Custom STIX/TAXII feeds (incl. AlienVault OTX)
Mimir’s “custom STIX/TAXII” path connects to any TAXII 2.1 server. This is the path you use for AlienVault OTX (free, requires an account) and for any commercial CTI vendor that publishes a STIX/TAXII feed — Mandiant Threat Intelligence, Anomali ThreatStream, ThreatConnect, IBM X-Force, Recorded Future, CrowdStrike Falcon Intelligence, and many ISAC information-sharing programs.
This page covers:
- What STIX and TAXII are, and what kind of feeds use them
- How to set up AlienVault OTX (most common starting point)
- How to set up other commercial vendors (the pattern is the same)
- API key handling, security model, troubleshooting
If you’re new to threat feeds, start with built-in feeds (no account, no setup) and MISP feeds (no account, broader coverage). Come back here when you’re ready to add OTX or a commercial vendor.
What STIX and TAXII are
STIX 2.1 (Structured Threat Information eXpression) is the OASIS-standard format for representing threat intelligence — indicators, attack patterns, threat actors, malware family relationships, campaigns, observed data. It’s the JSON schema that everyone in the CTI industry agreed on so feeds and tools can interoperate.
TAXII 2.1 (Trusted Automated eXchange of Intelligence Information) is the matching transport protocol. It’s a small set of REST endpoints for discovering what feeds a server publishes, polling them, and receiving STIX content. Authentication is typically a bearer token (API key) but the spec also supports HTTP Basic auth and mutual TLS.
Together, STIX/TAXII is the most widely supported CTI exchange standard. If a CTI vendor or community publishes a feed and lets you “subscribe” or “ingest,” they almost certainly do it via TAXII 2.1.
What you get
When you connect a TAXII feed, Mimir polls it on your schedule and imports the indicator types it knows how to match — file hashes, domains, IPs, URLs. STIX content beyond simple indicators (attack patterns, threat-actor descriptions, kill-chain mappings) is acknowledged but not currently surfaced as standalone alert sources.
The downstream pipeline is identical to other feed types: 90-day historical scan on import, real-time matching going forward, confidence decay (5 points/day, deactivate below 20). See the built-in feeds guide for the full IOC lifecycle.
AlienVault OTX (free, account required)
The most popular free STIX/TAXII feed is AlienVault OTX (Open Threat Exchange, now part of LevelBlue). It’s a community-curated feed with broad coverage across malware families, phishing campaigns, APT activity, and emerging threats, carrying hundreds of thousands of active indicators across multiple collections. The “AlienVault Labs” curated collection alone delivers a few hundred fresh indicators per day.
OTX is free but requires an account. Setup takes about five minutes:
Step 1: Create an OTX account
Go to otx.alienvault.com and sign up. Email verification is enough — no payment, no enterprise tier, no phone number. The free tier has full read access to the AlienVault Labs collection plus the ability to subscribe to other community “pulses” (curated indicator sets published by other OTX users).
Step 2: Copy your API key
Once logged in, click your username (top right) and choose API integration. Your API key is a 64-character hex string.
Treat the key like a password. Anyone with the key can read every collection your account has access to and can post pulses on your behalf. Don’t share it, don’t paste it into chat or email, and rotate it (regenerate on the OTX side) if you suspect it was leaked.
Step 3: Add the feed in Mimir
- Open Settings → Threat Feeds.
- Click Add custom STIX/TAXII feed.
- Fill in the form:
  - Name — AlienVault OTX (or whatever you’ll recognize in the alerts and feeds tables).
  - TAXII URL — https://otx.alienvault.com/taxii/. This is OTX’s discovery endpoint. Don’t worry about the deeper /objects/ URL — Mimir’s “Discover collections” handles that.
  - API key — paste your 64-character key.
  - Poll interval — leave at 60 minutes. OTX rate-limits aggressive pollers and will return misleading 404s if you go too fast. Don’t go below 30 minutes for OTX.
- Click Discover collections. After a moment Mimir queries OTX and shows the available collections.
- Click Use next to Data feed for user: AlienVault — that’s the curated AlienVault Labs feed, freely readable, the most useful default.
- The TAXII URL field auto-updates to the specific objects endpoint for that collection. The Add feed button turns active.
- Click Test connection to verify. You should see a green banner: “OK — found N indicator(s) in M STIX object(s)”.
- Click Add feed.
The first poll runs within a minute. Initial sync walks up to 20 pages and can take 30-60 seconds for the AlienVault Labs collection.
Step 4: Pick the right OTX collection
OTX exposes three collections per account:
| Collection | Contains | When to add |
|---|---|---|
| Data feed for user: AlienVault | Curated AlienVault Labs indicators | Always. This is the default starting point. |
| Your pulse subscription | Only OTX pulses you’ve explicitly subscribed to via the OTX website | After you’ve spent time on OTX subscribing to publishers you trust |
| Data feed for user: your-username | Your own pulses | Only if you author pulses on OTX |
For most admins, the AlienVault Labs collection is enough. If you want more coverage, spend an hour browsing OTX pulses and subscribing to publishers whose work you find relevant — sector-specific analysts, your country’s CERT, vendors whose research you respect. Then add the “Your pulse subscription” collection as a second feed in Mimir.
OTX 404 quirk: OTX’s CDN sometimes returns a misleading 404 if Mimir polls too aggressively. Mimir auto-retries once after 5 seconds, so transient 404s in the Recent polls drawer are normal and self-heal within a few minutes. If 404s persist, increase your poll interval.
Other commercial CTI vendors
Configuration shape is identical for any TAXII 2.1 vendor:
- Get a TAXII URL and API key from the vendor portal. Each vendor has their own UI for this — check their developer docs.
- In Mimir, click Settings → Threat Feeds → Add custom STIX/TAXII feed.
- Paste the URL and key, click Discover collections, pick the collection you’ve licensed, save.
Common vendors:
- Mandiant Threat Intelligence — comprehensive coverage, including APT attribution and finished intelligence reports. Tier-based pricing.
- Anomali ThreatStream — aggregator, gives you access to many feeds via one TAXII endpoint. Per-feed licensing.
- ThreatConnect — strong at TTPs and attack patterns alongside raw IOCs.
- IBM X-Force Exchange — broad coverage, good integration with IBM security stack but works standalone.
- Recorded Future — large-scale collection from open and dark web sources, premium pricing.
- CrowdStrike Falcon Intelligence — strong on adversary attribution. CrowdStrike customer required.
Vendor-specific quirks (rate limits, custom auth flows beyond bearer tokens, paginated batch sizes, attribute mapping conventions) are documented in each vendor’s developer docs. Mimir handles standard TAXII 2.1 — anything that deviates may need a vendor-supplied bridge or a wrapper. If you find a vendor whose feed doesn’t connect cleanly, their support team typically has integration docs for “TAXII 2.1 clients.”
API key handling
API keys are encrypted at rest using AES-256-GCM and never exposed in the UI after save. The encryption key is unique per Mimir deployment; keys imported from one tenant cannot be decrypted by another. The ciphertext lives in the ioc_sources.api_key database column.
When you edit a feed, the key field shows •••••••• — leave it blank to keep the existing key, or type a new one to replace it. There is no “reveal key” button by design; if you need to retrieve the key for use elsewhere, generate a new one on the vendor side and replace it in Mimir, rather than trying to extract the existing one.
If you suspect a key was leaked:
- Rotate it on the vendor side first. Generate a new key and revoke the old one in the vendor portal. This is the urgent step — until you do this, the leaked key continues to work.
- Then update Mimir. Edit the feed and paste the new key.
Don’t delete-and-re-add the feed unless you also want to re-import all indicators from scratch. Editing keeps the feed’s import history and confidence-decay state intact.
Confidence decay
Same model as all other feed types: imported IOCs decay 5 confidence points per day, deactivate at 20, refresh on every successful poll. This keeps a long-running feed from accumulating stale indicators that produce noisy alerts on infrastructure that’s been clean for months.
For commercial feeds especially, this is important — you don’t want to pay for a vendor’s premium intelligence and then have it produce false positives on indicators the vendor stopped considering active six months ago. Confidence decay handles that automatically without you doing anything.
Choosing a poll interval
Different feeds have different update tempos:
| Feed | Typical interval |
|---|---|
| AlienVault OTX | 60 minutes (don’t go below 30 — rate limits) |
| Mandiant Threat Intelligence | 60-240 minutes |
| Anomali ThreatStream | Depends on the licensed feeds; check vendor guidance |
| Vendor-specific | Check vendor docs; many publish “recommended polling cadence” |
Most commercial vendors publish guidance on polling cadence. If you poll more often than they recommend, you’ll typically see rate-limit errors in the Recent polls drawer. Lengthening the interval to match vendor guidance fixes them.
Discovery walk
The Discover collections button is what makes “paste any TAXII URL and Mimir figures out the rest” work. When you click it, Mimir:
- Examines the URL you provided.
- Walks the TAXII server’s discovery hierarchy: discovery → API roots → collections → individual collection objects endpoint.
- Returns the list of collections your account can read, with names, descriptions, and a can_read flag per collection.
This means you can paste a high-level discovery URL (like OTX’s /taxii/) or a specific objects URL (like the one you’d get from a vendor’s developer docs) and Mimir figures out which it is. The Use button on each discovered collection auto-fills the proper objects URL into the form.
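The walk described above, as an added example (not Mimir’s own code): it accepts a discovery URL, an API-root URL or a specific objects URL, follows discovery → API roots → collections, and reports each collection’s title, description and can_read flag. The server URLs and JSON responses are constructed for a hypothetical TAXII 2.1 server; a real client would issue authenticated HTTP GETs instead of the fake_get lookup.

```python
import re
from typing import Callable, Dict, List

# Constructed responses of a hypothetical TAXII 2.1 server (not real OTX output),
# keyed by URL. A real client would GET each with "Authorization: Bearer <API key>".
FAKE_SERVER: Dict[str, dict] = {
    "https://taxii.example.test/taxii/": {            # discovery document
        "title": "Example TAXII server",
        "api_roots": ["https://taxii.example.test/taxii/root1/"],
    },
    "https://taxii.example.test/taxii/root1/": {"title": "Root 1"},   # API root
    "https://taxii.example.test/taxii/root1/collections/": {
        "collections": [
            {"id": "c1", "title": "Data feed for user: AlienVault",
             "description": "Curated indicators", "can_read": True},
            {"id": "c2", "title": "Your pulse subscription",
             "description": "Subscribed pulses", "can_read": False},
        ]
    },
}

# A specific objects URL has the shape {api_root}collections/{id}/objects/
OBJECTS_RE = re.compile(r"^(?P<root>.+?/)collections/(?P<cid>[^/]+)/objects/$")

def fake_get(url: str) -> dict:
    """Stand-in for an authenticated GET; an unknown URL behaves like a 404."""
    if url not in FAKE_SERVER:
        raise LookupError(f"404 for {url}")
    return FAKE_SERVER[url]

def discover_collections(url: str, get: Callable[[str], dict] = fake_get) -> List[dict]:
    """Walk discovery -> API roots -> collections and list what this key can read."""
    url = url.rstrip("/") + "/"
    m = OBJECTS_RE.match(url)
    if m:                                   # objects URL: just confirm its one collection
        roots, only_id = [m.group("root")], m.group("cid")
    else:                                   # discovery doc lists roots; an API root is its own root
        roots, only_id = get(url).get("api_roots") or [url], None
    found = []
    for root in roots:
        for c in get(root + "collections/").get("collections", []):
            if only_id is None or c["id"] == only_id:
                found.append({"title": c["title"], "description": c.get("description", ""),
                              "can_read": bool(c.get("can_read")),
                              "objects_url": f"{root}collections/{c['id']}/objects/"})
    return found
```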
Troubleshooting
“This collection is not readable with the supplied API key”: The collection’s can_read flag is false for your account. Pick a different collection. For OTX, the AlienVault Labs collection is always readable for any account; for commercial vendors, check which collections your license includes.
“Found only 1 collection during Discover” (OTX): You forgot to enter your API key. Without authentication, OTX exposes only the public AlienVault Labs collection. Add the key and click Discover again; you should see 3 collections.
“server returned 401” or “403”: Your API key is wrong, expired, or doesn’t have permission to read the requested collection. Verify on the vendor portal — log in, check that the key is active, and confirm your account has access to the collection.
“server returned 500” when adding an OTX feed: You probably pasted https://otx.alienvault.com/taxii/discovery — the legacy TAXII 1.x URL, which OTX has retired. Use https://otx.alienvault.com/taxii/ (no /discovery, with the trailing slash). Mimir auto-walks this to the modern TAXII 2.1 endpoint.
Persistent 404s on a working feed: OTX rate-limits aggressive pollers and returns misleading 404s when throttling. Mimir auto-retries once after 5 seconds. If 404s persist, wait 5-10 minutes (the throttle clears on its own) then click Poll now. If they still happen, increase your poll interval.
The feed paused itself: Long failure streaks auto-disable a feed to prevent repeated noisy errors. Click Edit, fix the underlying issue (rotate the key, verify the URL, check the vendor portal for service notices), then Resume.
“URL points to a TAXII discovery endpoint…” when you click Add feed: You skipped the Discover collections step. The Add feed button requires a specific objects URL (one collection’s data endpoint), not a discovery URL. Click Discover collections, pick a collection with Use, then save.
An indicator is too noisy in my environment: Open Indicators, filter by source, find the indicator, click Deactivate. The deactivation is preserved across future re-imports. This is especially common with broad-coverage commercial feeds that include some indicators that are legitimate in specific environments (CDN IPs, cloud-hosting netblocks).
Replacing or removing the feed
- Edit changes name, URL, key, or interval. Leave the API key field blank to keep the existing key — typing anything replaces it.
- Pause stops polling without losing any imported IOCs.
- Remove deletes the feed but keeps the IOCs (they become orphaned with no source attribution).
If you also want to wipe the imported IOCs, filter the Indicators page by source before removing the feed, then bulk-delete.
Where to next
- Built-in feeds (abuse.ch) — free, no account, complement OTX with commodity-malware coverage.
- MISP feeds — free, no account, complement OTX with European- and ISAC-centric coverage.
- Indicators page — search across all feeds, deactivate noisy IOCs, inspect each indicator’s source attribution.
- OTX website — otx.alienvault.com/browse/global/pulses to browse community pulses and find publishers worth subscribing to (subscriptions show up in your “pulse subscription” collection).