otsruss
Level 7
Message 1 of 25

Cyber Threat Feeds

I have been testing the new 9.5.0 “Cyber Threat Feeds” functionality, and am looking for feedback. I have created several partner feeds (TAXII) to pull indicators and populate Watchlists by type.  As expected, we can utilize the Watchlists in correlation rules, filters, etc., but I am more interested in new functionality. Some observations:

1) A back trace search is done for each individual observable in an indicator. For example, an indicator contains an MD5 and a FileName. The back trace will search for each MD5 and each FileName. Would an indicator to correlation rule make more sense?

2) I have developed a process to create STIX formatted indicators from SIEM alarms and push to a TAXII feed. Should this not be an alarm option?

3) Two-Way SSL support for feeds?

All in all, the new “Cyber Threat Feeds” functionality is a step in the right direction.

Comments?

Regards,

Joe
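As an added example that is not part of Joe's post, the following Python contrasts the two search styles he describes: a per-observable back trace (each MD5 and each FileName looked up on its own) against an indicator-level match that requires every observable of the indicator in the same event. The events, the indicator, the field names and the "strong observable" rule in the third function are constructed assumptions for illustration, not ESM behaviour.

```python
"""Added example (not from the original post): per-observable back-trace hits
versus an indicator-level match on constructed SIEM events."""

# A STIX indicator often carries several observables that only mean something
# together: this MD5 *and* this file name.  (constructed sample)
INDICATOR = {
    "id": "indicator-example-1",
    "observables": {
        "md5": "44d88612fea8a8f36de82e1278abb02f",
        "file_name": "svchost.exe",
    },
}

# Constructed SIEM events: one full match, one that only shares a common
# file name, one that only shares the hash (renamed binary), one unrelated.
EVENTS = [
    {"event_id": 1, "host": "ws-01", "md5": "44d88612fea8a8f36de82e1278abb02f", "file_name": "svchost.exe"},
    {"event_id": 2, "host": "ws-02", "md5": "0f343b0931126a20f133d67c2b018a3b", "file_name": "svchost.exe"},
    {"event_id": 3, "host": "ws-03", "md5": "44d88612fea8a8f36de82e1278abb02f", "file_name": "update.tmp"},
    {"event_id": 4, "host": "ws-04", "md5": "b026324c6904b2a9cb4b88d6d61c81d1", "file_name": "notepad.exe"},
]

# Assumption for this example: a file hash identifies the file on its own,
# while a file name is only meaningful together with the other observables.
STRONG_OBSERVABLES = {"md5"}


def per_observable_hits(events, indicator):
    """What a per-observable back trace returns: each observable is searched on
    its own, so any event sharing *one* value is a hit.  Returns {field: [event_ids]}."""
    hits = {}
    for field, value in indicator["observables"].items():
        hits[field] = [e["event_id"] for e in events if e.get(field) == value]
    return hits


def indicator_hits(events, indicator):
    """Indicator-level match: the event must carry every observable of the
    indicator.  Returns the matching event_ids."""
    obs = indicator["observables"]
    return [e["event_id"] for e in events
            if all(e.get(f) == v for f, v in obs.items())]


def strong_or_all_hits(events, indicator):
    """Middle ground: a strong observable matches on its own, weak observables
    only count when the whole indicator matches."""
    obs = indicator["observables"]
    out = []
    for e in events:
        strong = any(e.get(f) == v for f, v in obs.items() if f in STRONG_OBSERVABLES)
        every = all(e.get(f) == v for f, v in obs.items())
        if strong or every:
            out.append(e["event_id"])
    return out


def compare(events, indicator):
    """Side-by-side result of the three strategies for the same indicator."""
    per_obs = per_observable_hits(events, indicator)
    noisy = sorted({eid for ids in per_obs.values() for eid in ids})
    return {
        "per_observable": noisy,
        "indicator_level": indicator_hits(events, indicator),
        "strong_or_all": strong_or_all_hits(events, indicator),
    }


if __name__ == "__main__":
    print(compare(EVENTS, INDICATOR))
```

On these events the per-observable search flags three hosts, two of them only because `svchost.exe` is a common file name; the strict indicator-level match flags one host but would also miss the renamed copy of the same binary. Weighting observables by how much they identify the file on their own is one way to keep the renamed-binary hit without the file-name noise.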

24 Replies
nikunjs
Level 7
Message 2 of 25

Re: Cyber Threat Feeds

Hi Joe,

Do you have any documentation on how you imported the TAXII feeds, and can you please share the process to create STIX formatted indicators from SIEM alarms and push them to a TAXII feed?

My email is nikunj_shah@mcafee.com.

Thanks,

Nikunj.

otsruss
Level 7
Message 3 of 25

Re: Cyber Threat Feeds

Hello Nikunj,

The documentation is pretty straightforward. I have a feed (site) to an external partner to poll for new indicators/observables. I then have a feed (DB query) defined to allow the SIEM (9.5) to pull the indicators, append to a watchlist, backtrace, log an event, notify, etc.; all pretty simple. The reverse is a little more tricky. I use alarms to trigger remote commands to a Unix VM. I then collect the event/alarm fields to populate (Perl) cyber observables (CybOX), with the resultant STIX XML being pushed (Python) to the TAXII server. I then have a feed (DB query) for consumption by external partners. All this allows for sharing of indicators in real time.

Regards,

Joe
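An added example of the alarm-to-TAXII direction Joe describes above. It is not his Perl/Python tooling and uses only the Python standard library: alarm fields are turned into a STIX 1.1.1 indicator whose CybOX File object carries the file name and MD5, and the package is wrapped in a TAXII 1.1 Inbox_Message ready to POST to an inbox service. The alarm field names, the `partner-inbox` collection name, the `example` id namespace and the inbox URL are assumptions; the STIX, CybOX and TAXII element names, the content binding id and the TAXII HTTP headers are the ones defined by those specifications. The `push` function also shows where a client certificate goes for the two-way SSL case raised in this thread.

```python
"""Added example (not from the thread): SIEM alarm fields -> STIX 1.1.1
indicator (CybOX File object with MD5 + file name) -> TAXII 1.1 Inbox_Message.
Standard library only; alarm record, collection and ids are constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# TAXII 1.1 HTTP binding headers (values from the TAXII specification).
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"


def q(prefix, local):
    """Clark-notation tag ({uri}local) for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_stix_package(alarm, ns_prefix="example"):
    """One STIX_Package with one Indicator whose Observable is a CybOX File
    object carrying the alarm's file name and MD5.  `alarm` keys (alarm_name,
    file_name, md5) are constructed names, not ESM's field names."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": "%s:package-%s" % (ns_prefix, uuid.uuid4()), "version": "1.1.1"})
    ind = ET.SubElement(ET.SubElement(pkg, q("stix", "Indicators")), q("stix", "Indicator"),
                        {q("xsi", "type"): "indicator:IndicatorType",
                         "id": "%s:indicator-%s" % (ns_prefix, uuid.uuid4()),
                         "timestamp": now})
    ET.SubElement(ind, q("indicator", "Title")).text = alarm["alarm_name"]
    obs = ET.SubElement(ind, q("indicator", "Observable"),
                        {"id": "%s:observable-%s" % (ns_prefix, uuid.uuid4())})
    obj = ET.SubElement(obs, q("cybox", "Object"),
                        {"id": "%s:object-%s" % (ns_prefix, uuid.uuid4())})
    props = ET.SubElement(obj, q("cybox", "Properties"), {q("xsi", "type"): "FileObj:FileObjectType"})
    ET.SubElement(props, q("FileObj", "File_Name")).text = alarm["file_name"]
    h = ET.SubElement(ET.SubElement(props, q("FileObj", "Hashes")), q("cyboxCommon", "Hash"))
    ET.SubElement(h, q("cyboxCommon", "Type")).text = "MD5"
    ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = alarm["md5"].lower()
    return pkg


def build_inbox_message(stix_pkg, collection):
    """Wrap a STIX package in a TAXII 1.1 Inbox_Message addressed to `collection`."""
    msg = ET.Element(q("taxii_11", "Inbox_Message"), {"message_id": str(uuid.uuid4().int >> 96)})
    ET.SubElement(msg, q("taxii_11", "Destination_Collection_Name")).text = collection
    block = ET.SubElement(msg, q("taxii_11", "Content_Block"))
    ET.SubElement(block, q("taxii_11", "Content_Binding"), {"binding_id": STIX_BINDING})
    ET.SubElement(block, q("taxii_11", "Content")).append(stix_pkg)
    return ET.tostring(msg, encoding="unicode")


def summarize_inbox_message(xml_text):
    """Parse an Inbox_Message back and return the fields a receiver would check."""
    root = ET.fromstring(xml_text)
    return {
        "collection": root.findtext(q("taxii_11", "Destination_Collection_Name")),
        "binding": root.find(".//" + q("taxii_11", "Content_Binding")).get("binding_id"),
        "title": root.findtext(".//" + q("indicator", "Title")),
        "file_name": root.findtext(".//" + q("FileObj", "File_Name")),
        "md5": root.findtext(".//" + q("cyboxCommon", "Simple_Hash_Value")),
    }


def push(inbox_url, xml_text, client_cert=None, client_key=None, ca_file=None):
    """POST the message to a TAXII inbox.  A client certificate makes this the
    two-way SSL (mutual TLS) case.  Network call; not run by the example itself."""
    import ssl
    import urllib.request
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    req = urllib.request.Request(inbox_url, data=xml_text.encode("utf-8"),
                                 headers=TAXII_HEADERS, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


# Constructed alarm record standing in for the fields collected from an ESM alarm.
SAMPLE_ALARM = {"alarm_name": "Malware hash seen on endpoint",
                "file_name": "svchost.exe",
                "md5": "44D88612FEA8A8F36DE82E1278ABB02F"}

if __name__ == "__main__":
    print(build_inbox_message(build_stix_package(SAMPLE_ALARM), "partner-inbox"))
```

The inbox service on the receiving side answers with a TAXII Status_Message; a status_type of SUCCESS means the block was accepted, anything else should be logged with its Message text rather than silently retried.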

Re: Cyber Threat Feeds

Is the feed you are using a commercial one that you need to subscribe to, a free feed or partner feed that allows you to access without payment?

I have been having trouble finding a feed to use in our McAfee ESM.

jal
Level 9
Message 5 of 25

Re: Cyber Threat Feeds

This one is free

hail a taxii

feeeds
Level 9
Message 6 of 25

Re: Cyber Threat Feeds

Have you guys looked at this app at all? I am trying to figure out if it's needed; it would seem to take some of the programming out of what we want to do.

In addition, can you share some screenshots of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.

thanks

https://soltra.com/

jal
Level 9
Message 7 of 25

Re: Cyber Threat Feeds

From what I understand, Soltra is a TAXII implementation.

So it would make sense to get a Soltra/TAXII installation on premises.

Regis
Level 12
Message 8 of 25

Re: Cyber Threat Feeds


feeeds wrote:

Have you guys looked at this app at all? I am trying to figure out if it's needed; it would seem to take some of the programming out of what we want to do.

In addition, can you share some screenshots of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.

thanks

https://soltra.com/

We needed Soltra at one client, as the feed provider required 2-way SSL auth, which ESM doesn't currently support.

This isn't what you asked, but getting hailataxii data (username guest, no password) into Soltra Edge seemed relatively straightforward, and once we added it as a Site, it gave us a big list of various Feeds available. Haven't tried a direct hailataxii into ESM yet though.

I had a rather disappointing support experience with platinum today when asking about pulling a TAXII feed domain watchlist in, and wanting to know whether the target watchlist for the feed should be of watchlist type domain vs web_domain. I'm continuing to look at that, trying to get Soltra -> ESM domain watchlist imports to work. We got IP address sorts of goodies off FS-ISAC into Soltra yesterday and then into an ESM watchlist of type Attacker_IP.

[attachment: soltra.PNG]

japie
Level 9
Message 9 of 25

Re: Cyber Threat Feeds

Hi Jal

Have you managed to get Hailataxii working?

I configured it today. The IOC files downloaded are empty.

Also the following messages:

May 27 13:29:04 McAfee libJobServer.so[4231]: (29733) Info: Cyber Threat file /usr/local/ace/IOCOutput/rawIOC_2015_05_27_13_29_00_01C1762B42.xml contains no data.

Also looked at the XML file and it is empty.

<?xml version="1.0"?>
<taxii_11:Status_Message status_type="NOT_FOUND" in_response_to="1" message_id="50992" xmlns:tdq="http...<taxii_11:Message>
Feed not found</taxii_11:Message>
</taxii_11:Status_Message>

Anyone have this working?

We are on 9.5.0 MR2


Thanks,

Japie
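The file above is empty because the server answered the poll with a TAXII Status_Message (status_type NOT_FOUND, "Feed not found") instead of a Poll_Response carrying content blocks. As an added example that is not part of Japie's post or of the ESM, the following Python classifies a TAXII 1.1 reply before it is treated as indicator data and shows where the collection name that must match the server's advertised feed goes in the Poll_Request. Both sample messages are constructed; the Status_Message is modelled on the one in the post, and `guest.Example_Feed` is a placeholder collection name, not a real Hail a TAXII feed.

```python
"""Added example (not from the thread): tell a TAXII 1.1 Status_Message apart
from a Poll_Response before writing an IOC file, and build the Poll_Request
whose collection_name must match what the server advertises."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"


def _t(local):
    return "{%s}%s" % (TAXII_NS, local)


def classify_taxii_response(xml_text):
    """Return a summary dict: kind (Status_Message, Poll_Response, ...) plus
    the status fields or the content blocks found."""
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{%s}" % TAXII_NS):
        return {"kind": "not_taxii", "tag": root.tag}
    kind = root.tag.split("}", 1)[1]
    if kind == "Status_Message":
        return {"kind": kind,
                "status_type": root.get("status_type"),
                "in_response_to": root.get("in_response_to"),
                "message": (root.findtext(_t("Message")) or "").strip()}
    blocks = []
    for blk in root.findall(_t("Content_Block")):
        binding = blk.find(_t("Content_Binding"))
        content = blk.find(_t("Content"))
        payload = list(content) if content is not None else []
        blocks.append({"binding": binding.get("binding_id") if binding is not None else None,
                       "root": payload[0].tag if payload else None})
    return {"kind": kind, "collection": root.get("collection_name"),
            "more": root.get("more"), "blocks": blocks}


def should_write_ioc_file(xml_text):
    """(ok, reason): only a Poll_Response with at least one content block is
    worth writing out; anything else should be logged with its reason."""
    info = classify_taxii_response(xml_text)
    if info["kind"] == "Status_Message":
        return False, "%s: %s" % (info["status_type"], info["message"])
    if info["kind"] != "Poll_Response":
        return False, "unexpected message %s" % info["kind"]
    if not info["blocks"]:
        return False, "Poll_Response with no content blocks"
    return True, "%d content block(s)" % len(info["blocks"])


def build_poll_request(collection_name, message_id="2"):
    """TAXII 1.1 Poll_Request.  collection_name must be exactly one of the names
    the server returns in its Collection_Information_Response; an unknown
    name is answered with a NOT_FOUND Status_Message."""
    name = escape(collection_name, {'"': "&quot;"})
    return ('<taxii_11:Poll_Request xmlns:taxii_11="%s" message_id="%s" collection_name="%s">'
            '<taxii_11:Poll_Parameters allow_asynch="false">'
            '<taxii_11:Response_Type>FULL</taxii_11:Response_Type>'
            '</taxii_11:Poll_Parameters></taxii_11:Poll_Request>' % (TAXII_NS, message_id, name))


# Constructed sample: the shape of the NOT_FOUND reply quoted in the post.
STATUS_NOT_FOUND = """<?xml version="1.0"?>
<taxii_11:Status_Message xmlns:taxii_11="%s" status_type="NOT_FOUND" in_response_to="1" message_id="50992">
  <taxii_11:Message>Feed not found</taxii_11:Message>
</taxii_11:Status_Message>""" % TAXII_NS

# Constructed sample: what a successful poll looks like (one STIX content block).
POLL_RESPONSE = """<?xml version="1.0"?>
<taxii_11:Poll_Response xmlns:taxii_11="%s" xmlns:stix="http://stix.mitre.org/stix-1" message_id="7" in_response_to="2" collection_name="guest.Example_Feed" more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content><stix:STIX_Package id="example:package-1" version="1.1.1"/></taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>""" % TAXII_NS

if __name__ == "__main__":
    for sample in (STATUS_NOT_FOUND, POLL_RESPONSE):
        print(should_write_ioc_file(sample))
    print(build_poll_request("guest.Example_Feed"))
```

A collection name typo, or a feed the account is not entitled to, produces exactly the NOT_FOUND reply in the post, so comparing the configured name against the server's Collection_Information_Response is the first thing to check when the downloaded IOC file is empty.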

jal
Level 9
Message 10 of 25

Re: Cyber Threat Feeds

Sadly, not.

I have an issue with a proxy related bug in the ESM, so I can't use it, right now. Upgrade to the latest MR pending.

Note: Soltra is the publisher of hailataxii.com? See: Hailataxii and Libtaxii Demo · STIXProject/schemas Wiki · GitHub