Add to TAXII Collections (Form View)

  • Release version: Zurich
  • Updated November 25, 2025
  • 4 minutes to read

    • The Add to TAXII Collections feature on the observable form view, allows analysts to add selected observables and their related entities directly to TAXII collections.

    Before you begin

    Role required: sn_sec_tisc.analyst

    About this task

    Following is the procedure that shows how to add TAXII collections to an observable.

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center > Threat Intel Library > Observables > All Observables.
    2. Select the observable(s).
      Note:
      The Add to TAXII Collections button is not available if you select All Observables. To enable this button, you must select a specific observable type, for example Email Message.
    3. Open any observable record.
    4. Click Add to TAXII Collections button.
    5. Select the TAXII Collections sample template.

      All the templates configured on the Outbound Intel Sharing page appear here, allowing you to select the one you need. For more information, see Configuring Outbound Intel Sharing Templates.

      On the Observable Form View, you also have an option to include the associated related record(s) when adding a record to a TAXII Collection. If the selected record has related intelligence such as campaigns, indicators, malware, or other associated entities then they are displayed as part of the related records list, under the Related Records section of the form view.

      Threat Intel Library list view: In the Threat Intelligence Library list view, you can select multiple records at a time to add them to a TAXII Collection. However, the option to Add Linked Related Records is not available which means only the selected records will be processed to the next step.

      In the Form View, when you open an individual observable record, you can see all of its linked related records such as associated campaigns, indicators, malware, or other connected intelligence. When you choose Add to TAXII Collections from the Observable form view, an additional check box appears as explained in the next step.

      In addition, on the Observable Form View, if you also have an option to include the associated MITRE Technique related record(s) when adding a record to a TAXII Collection then they are associated and displayed as part of the related records list, under the Related Records section of the form view, and then the records are shared to the intelligence using two different methods such as Add to TAXII Collections by adding them to a configured collection, for more information, see Exploring TAXII Outbound Server and Outbound Intelligence Sharing which allows you to share the selected techniques and related intelligence directly with configured sharing channels. For more information, see Configuring Outbound Intel Sharing Controls
      Note:
      Before you can share MITRE techniques whether through Add to TAXII Collections or Outbound Share Intelligence, the corresponding MITRE technique records must already exist in the Threat Intelligence Library. Only when the techniques are present in the library then they can be correctly associated and shared through either sharing methods.
      MITRE Techniques Related Records
    6. Select Automatically link related records of the selected intelligence as well check box if you've to link the related records to the TAXII collections.

      Add to TAXII Collections form view

    7. Select Add.
      You will be prompted to select a template. Any templates you’ve previously created will be listed here for you to select.
    8. Once you have selected the template select Add.
      A TAXII collection addition job record is created to track the action.
    9. Click on the job record to view its details.
      You will see the specific records that have been successfully added to the TAXII Collection.

      This process confirms which intelligence items were shared and provides an auditable record of the action.

      Note:
      A system property sn_sec_tisc.add_to_taxii_collection_entity_threshold defines the maximum number of entities (observable records) that can be added to a TAXII Collection in a single request. The system enforces a hard limit of 10000 entities.
    10. Select the Record section of the job record.
    11. Drill down to the TAXII Collection Records section.
      You will notice that the selected observable(s) are added to the TAXII collection and you will also see the exclusion rules.

      Exclusion rules define which records or data should not be included when adding items to a TAXII Collection, ensuring that only the intended intelligence is shared. Each template comes with its own sharing template controls, which specify the attributes and information to include or exclude during sharing.

      In addition, exclusion rules also allows you to automatically prevent certain records from being added to a TAXII Collection.

      Any records that match the criteria defined in these rules are excluded and cannot be shared. For example, if a global exclusion rule is configured to block domains with a specific status, such as red or clear, any record matching that condition will be automatically excluded.

      When you attempt to add such records to a TAXII Collection, the application will indicate that they have been excluded (see the screenshot below), ensuring that only the intended and allowed intelligence is shared. For more information on the exclusion rules, see Configuring Outbound Intel Data Exclusion Rule.

      Excluded records on Add to TAXII Collections

    What to do next

    Once you add the records to the TAXII collections, navigate to Administration > TAXII Outbound Server > TAXII Collections to view the added records under the TAXII Collection Records section. For more information, see Exploring TAXII Outbound Server and Viewing TAXII Collection Records.