
What STIX/TAXII Means for DMARC and Email Security Teams

Your DMARC data already contains threat intelligence. STIX/TAXII gets it into the tools your SOC actually uses.

April 18, 2026 | 5 min read

What STIX 2.1 and TAXII 2.1 are

STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) are open standards maintained by OASIS, not proprietary formats owned by any vendor. STIX defines how to represent threat intelligence as structured JSON objects: indicators, sightings, campaigns, vulnerabilities, and the relationships between them. TAXII defines how to transport those objects over HTTPS using a RESTful API.

Together, they solve a fundamental interoperability problem. Instead of building custom integrations for every SIEM, threat intelligence platform, and orchestration tool, a single STIX/TAXII implementation works with any compliant consumer. Splunk, Microsoft Sentinel, Elastic, CrowdStrike, Palo Alto Cortex XSOAR, and dozens of others all speak TAXII natively.

Why DMARC data should flow into your SIEM

DMARC aggregate reports contain a wealth of threat data that most organizations leave siloed in their email security tool. The IP addresses sending unauthorized email as your domain, the authentication failure patterns, the volume trends, and the geographic distribution of spoofing activity are all signals that your SOC can correlate with other threat feeds.

An IP address that appears in your DMARC failures and also shows up in your firewall logs or endpoint detection alerts is a much higher-confidence indicator than either signal alone. Without SIEM integration, these correlations are invisible. Your email security team sees one piece of the puzzle while your SOC analysts see another, and nobody connects them.

SpoofSentry's four TAXII collections

SpoofSentry's built-in TAXII 2.1 server exposes four collections, each serving a specific category of threat intelligence derived from your DMARC data:

  • Threat Indicators — IP addresses, domains, and URLs with reputation data, confidence scores, and kill chain phase mapping
  • Sightings — Observed events linking indicators to your domain's email traffic, with timestamps and volume counts
  • Campaigns — Clustered spoofing campaigns with timeline reconstruction and attributed indicators
  • Vulnerabilities — DNS configuration weaknesses, authentication gaps, and policy misconfigurations

Each object includes standard STIX 2.1 properties: unique identifiers, creation and modification timestamps, confidence levels, and TLP marking definitions. Any TAXII 2.1-compatible client can poll the endpoint on its own schedule to retrieve new and updated objects.
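As an added example (not SpoofSentry's code), the following builds the Indicator and Sighting objects described above from DMARC aggregate-report rows, and raises the confidence score when the same IP is also seen in another log source, as the correlation paragraph earlier describes. The sample rows, the domain and the set of corroborating IPs are constructed; the TLP:AMBER marking-definition ID is the fixed one from the STIX 2.1 specification.

```python
"""Build STIX 2.1 Indicator and Sighting objects from DMARC aggregate-report rows.
Added example with constructed data; not SpoofSentry's implementation."""
import json
import uuid
from datetime import datetime, timezone
# TLP:AMBER marking-definition id as fixed by the STIX 2.1 specification
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

def stix_ts(dt):
    """STIX 2.1 timestamp: RFC 3339 in UTC, millisecond precision, 'Z' suffix."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def dmarc_failures_to_stix(records, domain, now, corroborated=frozenset()):
    """records: (source_ip, count, dkim_result, spf_result, disposition) tuples, one
    per <record> of a DMARC aggregate report. Rows failing both DKIM and SPF become an
    Indicator plus a Sighting; an IP also in `corroborated` (seen in firewall or EDR
    logs) gets a higher confidence score."""
    objects = []
    for ip, count, dkim, spf, disposition in records:
        if dkim == "pass" or spf == "pass":
            continue  # at least one mechanism passed: not a spoofing indicator
        confidence = 50 if disposition == "none" else 70
        if ip in corroborated:
            confidence = 90  # two independent sources agree
        ind_id = f"indicator--{uuid.uuid4()}"
        objects.append({
            "type": "indicator", "spec_version": "2.1", "id": ind_id,
            "created": stix_ts(now), "modified": stix_ts(now),
            "name": f"Unauthenticated mail claiming {domain} from {ip}",
            "indicator_types": ["malicious-activity"],
            "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
            "valid_from": stix_ts(now), "confidence": confidence,
            "object_marking_refs": [TLP_AMBER],
        })
        objects.append({
            "type": "sighting", "spec_version": "2.1",
            "id": f"sighting--{uuid.uuid4()}",
            "created": stix_ts(now), "modified": stix_ts(now),
            "sighting_of_ref": ind_id, "count": count,
            "first_seen": stix_ts(now), "last_seen": stix_ts(now),
            "object_marking_refs": [TLP_AMBER],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

# Constructed rows, as parsed from a DMARC aggregate XML report (not real traffic)
SAMPLE = [("203.0.113.5", 120, "fail", "fail", "reject"),
          ("198.51.100.9", 3, "fail", "fail", "none"),
          ("192.0.2.10", 500, "pass", "pass", "none")]

if __name__ == "__main__":
    print(json.dumps(dmarc_failures_to_stix(
        SAMPLE, "example.com", datetime.now(timezone.utc), {"203.0.113.5"}), indent=2))
```

The resulting bundle is what a TAXII 2.1 collection would return to a polling SIEM; the row that passed both DKIM and SPF produces no objects.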

Quick setup: three steps for each SIEM

Splunk

Install the Splunk Add-on for TAXII from Splunkbase. Configure a new TAXII 2.1 input with your SpoofSentry TAXII endpoint URL and API key. Select which collections to poll and set your preferred polling interval.

Microsoft Sentinel

Navigate to Data Connectors in the Sentinel portal. Search for "Threat Intelligence - TAXII" and configure the connector with your SpoofSentry TAXII server URL, collection IDs, and API credentials. Sentinel polls automatically and maps STIX objects to its ThreatIntelligenceIndicator table.

Elastic Security

In Kibana, go to Management and then Integrations. Add the Threat Intel module and configure a TAXII input pointing to your SpoofSentry endpoint. Indicators are indexed into the logs-ti_taxii_client.threat data stream and are immediately available for indicator match rules.

Why this costs $0 extra

STIX and TAXII are output formats, not premium features bolted on for additional revenue. SpoofSentry serializes the same threat data you already see in the dashboard into STIX 2.1 JSON bundles and serves them over a standards-compliant TAXII endpoint. There is no per-indicator pricing, no volume caps on API calls, and no separate licensing for SIEM integration. It is included in the Enterprise plan because enterprise teams need it.

Bring DMARC into your security operations

STIX/TAXII export is available on the SpoofSentry Enterprise plan. Navigate to the SIEM Feed page in your dashboard to configure the endpoint and test the connection.
