I have been testing the new 9.5.0 “Cyber Threat Feeds” functionality, and am looking for feedback. I have created several partner feeds (TAXII) to pull indicators and populate Watchlists by type. As expected, we can utilize the Watchlists in correlation rules, filters, etc., but I am more interested in new functionality. Some observations:
1) A back trace search is done for each individual observable in an indicator. For example, an indicator contains MD5 and FileName. The back trace will search for each MD5 and each FileName. Would an indicator to correlation rule make more sense?
2) I have developed a process to create STIX formatted indicators from SIEM alarms and push to a TAXII feed. Should this not be an alarm option?
3) Two-Way SSL support for feeds?
All in all, the new “Cyber Threat Feeds” functionality is a step in the right direction.
Comments?
Regards,
Joe
Hi Joe,
Do you have any documentation on how you imported TAXII feeds, and can you please share the process to create STIX formatted indicators from SIEM alarms to push to a TAXII feed?
My email is nikunj_shah@mcafee.com.
Thanks,
Nikunj.
Hello Nikunj,
The documentation is pretty straightforward. I have a feed (site) to an external partner to poll for new indicators\observables. I then have a feed (DB query) defined to allow the SIEM (9.5) to pull the indicators, append to watchlist, backtrace, log event, notify, etc.; all pretty simple. The reverse is a little more tricky. I use alarms to trigger remote commands to a Unix VM. I then collect the event\alarm fields to populate (Perl) cyber observables (CybOX) with the resultant STIX XML being pushed (Python) to the TAXII server. I then have a feed (DB query) for consumption by external partners. All this allows for sharing of indicators in real-time.
Regards,
Joe
Is the feed you are using a commercial one that you need to subscribe to, a free feed or partner feed that allows you to access without payment?
I have been having trouble finding a feed to use in our McAfee ESM.
This one is free
Have you guys looked at this app at all? I am trying to figure out if it's needed; it would seem to take some of the programming out of what we want to do.
In addition, can you share some screen shot of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.
thanks
From what I understand, Soltra is a TAXII implementation.
So it would make sense to get a Soltra/TAXII installation on premises.
feeeds wrote:
Have you guys looked at this app at all? I am trying to figure out if it's needed; it would seem to take some of the programming out of what we want to do.
In addition, can you share some screen shot of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.
thanks
Soltra we needed at one client as the feed provider required 2-way SSL auth which ESM doesn't currently support.
This isn't what you asked, but getting hailataxi data (username guest, no password) into Soltra Edge seemed relatively straightforward, and once we added it as a Site, it gave us a big list of various Feeds available. Haven't tried a direct hailataxi into ESM yet though.
I had a rather disappointing support experience with platinum today when asking about pulling a TAXII feed domain watch list in, and wanting to know whether the target watchlist for the feed should be of watchlist type domain vs web_domain. I'm continuing to look at that trying to get Soltra -> ESM domain watchlist imports to work. We got IP address sorts of goodies off FS-ISAC into Soltra yesterday and then into an ESM watchlist of type Attacker_IP.
Hi Jal
Have you managed to get Hailataxii working?
I configured it today. The IOC files downloaded are empty.
Also the following messages:
May 27 13:29:04 McAfee libJobServer.so[4231]: (29733) Info: Cyber Threat file /usr/local/ace/IOCOutput/rawIOC_2015_05_27_13_29_00_01C1762B42.xml contains no data.
Also looked at the XML file and it is empty.
<?xml version="1.0"?>
<taxii_11:Status_Message status_type="NOT_FOUND" in_response_to="1" message_id="50992" xmlns:tdq="ht...<taxii_11:Message>
Feed not found</taxii_11:Message>
</taxii_11:Status_Message>
Anyone have this working?
We are on 9.5.0 MR2
Thanks,
Japie
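The "empty" IOC file quoted above is not empty: it holds a TAXII Status_Message with status_type NOT_FOUND and the text "Feed not found", which is the server saying the requested feed/collection does not exist, rather than a feed with no indicators. The following Python is an added example, not code from the thread or from McAfee or Soltra, that tells such a status reply apart from a real Poll_Response; the two messages are constructed here (the first modelled on the quoted one with its xmlns restored, the collection name and STIX ids are invented), and only the standard library is used:

```python
"""Classify a raw TAXII 1.1 poll result before treating an IOC file as 'empty'."""
import xml.etree.ElementTree as ET

NS = {
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "stix": "http://stix.mitre.org/stix-1",
}

# Constructed: the NOT_FOUND reply from the thread, with its namespace declaration restored.
STATUS_NOT_FOUND = """<?xml version="1.0"?>
<taxii_11:Status_Message xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    status_type="NOT_FOUND" in_response_to="1" message_id="50992">
  <taxii_11:Message>Feed not found</taxii_11:Message>
</taxii_11:Status_Message>"""

# Constructed: what a successful poll looks like, one content block holding a STIX 1.1 package
# with a single indicator (collection name and ids are made up for the example).
POLL_RESPONSE = """<?xml version="1.0"?>
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    message_id="2" in_response_to="1" collection_name="example.collection">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package id="example:Package-1" version="1.1">
        <stix:Indicators>
          <stix:Indicator id="example:indicator-1"/>
        </stix:Indicators>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""


def inspect_poll_result(xml_text):
    """Return ('status', (status_type, message)) for a TAXII status message,
    ('content', indicator_count) for a poll response, or ('unknown', tag)."""
    root = ET.fromstring(xml_text)
    tag = root.tag.split("}")[-1]  # strip the namespace URI from the element name
    if tag == "Status_Message":
        msg = root.find("taxii_11:Message", NS)
        text = msg.text.strip() if msg is not None and msg.text else ""
        return "status", (root.get("status_type"), text)
    if tag == "Poll_Response":
        # Count STIX indicators across all content blocks; zero means a genuinely empty poll.
        count = len(root.findall(".//taxii_11:Content_Block//stix:Indicator", NS))
        return "content", count
    return "unknown", tag
```

A NOT_FOUND result points at the feed/collection name configured in the ESM source, not at the feed's content; a Poll_Response with a zero count is the case where the feed really had nothing new.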
Sadly, not.
I have an issue with a proxy related bug in the ESM, so I can't use it, right now. Upgrade to the latest MR pending.
Note: Soltra is the publisher of hailataxii.com? See "Hailataxii and Libtaxii Demo" on the STIXProject/schemas Wiki (GitHub).