AlienVault taxii miner versus prebuilt reputation data miner

L3 Networker

AlienVault taxii miner versus prebuilt reputation data miner

AlienVault has the OTX with a taxii feed configuration which looks like it could be handy. However the miner for the alienvault reputation has a link which 404s. Does anyone have any idea if this overlaps?

Also the AlienVault taxii feed would require an API key, I'm not entirely sure how to set up a new miner for taxii which requires an API key.

L7 Applicator

Re: AlienVault taxii miner versus prebuilt reputation data miner

Hi @chirss,

The link for the alienvault reputation works for me.

Do you have more details about the OTX TAXII feed? A config guide?

Thanks,

luigi

L1 Bithead

Re: AlienVault taxii miner versus prebuilt reputation data miner

Hey guys,

Taxii url for otx: https://otx.alienvault.com/taxii/discovery

If you don't enter any API key it will still work - you'll just get the default feeds.

If you'd like to customise the feeds, then you should enter your API key in the username field.

Docs: https://www.alienvault.com/blogs/security-essentials/otx-is-now-a-free-stix-taxii-server

Cheers,

L7 Applicator

Re: AlienVault taxii miner versus prebuilt reputation data miner

I have done a quick test on the public feed:

- select an existing TAXII prototype (anything starting with hailataxii)

- click NEW

- copy & paste the following config in the CONFIG section

age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: false
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
source_name: alienvault.user_AlienVault
initial_interval: 7d

- create a new node with CLONE from the new prototype

Result

There is a bug in the AV TAXII Server, it announces indicators in STIX 1.1 format while the content is using STIX 1.1.1. MineMeld throws an error. I have done a quick test and after removing the check the indicators are successfully extracted.

Do you know someone in AlienVault we can work with to fix this? Otherwise I can just add a flag in the TAXII Miner config to disable the check.
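To make the version-check failure described in this reply concrete, here is an added example (not MineMeld's code and not posted by anyone in the thread) that walks a TAXII 1.1 Poll_Response with the standard library: the Content_Binding announces STIX 1.1 while the STIX_Package inside is marked 1.1.1. With the strict check the response is rejected; with the check relaxed to tolerate a patch-level difference the indicator is extracted. The XML sample is constructed, not real OTX output, and the relaxed rule (same major.minor accepted) is my assumption about what a "disable the check" flag would reasonably do.

```python
import xml.etree.ElementTree as ET

NS = {"taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
      "stix": "http://stix.mitre.org/stix-1",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}

# Constructed sample (not real OTX output): the binding announces STIX 1.1, the package says 1.1.1.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  collection_name="user_AlienVault" message_id="2" in_response_to="1" more="false">
 <taxii_11:Content_Block><taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
     xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.1.1">
    <stix:Indicators><stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-1">
     <indicator:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
       <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator></stix:Indicators>
   </stix:STIX_Package>
  </taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""


class StixVersionMismatch(Exception):
    pass


def extract_indicators(poll_response_xml, strict_version_check=True):
    # strict=True: any mismatch is an error (what MineMeld hit). False: accept 1.1 announced / 1.1.1 delivered.
    root = ET.fromstring(poll_response_xml)
    found = []
    for block in root.findall("taxii_11:Content_Block", NS):
        binding_id = block.find("taxii_11:Content_Binding", NS).get("binding_id")
        announced = binding_id.rsplit(":", 1)[1]                      # "1.1"
        package = block.find("taxii_11:Content/stix:STIX_Package", NS)
        actual = package.get("version")                               # "1.1.1"
        if actual != announced and (strict_version_check or not actual.startswith(announced + ".")):
            raise StixVersionMismatch(f"binding says STIX {announced}, package says {actual}")
        found.extend(v.text.strip() for v in package.iterfind(".//AddressObj:Address_Value", NS))
    return found


def strict_check_rejects(poll_response_xml):
    # True when the strict check refuses the response, which is the error seen in the thread.
    try:
        extract_indicators(poll_response_xml, strict_version_check=True)
    except StixVersionMismatch:
        return True
    return False
```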

L3 Networker

Re: AlienVault taxii miner versus prebuilt reputation data miner

One of the people involved is actually fairly active in responding on the twitters. I'll reply to him and point him to this thread.

L1 Bithead

Re: AlienVault taxii miner versus prebuilt reputation data miner

Thanks @chrisf

Looks like we've fixed this already in our development environment, and a fix should be released next week.

It'd be great to test it first though - if anyone here can e-mail us at otx-support@alienvault.com we can send you the development Taxii feed address to check that everything is working correctly.

Cheers :)

L7 Applicator

Re: AlienVault taxii miner versus prebuilt reputation data miner

Hi @chrisdoman,

could you send me the address at lmori@paloaltonetworks.com? I would be happy to test and adapt MineMeld if needed.

Thanks!

luigi

L3 Networker

Re: AlienVault taxii miner versus prebuilt reputation data miner

Is there benefit to going through the steps for the api key?

L1 Bithead

Re: AlienVault taxii miner versus prebuilt reputation data miner

@chirss Yes if you sign up then you can choose to follow additional users, beyond the default main account. That means you get more indicators.

I haven't checked (I'm away at the moment) but I believe this should work now.

L7 Applicator

Re: AlienVault taxii miner versus prebuilt reputation data miner

Just checked and it works now. For the public feed follow the procedure:

- in the prototype library, click on one of the TAXII prototypes (like hailataxii.guest_Abuse_ch) and press NEW

- copy & paste the following config in the CONFIG part of the prototype. Press OK

age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: true
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
initial_interval: 7d
source_name: alienvault.otx

- CLONE the new prototype into a node and COMMIT

After the COMMIT you can click on the new Miner under NODES to specify the credentials. For the public feed you can use whatever you want.

You can use the same prototype with different collection names to retrieve indicators from the private feeds; you'll need to specify the API key as username in the Miner.
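An added example (not MineMeld's code and not from anyone in the thread) of the TAXII 1.1 Poll_Request a miner built from the prototype above would send: the collection name and the initial_interval value ("7d") are taken from the config, and for a private collection the OTX API key is placed in the HTTP Basic username as described. The password value "x", the message_id, and the fromisoformat timestamp handling are my assumptions; the actual poll URL is whatever the discovery_service endpoint returns.

```python
import base64
from datetime import datetime, timedelta, timezone

# Standard TAXII 1.1 over HTTPS request headers.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

UNITS = {"d": "days", "h": "hours", "m": "minutes"}


def parse_interval(value):
    # Interval strings as written in the prototype config, e.g. "7d" or "12h".
    return timedelta(**{UNITS[value[-1]]: int(value[:-1])})


def build_poll_request(collection, initial_interval, api_key=None, password="x", now_iso=None):
    # Returns (headers, body). The API key goes in the Basic-auth username, as the thread
    # describes for private OTX collections; the password "x" is an assumption (any value).
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    begin = (now - parse_interval(initial_interval)).isoformat()
    headers = dict(TAXII_HEADERS)
    if api_key:
        token = base64.b64encode(f"{api_key}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    body = (
        '<taxii_11:Poll_Request xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"'
        f' message_id="1" collection_name="{collection}">'
        f"<taxii_11:Exclusive_Begin_Timestamp>{begin}</taxii_11:Exclusive_Begin_Timestamp>"
        '<taxii_11:Poll_Parameters allow_asynch="false">'
        "<taxii_11:Response_Type>FULL</taxii_11:Response_Type>"
        "</taxii_11:Poll_Parameters></taxii_11:Poll_Request>"
    )
    return headers, body


if __name__ == "__main__":
    # Public collection from the thread, no key; a private collection would pass api_key=...
    hdrs, req = build_poll_request("user_AlienVault", "7d")
    print(hdrs)
    print(req)
```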
