TAXII feed for SIEM

L2 Linker

Re: TAXII feed for SIEM

I'm trying to ingest a TAXII feed from MineMeld into STAXX. After following the guidance found in multiple posts across the community, I'm still unable to get the feed to work. I've tried various tags (anonymous, any, custom) and I've tried both a "feed" user and an admin user for authentication purposes in STAXX. The errors I keep receiving are below:

[2017-08-28 07:52:33,742] [ERROR] STAXX: Failed to get_feeds for site https://[REMOVED].paloaltonetworks-app.com/taxii-discovery-service, response: None
[2017-08-28 07:52:33,742] [ERROR] HTTP/1.1 500 INTERNAL SERVER ERROR
Traceback (most recent call last):
  File "taxii_stix.py", line 789, in get_feeds
  File "taxii_stix.py", line 708, in get_version_url
  File "taxii_stix.py", line 745, in discover_version
  File "taxii_stix.py", line 733, in discovery_generic
  File "taxii_stix.py", line 509, in make_request
Exception: HTTP/1.1 500 INTERNAL SERVER ERROR
[2017-08-28 07:52:33,742] [ERROR] Discovery failed.
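As an added example (not code from STAXX, MineMeld or this thread), a minimal TAXII 1.1 discovery probe in Python that posts a Discovery_Request with the standard TAXII HTTP headers and returns the HTTP status and body that the STAXX log above only reports as `None`. The URL, credentials and the sample Discovery_Response are constructed placeholders; it assumes the feed speaks TAXII 1.1 XML over HTTPS with Basic auth.

```python
import base64
import urllib.error
import urllib.request
import uuid
import xml.etree.ElementTree as ET
TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
# HTTP headers a TAXII 1.1 XML client sends with every message.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

def build_discovery_request(message_id=None):
    """A Discovery_Request is an empty element carrying only a message_id."""
    mid = message_id or str(uuid.uuid4().int)[:12]
    return f'<Discovery_Request xmlns="{TAXII_NS}" message_id="{mid}"/>'.encode()

def parse_discovery_response(body):
    """Return (service_type, address, available) for each advertised Service_Instance."""
    root = ET.fromstring(body)
    if root.tag != f"{{{TAXII_NS}}}Discovery_Response":
        raise ValueError(f"unexpected TAXII message: {root.tag}")
    return [(inst.get("service_type"), inst.findtext(f"{{{TAXII_NS}}}Address"),
             inst.get("available") == "true")
            for inst in root.findall(f"{{{TAXII_NS}}}Service_Instance")]

def probe(url, username=None, password=None):
    """POST a Discovery_Request; on 401/500 return the status and body the SIEM log hides."""
    headers = dict(TAXII_HEADERS)
    if username is not None:  # HTTP Basic auth, as a MineMeld feed user would use
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    req = urllib.request.Request(url, data=build_discovery_request(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return {"status": resp.status, "services": parse_discovery_response(resp.read())}
    except urllib.error.HTTPError as err:
        return {"status": err.code, "body": err.read().decode(errors="replace")[:500]}

# Constructed sample Discovery_Response (placeholder host) to exercise the parser offline.
SAMPLE_RESPONSE = f"""<Discovery_Response xmlns="{TAXII_NS}" message_id="1" in_response_to="12345">
  <Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</Protocol_Binding>
    <Address>https://minemeld.example.invalid/taxii-poll-service</Address>
  </Service_Instance>
</Discovery_Response>"""
```

Run `probe("https://<your-minemeld-host>/taxii-discovery-service", "feed", "<password>")` against your own feed: a 401 with its body points at the credentials or tag configuration, while a 500 body shows the server-side error that the client log drops.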

L7 Applicator

Re: TAXII feed for SIEM

Hi @jhopple,

Could you send me the minemeld-web.log here or to minemeld@paloaltonetworks.com?
Thanks,

luigi

L0 Member

Re: TAXII feed for SIEM

@jhopple did you manage to work out a solution for using STAXX to access MineMeld via a TAXII feed? I'm trying to do this too and get the same error as you.

L2 Linker

Re: TAXII feed for SIEM

Not yet. Since the last STAXX update, I'm no longer getting the internal server error. However, I am now getting an HTTP/1.1 401 UNAUTHORIZED error. To recap, the same feed URL and credentials work fine from other TAXII clients/servers.

L2 Linker

Re: TAXII feed for SIEM

@lmori

Sorry for the delayed response, I keep forgetting to check the forum while working on this. I'm currently using the hosted version of MineMeld (AutoFocus app). How do I pull these specific logs? I attempted to access the log dashboard and search for "minemeld-web.log", but it did not return any results.

L2 Linker

Re: TAXII feed for SIEM

@vedd3r I noticed in another thread that you're using MineMeld and STAXX. Have you by chance had any luck ingesting a MineMeld TAXII feed into STAXX?

L2 Linker

Re: TAXII feed for SIEM

@jhopple

I've used STAXX just to confirm whether the PhishTank feed was actually sending in data. I will give it a try on my test system and get back to you soon.

L7 Applicator

Re: TAXII feed for SIEM

Hi @vedd3r, @jhopple,

I think I have found the issue, and it could be a lag in the clocks. @soc_enav suggested an improvement in the TAXII Miner logic; we are currently testing it, and if it works as expected I will include it in a hotfix for MineMeld.

I am sorry it took so long, but it's not super easy to reproduce the problem.

L2 Linker

Re: TAXII feed for SIEM

@lmori

I can understand the issue with reproducing it, since it seems to be heavily tied to STAXX. Is there an unofficial guesstimate on when a hotfix will be pushed? Any possible unofficial/unsupported workarounds in the meantime?

L7 Applicator

Re: TAXII feed for SIEM

Hi @jhopple,

It will be released by the end of next week. In the meantime, if you are in a hurry, you could test the new TAXII Miner external extension: https://github.com/PaloAltoNetworks/minemeld-taxii-ng
It can be installed as any external extension:

- System > External Extensions

- Press the git button

- Paste the URL https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git

- Select the latest release (0.1b4 at the time of writing) and click install

- Click on the activate button

- After the extension has been activated you will find a new PhishTank prototype (taxiing.phishtank) in the prototype list; just clone it into a new node
Thanks,

luigi
