Support Center > Search Results > SecureKnowledge Details
Private ThreatCloud Custom Indicators and STIX/TAXII support Technical Level

Custom indicators

Private ThreatCloud (PTC) supports custom indicators of the following types: hash/domain/url/ip 

Custom indicators can be added/deleted in the following ways:

  1. Over REST from the Private ThreatCloud appliance
  2. Via STIX/TAXII packages from the Download Agent


Adding a custom indicator

Send a POST message to the URL: http://<ptc ip>/ptcd/customIndicators/add

request body format:


"indicator":"1AC222A9B2720E3D6669993AB788BDDD ",

"protection_name": "evil hash",


"severity": 3


Removing a custom indicator:

Send a POST message to the URL: http://<ptc ip>/ptcd/customIndicators/delete

request body format:




list custom indicators:

To see the indicators that were downloaded to the PTC either manually or through STIX/TAXII, Send a GET message to the URL:

http://<ptc ip>/ptcd/customIndicators/getLatest

count of custom indicators:

To see the number of indicators that were downloaded to the PTC either manually or through STIX/TAXII, Send a GET message to the URL:

http://<ptc ip>/ptcd/customIndicators/count

view a specific indicator:

Send a POST message to the URL: http:///ptcd/customIndicators/get

request body format:





The following scripts demonstrate adding/removing indicators over REST:

add_indicator <indicator> <protection_name> [<confidence>] [<severity>]

del_indicator <indicator>

They are available on the Private ThreatCloud appliance



PTC supports indicators from STIX/TAXII servers. Once the Taxii configuration is complete, the TAXII server will be polled periodically for new STIX packages

Supported versions:
STIX: 1.0, 1.1.1, 1.2
TAXII: 1.1
TLS: V1.0. For higher TLS versions, please contact PTC RnD team (In the next engine update, TLSv1.2 will be supported)

There are two new utilities to handle STIX/TAXII behavior:

1) taxiiconf - STIX/TAXII configuration

2) taxiioper - STIX/TAXII operations



Taxii configuration is done by the following steps:

1. add a TAXII server

taxiiconf server add <taxi_server_name> <taxii_server_url> [psca12_keystore:password] [username password]

    for example:

       taxiiconf server add taxii-server-1 root 123456



    2. define a collection on the server

    taxiiconf collection add <server_id> <collection_name>

    for example:

    taxiiconf collection add 12 collection1

    3. attach the collection to a policy
    The policy dictates the collection's confidence. There are 3 default policies with id range 1-3
    taxiiconf col_pol add <collection_id> <policy_id>

      for example:

      taxiiconf col_pol add 9 2



      view configuration 

      you can use 'taxiiconf config' to view your current configuration: servers, collections and policies.

      In the last section – 'effective configuration' you can see a summary of all Taxii collections/servers that will be polled for IoCs.


      taxiioper load  - manully load a local STIX package

      taxiioper load local <package_path>

      taxiioper delete - delete a custom indicator

      taxiioper delete <indicator>

      taxiioper stats - shows statistics for all configured collections

      additional configuration:
      On R80.20, the following command needs to be run on the Download Agent:
      chown nobody:nobody /var/log/downloads

      This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

      Give us Feedback
      Please rate this document