05-17-2017 08:21 AM
AlienVault has the OTX with a TAXII feed configuration which looks like it could be handy. However the miner for the AlienVault reputation has a link which 404s. Does anyone have any idea if this overlaps?
Also the AlienVault taxii feed would require an API key, I'm not entirely sure how to set up a new miner for taxii which requires an API key.
05-17-2017 11:29 PM
Hi @chirss,
the link for the alienvault reputation works for me.
Do you have more details about the OTX TAXII feed? A config guide?
Thanks,
luigi
05-18-2017 04:23 AM
Hey guys,
Taxii url for otx: https://otx.alienvault.com/taxii/discovery
If you don't enter any API key it will still work - you'll just get the default feeds.
If you'd like to customise the feeds, then you should enter your API key in the username field.
Docs: https://www.alienvault.com/blogs/security-essentials/otx-is-now-a-free-stix-taxii-server
Cheers,
05-19-2017 05:15 AM
I have done a quick test on the public feed:
- select an existing TAXII prototype (anything starting with hailataxii)
- click NEW
- copy & paste the following config in the CONFIG section
age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: false
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
source_name: alienvault.user_AlienVault
initial_interval: 7d
- create a new node with CLONE from the new prototype
Result
There is a bug in the AV TAXII Server, it announces indicators in STIX 1.1 format while the content is using STIX 1.1.1. MineMeld throws an error. I have done a quick test and after removing the check the indicators are successfully extracted.
Do you know someone in AlienVault we can work with to fix this? Otherwise I can just add a flag in the TAXII Miner config to disable the check.
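As an added example (not MineMeld's own code, and not posted by anyone in this thread) of the check described above: compare the STIX version announced by the TAXII content binding with the version attribute inside the delivered STIX_Package, with an opt-out flag of the kind proposed for the miner config. The function names, the constructed sample package and the "same 1.1.x series" tolerance rule are assumptions.

```python
# Added example, not MineMeld code: reproduce the STIX version check that
# tripped on the OTX TAXII feed (binding says 1.1, package says 1.1.1) and
# a strict flag to relax it. Names and the sample package are hypothetical.
import xml.etree.ElementTree as ET

STIX_BINDING_PREFIX = "urn:stix.mitre.org:xml:"
STIX_NS = "http://stix.mitre.org/stix-1"

# Constructed sample of the mismatch described in the thread: the TAXII
# content binding announces STIX 1.1, the STIX_Package carries version 1.1.1.
ANNOUNCED_BINDING = "urn:stix.mitre.org:xml:1.1"
SAMPLE_CONTENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    id="example:package-1" version="1.1.1">
  <stix:Indicators>
    <indicator:Indicator id="example:indicator-1"/>
  </stix:Indicators>
</stix:STIX_Package>
"""

def announced_version(binding_id):
    """Version string carried by the TAXII content binding, or None."""
    if not binding_id.startswith(STIX_BINDING_PREFIX):
        return None
    return binding_id[len(STIX_BINDING_PREFIX):]

def package_version(content):
    """Version attribute of the STIX_Package root element, or None."""
    root = ET.fromstring(content)
    if root.tag != "{%s}STIX_Package" % STIX_NS:
        return None
    return root.get("version")

def check_stix_version(binding_id, content, strict=True):
    """Return (announced, actual, accepted)."""
    # strict=True rejects any mismatch; strict=False is the opt-out flag
    # idea from the thread: accept when both sit in the same 1.x series.
    announced = announced_version(binding_id)
    actual = package_version(content)
    if announced is None or actual is None:
        return announced, actual, False
    if announced == actual:
        return announced, actual, True
    if not strict:
        same_series = announced.split(".")[:2] == actual.split(".")[:2]
        return announced, actual, same_series
    return announced, actual, False
```

With the sample, the strict check rejects the block exactly as the miner did, while the relaxed check lets the 1.1 vs 1.1.1 package through so its indicators can still be extracted.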
05-19-2017 07:25 AM
One of the people involved is actually fairly active in responding on the twitters. I'll reply to him and point him to this thread.
05-19-2017 07:56 AM
Thanks @chrisf
Looks like we've fixed this already in our development environment, and a fix should be released next week.
It'd be great to test it first though - if anyone here can e-mail us at otx-support@alienvault.com we can send you the development Taxii feed address to check that everything is working correctly.
Cheers 🙂
05-19-2017 08:01 AM
Hi @chrisdoman,
could you send me the address at lmori@paloaltonetworks.com ? I would be happy to test and adapt MineMeld if needed.
Thanks!
luigi
05-19-2017 11:19 AM
Is there benefit to going through the steps for the api key?
05-23-2017 03:20 PM
@chirss Yes if you sign up then you can choose to follow additional users, beyond the default main account. That means you get more indicators.
I haven't checked (I'm away at the moment) but I believe this should work now
05-26-2017 02:17 AM
Just checked and it works now. For the public feed follow the procedure:
- in the prototype library, click on one of the TAXII prototypes (like hailataxii.guest_Abuse_ch) and press NEW
- copy & paste the following config in the CONFIG part of the prototype. Press OK
age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: true
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
initial_interval: 7d
source_name: alienvault.otx
- CLONE the new prototype into a node and COMMIT
After the COMMIT you can click on the new Miner under NODES to specify the credentials. For the public feed you can use whatever you want.
You can use the same prototype with different collection names to retrieve indicators from the private feeds; you'll need to specify the API key as the username in the Miner.
06-19-2017 10:38 AM
Thanks this seems to work. I have it pulling some data. Not any feeds I subscribe to though.
09-08-2017 08:27 AM
How could I go about changing this to mine sha256 indicators out of otx?
10-02-2017 10:54 AM
Thanks. I'm able to clone a miner and set it to sha256 (or sha1) and it pulls 315 indicators. What I'm trying to figure out is how it relates to subscriptions in otx, if anyone knows.
Thanks for confirming, I was able to at least pull data once I made a miner for them (noticed I wasn't looking for hashes in the miner itself)
10-04-2017 03:49 PM
Good question, I hope @chrisdoman could help here