Level 7
Message 1 of 4

Ingest STIX data from an Amazon S3 bucket

I wish to pull STIX 2.0 JSON formatted logs from an Amazon S3 Bucket into the SIEM. Is there any guidance on how I can achieve this? We are not an Amazon customer but a solution we use from a 3rd party dumps its data into an S3 that we have access to.
3 Replies
McAfee Employee
Message 2 of 4

Re: Ingest STIX data from an Amazon S3 bucket


We do not support STIX 2.0 JSON format.

Currently, we support only STIX 1.1 in XML format.

This would be a productive enhancement request as per KB60021.

Regards,


Prashanth B Pillai

McAfee Technical Support

Customer Success Group

Level 7
Message 3 of 4

Re: Ingest STIX data from an Amazon S3 bucket


Thanks. Added STIX 2 as an idea.

However, I still want to get data out of an S3 bucket, convert from STIX 2 into a format the SIEM likes, and get it into the SIEM. Any suggestions?

Do I need to start thinking about things like using logstash to pull the data, convert it, store it somewhere the SIEM can access?

McAfee Employee
Message 4 of 4 (Accepted Solution)

Re: Ingest STIX data from an Amazon S3 bucket


For STIX 1.1 XML format we can configure Cyber Threat Feeds in the ESM properties and send it to the IOC (Indicator of Compromise) engine.

We can then set up watchlists for the respective cyber threat feeds and view the feeds on the dashboard as well as generate alarms.

I may need to check internally on converting the STIX 2.0 format.

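One way to bridge the gap discussed in message 3 and the accepted answer, as an added example that is not part of this thread and not McAfee's or any third party's code: fetch the STIX 2.0 bundle from the bucket, flatten each indicator pattern into atomic IoCs, and emit a minimal STIX 1.1.1 package that can be handed to the ESM Cyber Threat Feed / IOC engine path the accepted answer describes. The bucket and key names, the object ids, the handled pattern subset (IPv4 addresses, domain names, SHA-256 file hashes) and the assumption that ESM accepts a package of this minimal shape are all mine; validate the output against your ESM version before relying on it, and give the fetch only read-only S3 permissions on the third party's bucket.

```python
"""Convert a STIX 2.0 indicator bundle (as dumped to S3) into a minimal STIX 1.1.1 package.

Assumptions (not from the forum thread): the S3 bucket/key, the subset of STIX 2
patterns handled, and that a minimal STIX 1.1.1 package of this shape is accepted by
the ESM Cyber Threat Feed parser. Check the result against your ESM version.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Simple comparison expressions we know how to map onto CybOX objects. findall walks
# the whole pattern, so "A OR B" yields two IoCs; AND/FOLLOWEDBY semantics are
# flattened, i.e. every atomic match becomes its own indicator.
_PATTERN_RE = re.compile(
    r"(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256')\s*=\s*'([^']*)'"
)

# STIX 1.1.1 / CybOX 2.1 namespaces.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample bundle: documentation-range IPs, an .invalid domain, a fake hash.
SAMPLE_BUNDLE = {
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "not an indicator, ignored by the converter"},
    ],
}


def _q(prefix: str, tag: str) -> str:
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def load_bundle_from_s3(bucket: str, key: str) -> dict:
    """Fetch a bundle from S3. boto3 is imported lazily so conversion works offline.
    Assumption: boto3 is installed and read-only credentials are in the usual places."""
    import boto3
    body = boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()
    return json.loads(body)


def extract_iocs(bundle: dict) -> List[Tuple[str, str, str]]:
    """Return (kind, value, source_indicator_id) for every atomic match in the bundle."""
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for kind, value in _PATTERN_RE.findall(obj.get("pattern", "")):
            out.append((kind, value, obj.get("id", "")))
    return out


def build_stix11(iocs: List[Tuple[str, str, str]], package_id: str = "example:Package-1") -> str:
    """Serialise the flattened IoCs as one STIX 1.1.1 package, one Indicator per IoC."""
    root = ET.Element(_q("stix", "STIX_Package"), {"id": package_id, "version": "1.1.1"})
    # Only referenced in an xsi:type value, so declare it by hand.
    root.set("xmlns:cyboxVocabs", "http://cybox.mitre.org/default_vocabularies-2")
    indicators = ET.SubElement(root, _q("stix", "Indicators"))
    for n, (kind, value, src_id) in enumerate(iocs, 1):
        ind = ET.SubElement(indicators, _q("stix", "Indicator"), {"id": "example:Indicator-%d" % n})
        ind.set(_q("xsi", "type"), "indicator:IndicatorType")
        ET.SubElement(ind, _q("indicator", "Title")).text = "%s (from %s)" % (kind, src_id)
        obs = ET.SubElement(ind, _q("indicator", "Observable"), {"id": "example:Observable-%d" % n})
        obj = ET.SubElement(obs, _q("cybox", "Object"), {"id": "example:Object-%d" % n})
        props = ET.SubElement(obj, _q("cybox", "Properties"))
        if kind == "ipv4-addr:value":
            props.set(_q("xsi", "type"), "AddressObj:AddressObjectType")
            props.set("category", "ipv4-addr")
            ET.SubElement(props, _q("AddressObj", "Address_Value")).text = value
        elif kind == "domain-name:value":
            props.set(_q("xsi", "type"), "DomainNameObj:DomainNameObjectType")
            props.set("type", "FQDN")
            ET.SubElement(props, _q("DomainNameObj", "Value")).text = value
        else:  # file:hashes.'SHA-256'
            props.set(_q("xsi", "type"), "FileObj:FileObjectType")
            h = ET.SubElement(ET.SubElement(props, _q("FileObj", "Hashes")), _q("cyboxCommon", "Hash"))
            t = ET.SubElement(h, _q("cyboxCommon", "Type"))
            t.set(_q("xsi", "type"), "cyboxVocabs:HashNameVocab-1.0")
            t.text = "SHA256"
            ET.SubElement(h, _q("cyboxCommon", "Simple_Hash_Value")).text = value
    return ET.tostring(root, encoding="unicode")


def count_indicators(xml_text: str) -> int:
    """Parse the emitted package back and count indicators (a well-formedness check)."""
    root = ET.fromstring(xml_text)
    return len(root.findall("stix:Indicators/stix:Indicator", NS))


if __name__ == "__main__":
    # Offline demo on the constructed bundle; for real use replace SAMPLE_BUNDLE with
    # load_bundle_from_s3("<bucket>", "<key>") and write the result to a file the feed reads.
    print(build_stix11(extract_iocs(SAMPLE_BUNDLE)))
```

Run this on a schedule, write the XML to a location your ESM Cyber Threat Feed can read, and keep the fetch principal limited to s3:GetObject (plus s3:ListBucket if you enumerate keys) on the third party's bucket. Objects that are not indicators and pattern types the regex does not recognise are dropped silently, so compare the IoC count against the bundle on the first runs to see what your feed actually contains.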
