Regis
Level 12
Message 11 of 25

Re: Cyber Threat Feeds


jal wrote:

Sadly, not.

I have an issue with a proxy-related bug in the ESM, so I can't use it right now. Upgrade to the latest MR pending.



Note: Soltra is the publisher of hailataxii.com (see Hailataxii and Libtaxii Demo · STIXProject/schemas Wiki · GitHub).


Curious, what was your bug? It's a real pain in the butt that ESM doesn't seem to have a notion of a proxy exception list, so all the traffic from ESM to my local Soltra Edge instance goes through my internet web proxies.

feeeds
Level 9
Message 12 of 25

Re: Cyber Threat Feeds

I was able to get two of the TAXII feeds to work as you stated. The test connectivity works, but the file downloads are empty. I set up both the malwareDomainList and the dshield blocklist.

Re: Cyber Threat Feeds

Has anyone been able to successfully set up the Soltra Edge VM to consume FS-ISAC threat feeds and then TAXII those threat feeds from Soltra Edge into the ESM? It is my understanding that you have to set up a special repo account to get FS-ISAC and Soltra Edge to play nice together, but can you TAXII those threat feeds from Soltra Edge into the ESM?

feeeds
Level 9
Message 14 of 25

Re: Cyber Threat Feeds

That was going to be my question as well. Further, would you even need to, or can you configure the ESM to pull directly from FS-ISAC with this repo account?

Re: Cyber Threat Feeds

That's what I was thinking, but my coworker reached out to FS-ISAC and they said we needed to set up a "repo account" and they are supposed to send some SSL key to load into Soltra Edge to authorize the threat feed to work. It would be much easier to cut out the middleman and go straight to the ESM though.

Regis
Level 12
Message 16 of 25

Re: Cyber Threat Feeds


nitroman wrote:

That's what I was thinking, but my coworker reached out to FS-ISAC and they said we needed to set up a "repo account" and they are supposed to send some SSL key to load into Soltra Edge to authorize the threat feed to work. It would be much easier to cut out the middleman and go straight to the ESM though.



Hi Nitroman,

I've worked with an FS-ISAC shop through this and am continuing to learn. What I know thus far is you will need to reach out to FS-ISAC and request an account for repository access (this is done via email). They will send qualifying members a username, a password, and an SSL cert.

You can't use ESM directly to consume the FS-ISAC TAXII feed (which kinda blows) because of the client-side SSL cert requirement that FS-ISAC imposes on their feed. ESM, at least as of 9.5.x, doesn't support that natively, best I can divine. So you need the goofy Soltra VM (and its attendant limitations on proxy support that are currently driving me a little batty -- the system proxy settings for the Soltra VM lack the ability to specify a custom proxy port for adapters, though they do support a custom proxy port for feeds). The Soltra Edge setup does support two-way SSL auth and username/password. Then, once the intel feed is down on the Soltra Edge VM, you would point ESM to a URL on the Soltra Edge VM to consume the TAXII feed from there.

Note that the "Collection Name" field in ESM's Cyber Threat Feed Wizard needs to match the "Feed Name" in Soltra Edge. The URL you provide in the ESM wizard will be something like http://soltraedge.yourcompany.com/taxii-discovery-service

There's a step-by-step on Soltra's site (Getting Started with Soltra Edge — Soltra Documentation) once you get your repo account info from the FS-ISAC folks.

HTH.  Please share back any other tips/tricks you've found!
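To make the exchange described above concrete, here is a small stdlib-only sketch of the TAXII 1.1 discovery-then-poll flow a consumer such as ESM runs against a Soltra Edge discovery service, including a check that the configured collection name is one the server actually advertises (the "Collection Name" must equal "Feed Name" rule). This is an added illustration, not code from McAfee, Soltra or the poster; the sample server responses and the feed name dshield_blocklist are constructed, and the two-way SSL handshake to FS-ISAC is out of scope here.

```python
import uuid
import xml.etree.ElementTree as ET

# TAXII 1.1 XML message binding namespace (the binding Soltra Edge and hailataxii speak).
NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ET.register_namespace("taxii_11", NS)


def tag(name):
    return f"{{{NS}}}{name}"


def discovery_request():
    """Step 1: the Discovery_Request a consumer posts to .../taxii-discovery-service."""
    req = ET.Element(tag("Discovery_Request"), message_id=uuid.uuid4().hex)
    return ET.tostring(req, encoding="unicode")


def parse_services(discovery_response_xml):
    """Step 2: map service_type -> Address so the consumer can locate the POLL endpoint."""
    root = ET.fromstring(discovery_response_xml)
    return {inst.get("service_type"): inst.findtext(tag("Address"))
            for inst in root.iterfind(tag("Service_Instance"))
            if inst.get("available", "true") == "true"}


def advertised_collections(collection_info_xml):
    """Collection names the server advertises; in Soltra Edge these are the feed names."""
    root = ET.fromstring(collection_info_xml)
    return [c.get("collection_name") for c in root.iterfind(tag("Collection"))]


def poll_request(collection_name, advertised):
    """Step 3: build a Poll_Request, refusing a name the server does not advertise."""
    if collection_name not in advertised:
        raise ValueError(f"{collection_name!r} not advertised; server offers {advertised}")
    req = ET.Element(tag("Poll_Request"), message_id=uuid.uuid4().hex,
                     collection_name=collection_name)
    params = ET.SubElement(req, tag("Poll_Parameters"), allow_asynch="false")
    ET.SubElement(params, tag("Response_Type")).text = "FULL"
    return ET.tostring(req, encoding="unicode")


# Constructed sample responses standing in for what a Soltra Edge instance would return.
SAMPLE_DISCOVERY = f"""<taxii_11:Discovery_Response xmlns:taxii_11="{NS}" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Address>http://soltraedge.yourcompany.com/taxii-data</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""
SAMPLE_COLLECTIONS = f"""<taxii_11:Collection_Information_Response xmlns:taxii_11="{NS}" message_id="4" in_response_to="3">
  <taxii_11:Collection collection_name="dshield_blocklist" collection_type="DATA_FEED" available="true"/>
</taxii_11:Collection_Information_Response>"""
```

A name that differs from the advertised one (even by case or spacing) is rejected before any poll is sent, which is the first thing to verify when a feed connects successfully yet yields nothing.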

jal
Level 9
Message 17 of 25

Re: Cyber Threat Feeds

Hi, would you be able to screencap and share the config that works for hailataxii.com?

thanks

feeeds
Level 9
Message 18 of 25

Re: Cyber Threat Feeds

Here you go. It connects successfully, but the watchlist that it's supposed to populate is empty.

hailataxii-SC.JPG

xded
Level 12
Message 19 of 25

Re: Cyber Threat Feeds

My watchlist has values. But it's difficult to know which indicator type is used by Hail TAXII.

cyberthread.png

cyberthread2.png

cyberthread3.png

The connection test is very slow, but the test is successful and the watchlist is updated with data.

Re: Cyber Threat Feeds

Hello, guys,

What does "Collection Name" mean in the Cyber Threat Feed Wizard?
