cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
salty
Level 7
Report Inappropriate Content
Message 1 of 4
‎11-12-2020 06:36 AM

Ingest STIX data from an Amazon S3 bucket

Jump to solution
I wish to pull STIX 2.0 JSON formatted logs from an Amazon S3 Bucket into the SIEM. Is there any guidance on how I can achieve this? We are not an Amazon customer but a solution we use from a 3rd party dumps its data into an S3 that we have access to.
0 Kudos
Reply
1 Solution

Accepted Solutions
pbpillai
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4
‎11-12-2020 07:39 AM

Re: Ingest STIX data from an Amazon S3 bucket

Jump to solution

For STIX 1.1 xml format we can configure Cyber Threat Feeds in the ESM properties and send it to the IOC (Indicator of Compromise) engine.

We can then setup watchlists for the respective cyber thread feeds and view the feeds on the dashboard as well as generate alarms.

I may need to check internally on converting the STIX 2.0 format.

View solution in original post

0 Kudos
Reply
3 Replies
pbpillai
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎11-12-2020 07:09 AM

Re: Ingest STIX data from an Amazon S3 bucket

Jump to solution

We do not support STIX 2.0 JSON format.

Currently, we support only STIX 1.1 in XML format.

This would be a productive enhancement request as per KB60021.

Regards,

 

Prashanth B Pillai

Mcafee Technical Support 

Customer Success Group

0 Kudos
Reply
salty
Level 7
Report Inappropriate Content
Message 3 of 4
‎11-12-2020 07:22 AM

Re: Ingest STIX data from an Amazon S3 bucket

Jump to solution

Thanks. Added STIX 2 as an idea.

However I still want to get data out of an S3 bucket, convert from STIX 2 into a format the SIEM likes, and get it into the SIEM. Any suggestions?

Do I need to start thinking about things like using logstash to pull the data, convert it, store it somewhere the SIEM can access?

0 Kudos
Reply
pbpillai
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4
‎11-12-2020 07:39 AM

Re: Ingest STIX data from an Amazon S3 bucket

Jump to solution

For STIX 1.1 xml format we can configure Cyber Threat Feeds in the ESM properties and send it to the IOC (Indicator of Compromise) engine.

We can then setup watchlists for the respective cyber thread feeds and view the feeds on the dashboard as well as generate alarms.

I may need to check internally on converting the STIX 2.0 format.

View solution in original post

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC