AlienVault has the OTX with a TAXII feed configuration which looks like it could be handy. However the miner for the AlienVault reputation has a link which 404s. Does anyone have any idea if this overlaps?
Also the AlienVault taxii feed would require an API key, I'm not entirely sure how to set up a new miner for taxii which requires an API key.
the link for the alienvault reputation works for me.
Do you have more details about the OTX TAXII feed? A config guide?
Taxii url for otx: https://otx.alienvault.com/taxii/discovery
If you don't enter any API key it will still work - you'll just get the default feeds.
If you'd like to customise the feeds, then you should enter your API key in the username field.
I have done a quick test on the public feed:
- select an existing TAXII prototype (anything starting with hailataxii)
- click NEW
- copy & paste the following config in the CONFIG section
age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: false
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
source_name: alienvault.user_AlienVault
- create a new node with CLONE from the new prototype
There is a bug in the AV TAXII Server, it announces indicators in STIX 1.1 format while the content is using STIX 1.1.1. MineMeld throws an error. I have done a quick test and after removing the check the indicators are successfully extracted.
Do you know someone in AlienVault we can work with to fix this? Otherwise I can just add a flag in the TAXII Miner config to disable the check.
One of the people involved is actually fairly active in responding on the twitters. I'll reply to him and point him to this thread.
Looks like we've fixed this already in our development environment, and a fix should be released next week.
It'd be great to test it first though - if anyone here can e-mail us at firstname.lastname@example.org we can send you the development Taxii feed address to check that everything is working correctly.
Could you send me the address at email@example.com? I would be happy to test and adapt MineMeld if needed.
@chirss Yes if you sign up then you can choose to follow additional users, beyond the default main account. That means you get more indicators.
I haven't checked (I'm away at the moment) but I believe this should work now
Just checked and it works now. For the public feed follow the procedure:
- in the prototype library, click on one of the TAXII prototypes (like hailataxii.guest_Abuse_ch) and press NEW
- copy & paste the following config in the CONFIG part of the prototype. Press OK
age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: true
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
initial_interval: 7d
source_name: alienvault.otx
- CLONE the new prototype into a node and COMMIT
After the COMMIT you can click on the new Miner under NODES to specify the credentials. For the public feed you can use whatever you want.
You can use the same prototype with different collection names to retrieve indicators from the private feeds; you'll need to specify the API key as the username in the Miner.
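Two points in this thread lend themselves to a small worked example: the STIX version mismatch (the TAXII server announces the 1.1 content binding while the package declares 1.1.1, which a strict check rejects) and the way the OTX API key is passed as the HTTP Basic username for private feeds. The Python below is an added illustration, not MineMeld's or AlienVault's code. The STIX package and the announced binding are constructed sample data, the "lenient" rule (accept when major.minor agree) is my assumption of what a check-disabling flag would reasonably do, and the API key is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

STIX_BINDING_PREFIX = "urn:stix.mitre.org:xml:"
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed sample content block: the TAXII server announces the STIX 1.1
# binding, but the package inside declares version 1.1.1 (the mismatch from the thread).
ANNOUNCED_BINDING = "urn:stix.mitre.org:xml:1.1"
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:Observable-1">
      <cybox:Object id="example:Object-1">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object>
    </cybox:Observable>
    <cybox:Observable id="example:Observable-2">
      <cybox:Object id="example:Object-2">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object>
    </cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>"""


def binding_version(binding):
    """Return the STIX version string carried in a TAXII content binding id."""
    if not binding.startswith(STIX_BINDING_PREFIX):
        raise ValueError("not a STIX content binding: %s" % binding)
    return binding[len(STIX_BINDING_PREFIX):]


def versions_compatible(announced, actual, strict=True):
    """Strict: exact match. Lenient (assumed flag behaviour): same major.minor,
    so an announced 1.1 accepts a declared 1.1.1 but still rejects 1.2."""
    if strict:
        return announced == actual
    return announced.split(".")[:2] == actual.split(".")[:2]


def extract_addresses(package_xml):
    """Pull Address_Value indicators out of a STIX 1.x package."""
    root = ET.fromstring(package_xml)
    return [el.text.strip() for el in root.iterfind(".//AddressObj:Address_Value", NS)]


def process_content_block(binding, package_xml, strict=True):
    """Compare the announced binding with the package's declared version,
    then extract indicators; raises ValueError on an unacceptable mismatch."""
    announced = binding_version(binding)
    declared = ET.fromstring(package_xml).get("version", "")
    if not versions_compatible(announced, declared, strict):
        raise ValueError("STIX version mismatch: binding says %s, package says %s"
                         % (announced, declared))
    return extract_addresses(package_xml)


def basic_auth_header(api_key, password="x"):
    """OTX private feeds: the API key goes in the username slot of HTTP Basic auth;
    the password is arbitrary (the thread says anything works for the public feed)."""
    token = base64.b64encode(("%s:%s" % (api_key, password)).encode()).decode()
    return "Basic " + token


if __name__ == "__main__":
    try:
        process_content_block(ANNOUNCED_BINDING, SAMPLE_PACKAGE, strict=True)
    except ValueError as exc:
        print("strict check:", exc)
    print("lenient check:", process_content_block(ANNOUNCED_BINDING, SAMPLE_PACKAGE, strict=False))
    print(basic_auth_header("YOUR_OTX_API_KEY"))  # placeholder key, not a real one
```

Running it shows the strict path rejecting the block exactly as MineMeld did, and the lenient path extracting both addresses. The point of keeping the check at all, rather than dropping it, is that a binding/version disagreement on anything other than a patch-level difference usually means the feed is not what the miner was configured for, which is worth surfacing in logs rather than silently parsing.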