TAXII feed for SIEM

L4 Transporter

TAXII feed for SIEM

Hi,

I have tried MineMeld with a few miners and output to the inbounfeedhc, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to the SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured ET.compromisedIP and DShield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see current indicators as 1080.

L7 Applicator

Re: TAXII feed for SIEM

Hi Sly_Cooper,

What SIEM are you working with?

Can your SIEM retrieve (pull) indicators from MineMeld via TAXII? Or should MineMeld push indicators to the SIEM using TAXII?

L4 Transporter

Re: TAXII feed for SIEM

@lmori we use McAfee ESM. We already have one threat feed configured for the hailataxii feed (http://hailataxii.com/taxii-discovery-service). The current feed is configured as POST (and Collection Name). I don't see any URL to pull the data the way it is for DBL based output nodes.

L7 Applicator

Re: TAXII feed for SIEM

Hi Sly_Cooper,

Default output nodes do not support TAXII. But you can create new output nodes based on stdlib.taxiiDataFeed and attach them to your aggregators to support TAXII.

Then you can query the MineMeld TAXII Discovery Service at https://<minemeld>/taxii-discovery-service to retrieve the list of currently configured TAXII feeds.

I am working on the documentation for the TAXII output nodes, stay tuned :-)

L4 Transporter

Re: TAXII feed for SIEM

@lmori Thank you.

I have configured a custom aggregator node based on stdlib.aggregatorIPv4Generic and a custom output node based on stdlib.taxiiDataFeed. I am using the DShield block list as miner. The SIEM just says Error and hostname while adding the feed.

I am also suspecting an issue with the self-signed SSL cert.

L7 Applicator

Re: TAXII feed for SIEM

Please, could you post the full error message you get back from the SIEM?

L4 Transporter

Re: TAXII feed for SIEM

Hi @lmori,

The web UI just shows "Error and hostname on next line" when we try "Test Connection". I will see if there is a way to get a raw log from the system.

L7 Applicator

Re: TAXII feed for SIEM

Hi Sly_Cooper,

I don't have access to a McAfee SIEM but this config should work:

Type: TAXII

URL: https://<minemeldip>/taxii-discovery-service

Authentication: None

Method: POST

Ignore Invalid Certificate: Checked (if you have replaced the cert with a valid one you should uncheck this)

Collection Name: <name of the TAXII output node>

L4 Transporter

Re: TAXII feed for SIEM

@lmori

I have configured the required settings. Here is the new error.

ERROR
Error issuing TAXII request, HTTP response code: 400: Missing X-Server header

L7 Applicator

Re: TAXII feed for SIEM

Hi Sly_Cooper,

Thanks for the additional log. I have found the issue, it's an oversight in the nginx config. It will be fixed in the next release.

Meanwhile, as a workaround, you can edit the file /opt/minemeld/local/config/wsgi.yml and add the TAXII_HOST variable. The value should be the IP address of your MineMeld instance. For example, if your MineMeld instance has IP 192.168.55.172:

# this should be commented in production !
DEBUG: true

API_AUTH_ENABLED: true
USERS_DB: wsgi.htpasswd

SUPERVISOR_URL: "unix:///opt/minemeld/local/supervisor/run/minemeld.sock"

TAXII_HOST: 192.168.55.172

After changing the file you should reload MineMeld Web API using the command:

sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf restart minemeld-web

Thanks !

luigi
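As an added example (not code from this thread or from MineMeld itself), the following Python script sends the same TAXII 1.1 Discovery_Request POST that the SIEM's "Test Connection" sends to https://<minemeldip>/taxii-discovery-service, so the TAXII_HOST workaround above can be checked from a shell before the SIEM feed is reconfigured. The hostname minemeld.example and SAMPLE_RESPONSE are constructed, not captured from a real instance; verify_tls=False plays the role of the SIEM's "Ignore Invalid Certificate" option for a self-signed MineMeld certificate.

```python
import ssl, uuid, urllib.error, urllib.request
import xml.etree.ElementTree as ET

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"  # TAXII 1.1 XML message binding
HEADERS = {  # headers a TAXII 1.1 client sends with its POST
    "Content-Type": "application/xml",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

def build_discovery_request(message_id=None):
    """Body of the POST a TAXII client sends to /taxii-discovery-service."""
    mid = message_id or str(uuid.uuid4().int)
    return f'<taxii_11:Discovery_Request xmlns:taxii_11="{NS}" message_id="{mid}"/>'

def parse_discovery_response(xml_text):
    """Return [(service_type, address, available)]; raise if the server sent a Status_Message."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS}}}Status_Message":
        msg = root.findtext(f"{{{NS}}}Message", default="")
        raise RuntimeError(f"TAXII status {root.get('status_type')}: {msg}")
    return [(si.get("service_type"), si.findtext(f"{{{NS}}}Address"), si.get("available") == "true")
            for si in root.iter(f"{{{NS}}}Service_Instance")]

def discover(url, verify_tls=True, timeout=15):
    """POST a Discovery_Request; verify_tls=False mirrors the SIEM's 'Ignore Invalid Certificate'."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed MineMeld cert: accept it for this test only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=build_discovery_request().encode(),
                                 headers=HEADERS, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return parse_discovery_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        # "HTTP 400: Missing X-Server header" here means the wsgi.yml TAXII_HOST workaround is still needed
        raise RuntimeError(f"HTTP {err.code}: {err.read().decode(errors='replace')}") from err

# Constructed sample response (not captured from a real MineMeld instance) for an offline check.
SAMPLE_RESPONSE = f"""<taxii_11:Discovery_Response xmlns:taxii_11="{NS}" message_id="2" in_response_to="1">
 <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
  <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
  <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
  <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
 </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""
```

Against a live instance, call discover("https://<minemeldip>/taxii-discovery-service", verify_tls=False) and expect a list of service tuples; a RuntimeError carrying the 400 text reproduces the SIEM's error without the SIEM in the loop.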
