Do you have any documentation on how you imported TAXII feeds, and can you please share the process to create STIX-formatted indicators from SIEM alarms to push to a TAXII feed?
My email is email@example.com.
The documentation is pretty straightforward. I have a feed (site) to an external partner to poll for new indicators\observables. I then have a feed (DB query) defined to allow the SIEM (9.5) to pull the indicators, append to watchlist, backtrace, log event, notify, etc.; all pretty simple. The reverse is a little more tricky. I use alarms to trigger remote commands to a Unix VM. I then collect the event\alarm fields to populate (Perl) cyber observables (CybOX) with the resultant STIX XML being pushed (Python) to the TAXII server. I then have a feed (DB query) for consumption by external partners. All this allows for sharing of indicators in real-time.
Is the feed you are using a commercial one that you need to subscribe to, a free feed or partner feed that allows you to access without payment?
I have been having trouble finding a feed to use in our McAfee ESM.
Have you guys looked at this app at all? I am trying to figure out if it's needed; it would seem to take some of the programming out of what we want to do.
In addition, can you share some screen shot of how you set up the feeds in the ESM to use the Hailataxii data? When I add a feed in the cyber threat manager it only asks for a source.
Have you managed to get Hailataxii working?
I configured it today. The IOC files downloaded are empty.
Also the following messages:
May 27 13:29:04 McAfee libJobServer.so: (29733) Info: Cyber Threat file /usr/local/ace/IOCOutput/rawIOC_2015_05_27_13_29_00_01C1762B42.xml contains no data.
Also looked at the XML file and it is empty.
<taxii_11:Status_Message status_type="NOT_FOUND" in_response_to="1" message_id="50992" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1"><taxii_11:Message>
Feed not found</taxii_11:Message>
Anyone have this working?
We are on 9.5.0 MR2
I have an issue with a proxy related bug in the ESM, so I can't use it, right now. Upgrade to the latest MR pending.
Note: Soltra is the publisher of hailataxii.com? Hailataxii and Libtaxii Demo · STIXProject/schemas Wiki · GitHub
From what I understand, Soltra is a TAXII implementation.
So it would make sense to get a Soltra/TAXII installation on premises.
I was able to get two of the TAXII feeds to work as you stated. The test connectivity works, but the file downloads are empty. I set up both the malwareDomainList and the dshield blocklist.