topic Re: SWIFT ISAC TAXII Feed in General Topics

SWIFT ISAC TAXII Feed

Sberbank-IT — Fri, 27 Apr 2018 13:15:54 GMT

Hi guys

I’m’ just curious – SWIFT has offered recently for all members TAXII interface to poll IOCs via https://taxii.swift.com/taxii

Feed is not open for everybody – each member must request access to it individually, so it’s not easy to test it. Has anybody already tried it? My simple attempt to use “minemeld.ft.taxii.TaxiiClient” class to build own prototype failed.

After defining username, password, discovery URL, collection - >I can only see the error message in nodes list.

SWIFT suggest to use Cabby Python library

STIX version used is 1.2

Any ideas suggestions, experience?

Cheers

Slava

P.S. MineMeld is a great tool!

Re: SWIFT ISAC TAXII Feed

lmori — Fri, 04 May 2018 08:27:49 GMT

Hi Salva,

I haven't tested the SWIFT feed yet. If you are interested in working on this together, could you send me an email at lmori@paloaltonetworks.com or a message over the pan-community Slack team?

Re: SWIFT ISAC TAXII Feed

iThreatHunt — Wed, 09 May 2018 04:11:38 GMT

Hi Guy,

Any update?

I am interested in pulling data from SWIFT too.

Re: SWIFT ISAC TAXII Feed

Sberbank-IT — Mon, 14 May 2018 12:03:03 GMT

Hi all

I'm playing now with Anomali STAXX Version 3.4 as TAXII client - hope to see this working first. I hope, this is the easy way to start with.

Right now it looks like SWIFT has not defined all required permissions for tools using "Discovery" logic

I have an open case with SWIFT, Case N: 11074471 - if you need the reference. Investigation is in progress.

I will come back to MineMeld as soon as I see STAXX working.

Vyacheslav

Re: SWIFT ISAC TAXII Feed

Sberbank-IT — Tue, 12 Jun 2018 06:56:25 GMT

Hi Guys

Just a quick update from my side – feed still doesn’t work with basic Anomaly STAXX client configuration

SWIFT and Anomaly working with joined efforts to find a solution here.

As soon as I test it on our STAXX instance – we can continue with MineMeld configuration

Cheers

Vyacheslav

Re: SWIFT ISAC TAXII Feed

Sberbank-IT — Wed, 25 Jul 2018 08:12:09 GMT

Hi guys,

Just a quick update from my side. Even though the news is rather frustrating:

Anomali STAXX 3.4 still can’t get the feed.
Minemeld report error: “SWIFT-ISAC does not support TAXII 1.1 messages binding (DATA_FEED)”

It looks like SWIFT accept TAXII v2.0 only and both system struggle to support this protocol.

Does anybody know anything about TAXII v2.0 support in MineMeld?

Have a great, stable day

Slava

Re: SWIFT ISAC TAXII Feed

Sberbank-IT — Wed, 17 Feb 2021 16:24:08 GMT

If it' relevant for anybody - I have jests tested:

- fresh Ubuntu 16 LTSB installation with all security patches

- Minemeld 0.9.70

- Downloaded new TAXII miner, following instructions from https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068 (ver. 0.2a4 is fine)

All works fine as I can see 🙂

Good luck for everybody

Slava

Config of the SWIFT ISAC prototype:

age_out:
default: null
interval: 3600
sudden_death: false
attributes:
confidence: 100
share_level: red
collection: SWIFT-ISAC
discovery_service: https://taxii.swift.com/taxii/discovery
initial_interval: 365d
password: your_pass
username: api_user_your_account
verify_cert: true