cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
otsruss
Level 7
Report Inappropriate Content
Message 1 of 25
‎03-27-2015 07:42 AM

Cyber Threat Feeds

I have been testing the new 9.5.0 “Cyber Threat Feeds” functionality, and am looking for feedback. I have created several partner feeds (TAXII) to pull indicators and populate Watchlists by type.  As expected, we can utilize the Watchlists in correlation rules, filters, etc., but I am more interested in new functionality. Some observations:

1)      1) A back trace search is done for each individual observable in an indicator. For example; An indicator contains MD5 and FileName. The back trace will search for each MD5 and each FileName. Would an indicator to correlation rule make more sense?  

2)      2) I have developed a process to create STIX formatted indicators from SIEM alarms and push to a TAXII feed. Should this not be an alarm option?

3)     

Tw     3) Two-Way SSL support for feeds?

All in all, the new “Cyber Threat Feeds” functionality is a step in the right direction.

Comments?

Regards,

Joe

Reply
24 Replies
nikunjs
Level 7
Report Inappropriate Content
Message 2 of 25
‎04-17-2015 06:03 AM

Re: Cyber Threat Feeds

Hi Joe,

Do you have any documentation on how did you import TAXII feeds and can you please share process to create STIX formatted indicators from SIEM alarms to push to a TAXII feed?

My email is nikunj_shah@mcafee.com.

Thanks,

Nikunj.

0 Kudos
Reply
otsruss
Level 7
Report Inappropriate Content
Message 3 of 25
‎04-17-2015 07:16 AM

Re: Cyber Threat Feeds

Hello Nikunj,

The documentation is pretty straightforward. I have a feed (site) to an external partner to poll for new indicators\observables. I then have a feed (DB query) defined to allow the SIEM (9.5) to pull the indicators, append to watchlist, backtrace, log event, notify, etc.;  all pretty simple. The reverse is a little more tricky. I use alarms to trigger remote commands to a Unix VM. I then collect the event\alarm fields to populate (Perl) cyber observables (CybOX) with the resultant STIX XML being pushed (Python) to the TAXII sever. I then have a feed (DB query) for consumption by external partners. All this allows for sharing of indicators in real-time.

Regards,

Joe

0 Kudos
Reply
foofightersecur
Level 7
Report Inappropriate Content
Message 4 of 25
‎05-06-2015 08:07 AM

Re: Cyber Threat Feeds

Is the feed you are using a commercial one that you need to subscribe to, a free feed or partner feed that allows you to access without payment?

I have been having trouble finding a feed to use in our McAfee ESM.

0 Kudos
Reply
jal
Level 9
Report Inappropriate Content
Message 5 of 25
‎05-19-2015 09:48 AM

Re: Cyber Threat Feeds

This one is free

hail a taxii

Reply
feeeds
Level 9
Report Inappropriate Content
Message 6 of 25
‎05-26-2015 12:28 PM

Re: Cyber Threat Feeds

Have you guys looked at this app at all?   I am trying to figure out if its needed, it would seem to take some of the programming out of what we want to do.

In addition, can you share some screen shot of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.

thanks

https://soltra.com/

0 Kudos
Reply
jal
Level 9
Report Inappropriate Content
Message 7 of 25
‎05-27-2015 06:45 AM

Re: Cyber Threat Feeds

From what I understand, Soltra is a TAXII implementation.

So it would make sense to get a Soltra/TAXII installation on premises.

0 Kudos
Reply
Regis
Level 12
Report Inappropriate Content
Message 8 of 25
‎06-22-2016 10:50 AM

Re: Cyber Threat Feeds 


feeeds wrote:


Have you guys looked at this app at all?   I am trying to figure out if its needed, it would seem to take some of the programming out of what we want to do.

In addition, can you share some screen shot of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.


thanks

https://soltra.com/

Soltra we needed at one client as the feed provider required 2-way SSL auth which ESM doesn't currently support.

This isn't what you asked, but getting hailataxi data  (username guest,  no password)  into Soltra Edge seemed relatively straightforward, and once we added it as a Site,  it gave us a big list of various Feeds available.   Haven't tried a direct hailataxi into ESM yet though. 

I had a rather disappointing support experience with platinum today when asking about pulling a TAXII feed domain watch list in,  and wanting to know whether the target watchlist for the feed should be of watchlist type domain vs web_domain.    I'm continuing to look at that trying to get Soltra -> ESM  domain watchlist imports to work.     We got IP address sorts of goodies off FS-ISAC into Soltra yesterday and  then into an ESM watchlist of type Attacker_IP.  

soltra.PNG

0 Kudos
Reply
japie
Level 9
Report Inappropriate Content
Message 9 of 25
‎05-27-2015 06:36 AM

Re: Cyber Threat Feeds

Hi Jal

Have you managed to get Hailataxii working?

I configued it today. The IOC files downloaded are empty.

Also the following messages:

May 27 13:29:04 McAfee libJobServer.so[4231]: (29733) Info: Cyber Threat file /usr/local/ace/IOCOutput/rawIOC_2015_05_27_13_29_00_01C1762B42.xml contains no data.

Also looked at the XMl file and it is empty.

<?xml version="1.0"?>

<taxii_11:Status_Message status_type="NOT_FOUND" in_response_to="1" message_id="50992" xmlns:tdq="ht...<taxii_11:Message>

Feed not found</taxii_11:Message>

</taxii_11:Status_Message>

Anyone have this working?

We are on 9.5.0 MR2


Thanks,

Japie

Reply
jal
Level 9
Report Inappropriate Content
Message 10 of 25
‎05-27-2015 06:43 AM

Re: Cyber Threat Feeds

Sadly, not,

I have an issue with a proxy related bug in the ESM, so I can't use it, right now. Upgrade to the latest MR pending.

Note: Soltra is the publisher of hailataxii.com  ? Hailataxii and Libtaxii Demo · STIXProject/schemas Wiki · GitHub

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC