topic Re: MS-ISAC Soltra Feed? in General Topics

MS-ISAC Soltra Feed?

kevink — Tue, 09 May 2017 20:56:33 GMT

Through MS-ISAC we are able to consume a Taxii feed (I believe it originates as a Soltra Edge feed). Currently this is going straight into my palo as an EDL.

I would like to bring it in through minemeld so I can add other feeds and take advantage of the other features in MineMeld.

When I look at prototypes for Miners, I don't see any that refer to MS-ISAC. How might I go about adding this as a miner?

Thanks!

Re: MS-ISAC Soltra Feed?

lmori — Tue, 09 May 2017 22:50:13 GMT

Hi @kevink,

MS-ISAC is supported. You have to customize a TAXII Client prototype to access MS-ISAC. Let me find the instructions for you.

Re: MS-ISAC Soltra Feed?

tasano — Wed, 10 May 2017 06:55:08 GMT

Hi @lmori

My customer also would like to take advantage of the FS-ISAC data source. Could you tell me the instructions please?

Re: MS-ISAC Soltra Feed?

tschlottog — Wed, 10 May 2017 18:33:29 GMT

Kevin, I've done this before with MS-ISAC and it can absolutely be done. One thing to note though is that MS-ISAC recently moved from Soltra Edge to utilizing Anomali. They also just recently enabled the TAXII feeds on the Anomali side. I am working on doing discovery and integration now to get that operational. Basically it breaks down into a couple of steps.

1. Clone an existing TAXII prototype (hailataxii is the easiest) and input the necessary components (taxii-discovery-service, feed, etc).

2. Make sure that your initial load looks back at least 7 days if not longer to make sure you get some data. It is important to note that the feed starts the moment you start the node, there isn't anything rearward looking unless you configure it as such.

3. Create the miner/node associated with the prototype and put in your authentication credentials here. You can do it in the prototype as well, but it really isn't necessary.

4. Utilize your miner/node in the feed.

Things to point out are to make sure that you are using the correct discovery service URL and that your credentials are correct. It will take a little time to pull in and parse the data. Be patient, if you have authenticated appropriately you should have little issue. When in doubt utilize the CLI test commands on your VM in order to make sure it's going.

Re: MS-ISAC Soltra Feed?

ENCITAdmins — Wed, 31 Jan 2018 18:55:29 GMT

Luigi,

I am also trying to integrate with MS-ISAC. Can you provide instructions for customizing a TAXII client prototype to access this? Unfortunately I am having issues figuring out how to authenticate via minemeld to the TAXII feed. Please advise,