https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/409912#M95261 <P>I was following this thread here:</P> <P><A href="https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068" target="_blank">https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068</A></P> <P>&nbsp;</P> <P>But nobody responded to my question so I'm starting a new thread hopefully to gain some visibility.&nbsp; We've upped our membership with FS-ISAC which comes with an added annual fee, so being that we are paying for this service we want to get it to work with minemeld so we can have dynamic lists pushed into PA firewalls.</P> <P>&nbsp;</P> <P>If you look at the thread I posted above you can see some configuration guidance, however, a lot of the details are blurred out.&nbsp; I have a quick reference guide from FS-ISAC and it shows 3 URL's for 3 different versions of TAXII.</P> <P>TAXII 1.1&nbsp;</P> <P>&nbsp;- Discovery Service</P> <P>&nbsp;- Collection Service</P> <P>&nbsp;- Poll Serivce</P> <P>TAXII 2.0&nbsp;</P> <P>&nbsp;- Discovery Service</P> <P>&nbsp;- Collection Service</P> <P>&nbsp;- Poll Serivce</P> <P>TAXII 2.1</P> <P>&nbsp;- Discovery Service</P> <P>&nbsp;- Collection Service</P> <P>&nbsp;- Poll Serivce</P> <P>&nbsp;</P> <P>My first question is which URL(s) am I supposed to use?&nbsp; Which version and which one (Discovery, Collection or poll)?</P> <P>Next on the second page they have whats called FS-ISAC STIX/TAXII Collections (as of August 4, 2020).&nbsp; They have TAXII1.0 collection names in plain englisth, like automated-high-gw for example.&nbsp; They also have a column for TAXII2.x Collection ID which looks more like a long GUID identifier than anything legible.&nbsp; Finally the third column is a description.</P> <P>Am I supposed to pick one of these and put its Collection Name and / or ID somewhere?&nbsp; How do you know which one to pick?&nbsp; Something like curated-ragw says "Group packages containing analyst-created cyber threat intelligence with TLP values RED,AMBER,GREEN, and WHITE".&nbsp; Would that be a good one?</P> <P>&nbsp;</P> <P>Whatever I've tried I just get an error timed out in the last run column in minemeld.&nbsp; I even waited a week for FS-ISAC to get our IP addresses in their ip whitelist.&nbsp;&nbsp;</P> <P><BR />Appreciate any help you have.</P> Fri, 28 May 2021 20:42:51 GMT ksauer507 2021-05-28T20:42:51Z https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/409912#M95261 <P>I was following this thread here:</P> <P><A href="https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068" target="_blank">https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068</A></P> <P>&nbsp;</P> <P>But nobody responded to my question so I'm starting a new thread hopefully to gain some visibility.&nbsp; We've upped our membership with FS-ISAC which comes with an added annual fee, so being that we are paying for this service we want to get it to work with minemeld so we can have dynamic lists pushed into PA firewalls.</P> <P>&nbsp;</P> <P>If you look at the thread I posted above you can see some configuration guidance, however, a lot of the details are blurred out.&nbsp; I have a quick reference guide from FS-ISAC and it shows 3 URL's for 3 different versions of TAXII.</P> <P>TAXII 1.1&nbsp;</P> <P>&nbsp;- Discovery Service</P> <P>&nbsp;- Collection Service</P> <P>&nbsp;- Poll Serivce</P> <P>TAXII 2.0&nbsp;</P> <P>&nbsp;- Discovery Service</P> <P>&nbsp;- Collection Service</P> <P>&nbsp;- Poll Serivce</P> <P>TAXII 2.1</P> <P>&nbsp;- Discovery Service</P> <P>&nbsp;- Collection Service</P> <P>&nbsp;- Poll Serivce</P> <P>&nbsp;</P> <P>My first question is which URL(s) am I supposed to use?&nbsp; Which version and which one (Discovery, Collection or poll)?</P> <P>Next on the second page they have whats called FS-ISAC STIX/TAXII Collections (as of August 4, 2020).&nbsp; They have TAXII1.0 collection names in plain englisth, like automated-high-gw for example.&nbsp; They also have a column for TAXII2.x Collection ID which looks more like a long GUID identifier than anything legible.&nbsp; Finally the third column is a description.</P> <P>Am I supposed to pick one of these and put its Collection Name and / or ID somewhere?&nbsp; How do you know which one to pick?&nbsp; Something like curated-ragw says "Group packages containing analyst-created cyber threat intelligence with TLP values RED,AMBER,GREEN, and WHITE".&nbsp; Would that be a good one?</P> <P>&nbsp;</P> <P>Whatever I've tried I just get an error timed out in the last run column in minemeld.&nbsp; I even waited a week for FS-ISAC to get our IP addresses in their ip whitelist.&nbsp;&nbsp;</P> <P><BR />Appreciate any help you have.</P> Fri, 28 May 2021 20:42:51 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/409912#M95261 ksauer507 2021-05-28T20:42:51Z https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/411914#M95262 <P>Wow I must have stumped this forum, or maybe the start of summer everyone is out on vacation or something.</P> Tue, 08 Jun 2021 20:20:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/411914#M95262 ksauer507 2021-06-08T20:20:30Z https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/470919#M103046 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/178800">@ksauer507</a>&nbsp;you should use the URL of TAXII 1.1 discovery service, and use the TAXII 1.1 collection names.</P> Mon, 07 Mar 2022 14:46:39 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-you-setup-fs-isac-stix-taxii-feeds-to-minemeld/m-p/470919#M103046 lmori 2022-03-07T14:46:39Z