL settings if needed.
4. Both Fleet-managed and agentless deployment modes are supported.
5. Click Save and continue to deploy the integration.

After deployment, verify that data is flowing:

1. In Kibana, open Discover and select the logs-ti_socradar_taxii.indicator-* data view. Documents should start appearing within one Interval.
2. Check the latest_ioc transform under Stack Management → Transforms: the state should be started and documents_processed should grow over time.
3. Open the [SOCRadar TAXII] IOC Overview dashboard to see indicator counts, types, and feed sources.

1. Verify TAXII credentials are correct (username and password URL-encoded if they contain special characters).
2. Check that the collection is reachable and contains indicators.
3. Inspect Elastic Agent logs for connection errors. 401/403 indicates invalid or expired credentials; timeout indicates network or proxy issues.

Check the failure store: GET .fs-logs-ti_socradar_taxii.indicator-*/_count. The expected value is 0. If non-zero, query the failure store for error.message to identify the offending field or document.

1. Check the event.original field for the raw STIX document.
2. Verify the STIX spec_version is 2.1 (other versions are dropped).
3. Inspect error.message for the specific parser error.

The logs-ti_socradar_taxii.latest_ioc-default-0.1.0 transform deduplicates indicators into the logs-ti_socradar_taxii_latest.indicator-* index. If documents_processed stays at 0 for more than Interval × 2, restart the transform from Stack Management → Transforms.

For SOCRadar-side issues (collection availability, TAXII credential permissions), consult the SOCRadar Platform documentation.

The CEL input fetches one collection per Interval tick; the polling cost scales linearly with the number of configured collections. For environments with many collections, increase Interval rather than running many tightly-packed ticks, and split very large collection sets across multiple integration policies on separate agents.

A single collection is paginated using the TAXII next cursor with the configured Limit (default 1000 objects per request). Pagination of a single collection completes before the next collection is polled.

The latest_ioc transform runs every 60 seconds and indexes one document per unique STIX object ID; cluster sizing should account for the deduplicated indicator count rather than the raw event volume.

{
    "@timestamp": "2026-02-17T12:00:00.000Z",
    "agent": {
        "ephemeral_id": "43af6da1-b18c-4817-8688-f525c200d434",
        "id": "8257fe94-2ac6-48cf-bd18-2ded67e2c463",
        "name": "elastic-agent-58386",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "data_stream": {
        "dataset": "ti_socradar_taxii.indicator",
        "namespace": "default",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "8257fe94-2ac6-48cf-bd18-2ded67e2c463",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "dataset": "ti_socradar_taxii.indicator",
        "id": "indicator--c3d4e5f6-a7b8-9012-cdef-123456789012",
        "ingested": "2026-02-17T12:05:00Z",
        "kind": "enrichment",
        "original": "{\"confidence\":50,\"created\":\"2026-02-17T12:00:00.000Z\",\"created_by_ref\":\"identity--socradar-taxii-feed\",\"description\":\"Malicious file hash detected by SOCRadar\",\"id\":\"indicator--c3d4e5f6-a7b8-9012-cdef-123456789012\",\"labels\":[\"osint\"],\"lang\":\"en\",\"modified\":\"2026-02-17T12:15:00.000Z\",\"name\":\"d7a8fbb307d7809469ca5ce888b23a65f06e4563cc956e73e82f5c72c865aab6\",\"pattern\":\"[file:hashes.'SHA-256' = 'd7a8fbb307d7809469ca5ce888b23a65f06e4563cc956e73e82f5c72c865aab6']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2026-02-17T12:00:00.000Z\",\"valid_until\":\"2026-08-17T12:00:00.000Z\"}",
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "related": {
        "hash": [
            "d7a8fbb307d7809469ca5ce888b23a65f06e4563cc956e73e82f5c72c865aab6"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "ti_socradar_taxii-indicator",
        "osint"
    ],
    "threat": {
        "feed": {
            "name": "SOCRadar TAXII",
            "reference": "https://platform.socradar.com"
        },
        "indicator": {
            "confidence": "High",
            "description": "Malicious file hash detected by SOCRadar",
            "file": {
                "hash": {
                    "sha256": [
                        "d7a8fbb307d7809469ca5ce888b23a65f06e4563cc956e73e82f5c72c865aab6"
                    ]
                }
            },
            "first_seen": "2026-02-17T12:00:00.000Z",
            "last_seen": "2026-02-17T12:15:00.000Z",
            "modified_at": "2026-02-17T12:15:00.000Z",
            "name": "d7a8fbb307d7809469ca5ce888b23a65f06e4563cc956e73e82f5c72c865aab6",
            "provider": "SOCRadar",
            "type": "file"
        }
    },
    "ti_socradar_taxii": {
        "stix": {
            "confidence": 50,
            "created": "2026-02-17T12:00:00.000Z",
            "created_by_ref": "identity--socradar-taxii-feed",
            "id": "indicator--c3d4e5f6-a7b8-9012-cdef-123456789012",
            "ioc_expiration_date": "2026-08-17T12:00:00.000Z",
            "ioc_expiration_duration": "90d",
            "ioc_expiration_reason": "Expiration set from valid_until field",
            "lang": "en",
            "modified": "2026-02-17T12:15:00.000Z",
            "pattern": "[file:hashes.'SHA-256' = 'd7a8fbb307d7809469ca5ce888b23a65f06e4563cc956e73e82f5c72c865aab6']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2026-02-17T12:00:00.000Z",
            "valid_until": "2026-08-17T12:00:00.000Z"
        }
    }
}
		

• CEL input: Polls the SOCRadar TAXII 2.1 server with added_after filtering, multi-collection round-robin selection, and TAXII next cursor pagination.

• GET /{api_root}/collections/{collection_id}/objects/?added_after={ts}&limit={n} — Returns a STIX 2.1 envelope of indicator objects.
• GET /{api_root}/collections/{collection_id}/objects/?next={cursor}&limit={n} — Returns the next page of a collection.

STIX confidence (0-100) is mapped to ECS threat.indicator.confidence:

By default, indicators expire 90 days after their last seen timestamp. The behavior is controlled by IOC Expiration Duration:

• If valid_until is present in the STIX object, it is used as the expiration date.
• Otherwise the expiration is calculated as modified + ioc_expiration_duration.
• Expired indicators are marked in ti_socradar_taxii.stix.ioc_expiration_reason.

• [SOCRadar TAXII] IOC Overview — KPI metrics (Total Indicators, Unique STIX IDs, IOC Types, Feed Sources) and visualizations (Indicators by Type, Indicators by Feed Source, Indicators by Confidence, Indicators Over Time, Feed Source Breakdown, Recent Indicators).

• TAXII 2.1 Specification
• STIX 2.1 Specification
• Elastic Threat Intelligence Integration Guide