Poll a TAXII 2.1 server for STIX indicators

Verified steps

1. Obtain credentials from the TAXII server operator — TAXII 2.1 servers commonly use HTTP Basic authentication, where the client encodes credentials and sends them in the Authorization header using the Basic scheme; obtain the exact authentication method and any required headers from the server's documentation.
2. Discover available collections by sending a GET request to the server's discovery endpoint (commonly /taxii2/) and then to the collections endpoint for the relevant API root; set the Accept header to application/taxii+json;version=2.1 on all requests.
3. Identify the collection ID containing the indicators you want and send a GET request to /api/v21/collections/{collection_id}/objects/ (path format varies by implementation) with the Accept header set to application/taxii+json;version=2.1.
4. On subsequent polls, add the added_after query parameter set to the RFC 3339 timestamp of your last successful poll to retrieve only new or updated objects; this enables incremental ingestion without re-fetching the entire collection.
5. Parse the STIX 2.1 bundle in the response; filter for objects where type is indicator and extract the pattern field (a STIX patterning expression), valid_from, and valid_until fields for operationalizing the indicator.
6. Schedule polling at a regular interval (typically 15–60 minutes) and store the last successful poll timestamp persistently so incremental polling survives restarts.