Access to this feature requires an addon.
Please contact your Customer Success Manager for more details.
Flare exposes Intelligence Feeds delivered via
TAXII 2. The
TAXII discovery endpoint is https://api.flare.io/taxii2/; point your TAXII
client at it and it will discover the available API roots and feeds below.
The match[type] parameter accepts one or more STIX object types (comma-separated,
e.g. ?match[type]=indicator,malware). The CTI SDO Feed serves the types
below; the relationship type is served exclusively by the CTI SRO Feed.Any value outside this list returns 400 Unsupported match[type].STIX 2.1 SDO types
match[type] value
Object
attack-pattern
Attack Pattern
campaign
Campaign
indicator
Indicator
infrastructure
Infrastructure
intrusion-set
Intrusion Set
location
Location
malware
Malware
report
Report
threat-actor
Threat Actor
tool
Tool
vulnerability
Vulnerability
Flare-specific extensionsThese are Flare extensions that have no standard STIX SDO counterpart.
match[type] value
Object
actor
Threat actor profile tracked by Flare
chat-channel
Monitored chat channel (e.g. Telegram)
forum-thread
Forum thread from a monitored source
match[type]=relationship is not valid on the CTI SDO Feed and returns a
400. STIX relationship objects are served by the CTI SRO Feed at
https://api.flare.io/taxii2/cti/relationships/collections/<TAXII 2 Collection ID>/.
The following example uses taxii2-client, which is
available on PyPI.
import datetimeimport osfrom taxii2client.v21 import ApiRootfrom taxii2client.v21 import Serverfrom taxii2client.v21 import as_pagesdef main() -> None: server = Server( "https://api.flare.io/taxii2/", user="api-key", # Do not change the user. password=os.environ["FLARE_API_KEY"], ) print(server.title) # Deprecated use the ApiRoot with /cti or /cti/relationship instead # api_root = ApiRoot( # url="https://api.flare.io/taxii2/", # user="api-key", # Do not change the user. # password=os.environ["FLARE_API_KEY"], # ) api_root = ApiRoot( url="https://api.flare.io/taxii2/cti/", # Add relationship to fetch SRO user="api-key", # Do not change the user. password=os.environ["FLARE_API_KEY"], ) start_date: datetime.datetime = datetime.datetime.now() - datetime.timedelta( hours=2 ) # Iterate through the available collections and print new items for collection in api_root.collections: print(collection.title) # Pagination request. for envelope in as_pages( collection.get_objects, per_request=50, added_after=start_date, ): print(envelope)if __name__ == "__main__": main()