AlienVault taxii miner versus prebuilt reputation data miner


L3 Networker

AlienVault has the OTX with a TAXII feed configuration which looks like it could be handy. However, the miner for the AlienVault reputation has a link which 404s. Does anyone have any idea if this overlaps?

Also, the AlienVault TAXII feed would require an API key; I'm not entirely sure how to set up a new miner for TAXII which requires an API key.


L7 Applicator

Hi @chirss,

The link for the AlienVault reputation works for me.

Do you have more details about the OTX TAXII feed? A config guide?

Thanks,

luigi

Hey guys,

TAXII URL for OTX: https://otx.alienvault.com/taxii/discovery

If you don't enter any API key it will still work; you'll just get the default feeds.

If you'd like to customise the feeds, then you should enter your API key in the username field.

Docs: https://www.alienvault.com/blogs/security-essentials/otx-is-now-a-free-stix-taxii-server

Cheers,

I have done a quick test on the public feed:

- select an existing TAXII prototype (anything starting with hailataxii)

- click NEW

- copy & paste the following config in the CONFIG section

age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: false
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
source_name: alienvault.user_AlienVault
initial_interval: 7d

- create a new node with CLONE from the new prototype

Result

There is a bug in the AV TAXII server: it announces indicators in STIX 1.1 format while the content is using STIX 1.1.1. MineMeld throws an error. I have done a quick test and after removing the check the indicators are successfully extracted.

Do you know someone in AlienVault we can work with to fix this? Otherwise I can just add a flag in the TAXII Miner config to disable the check.
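The version-mismatch check described in this post, and the later question about pulling sha256 indicators out of the OTX collection, can both be seen in a small parser. The following is an added example and not MineMeld's, Palo Alto's or AlienVault's code: it reads a TAXII 1.1 Poll_Response, compares the STIX version promised by the Content_Binding id with the `version` attribute on the STIX_Package inside it, and then extracts file hashes and IP addresses from the STIX 1.x content. The namespace URIs are the standard TAXII 1.1 and STIX/CybOX 1.x ones; the sample message is constructed to reproduce the bug shape (binding says 1.1, content says 1.1.1), and the `strict` flag is an assumed stand-in for the "disable the check" option mentioned above, not an existing MineMeld setting.

```python
# Added example (not MineMeld's or AlienVault's code): parse a TAXII 1.1
# Poll_Response, compare the STIX version announced by the Content_Binding
# with the version attribute inside the STIX_Package, and pull hash / IP
# indicators out of STIX 1.x content. The sample message is constructed.
import xml.etree.ElementTree as ET

NS = {
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# TAXII content binding ids and the STIX version each one promises.
BINDING_TO_STIX = {
    "urn:stix.mitre.org:xml:1.1": "1.1",
    "urn:stix.mitre.org:xml:1.1.1": "1.1.1",
}

# Hex length of each accepted hash type; anything else is dropped as malformed.
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


class StixVersionMismatch(Exception):
    """Content_Binding announces a different STIX version than the content carries."""


def check_content_binding(block, strict=True):
    """Return (announced, actual) STIX versions for one Content_Block.

    strict=True raises on a mismatch; strict=False only reports it, which is
    the assumed semantics of a "disable the check" flag (not MineMeld's own)."""
    binding_id = block.find("taxii_11:Content_Binding", NS).get("binding_id")
    package = block.find("taxii_11:Content/stix:STIX_Package", NS)
    announced = BINDING_TO_STIX.get(binding_id, binding_id)
    actual = package.get("version")
    if strict and announced != actual:
        raise StixVersionMismatch(f"binding says STIX {announced}, content is STIX {actual}")
    return announced, actual


def extract_indicators(poll_response_xml, strict=True):
    """Return [(indicator_id, type, value)] for hash and address observables."""
    root = ET.fromstring(poll_response_xml)
    found = []
    for block in root.findall("taxii_11:Content_Block", NS):
        check_content_binding(block, strict=strict)
        package = block.find("taxii_11:Content/stix:STIX_Package", NS)
        for ind in package.iterfind(".//stix:Indicator", NS):
            ind_id = ind.get("id")
            for h in ind.iterfind(".//cyboxCommon:Hash", NS):
                htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS).lower()
                value = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS).strip().lower()
                # Keep only well-formed hex of the length the hash type implies.
                if len(value) == HASH_HEX_LEN.get(htype) and all(c in "0123456789abcdef" for c in value):
                    found.append((ind_id, htype, value))
            for props in ind.iterfind(".//cybox:Properties", NS):
                for a in props.iterfind("AddressObj:Address_Value", NS):
                    found.append((ind_id, props.get("category", "address"), (a.text or "").strip()))
    return found


# Constructed sample: binding announces STIX 1.1, the package says 1.1.1.
# xsi:type attributes are omitted to keep the sample short.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  message_id="1" in_response_to="0" collection_name="user_AlienVault" more="false">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
     xmlns:indicator="http://stix.mitre.org/Indicator-2"
     xmlns:cybox="http://cybox.mitre.org/cybox-2"
     xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
     xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
     xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
     id="example:Package-1" version="1.1.1">
    <stix:Indicators>
     <stix:Indicator id="example:indicator-1"><indicator:Observable><cybox:Object><cybox:Properties>
      <FileObj:Hashes>
       <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
       <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>not-a-real-hash</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
      </FileObj:Hashes>
     </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
     <stix:Indicator id="example:indicator-2"><indicator:Observable><cybox:Object>
      <cybox:Properties category="ipv4-addr"><AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value></cybox:Properties>
     </cybox:Object></indicator:Observable></stix:Indicator>
    </stix:Indicators>
   </stix:STIX_Package>
  </taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""


if __name__ == "__main__":
    try:
        extract_indicators(SAMPLE_POLL_RESPONSE)
    except StixVersionMismatch as e:
        print("strict mode:", e)
    for ind_id, kind, value in extract_indicators(SAMPLE_POLL_RESPONSE, strict=False):
        print(ind_id, kind, value)
```

Run as-is, the strict pass refuses the block because the announced binding (1.1) and the package version (1.1.1) disagree; the relaxed pass yields the sha256 and the IPv4 address and silently drops the malformed SHA1 value. If you relax the check in production, keep logging the mismatch so a feed that quietly changes format is still visible.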

One of the people involved is actually fairly active in responding on the twitters. I'll reply to him and point him to this thread.

Thanks @chrisf

Looks like we've fixed this already in our development environment, and a fix should be released next week.

It'd be great to test it first though; if anyone here can e-mail us at otx-support@alienvault.com we can send you the development TAXII feed address to check that everything is working correctly.

Cheers 🙂

Hi @chrisdoman,

Could you send me the address at lmori@paloaltonetworks.com? I would be happy to test and adapt MineMeld if needed.

Thanks!

luigi

Is there benefit to going through the steps for the api key?

@chirss Yes, if you sign up then you can choose to follow additional users, beyond the default main account. That means you get more indicators.

I haven't checked (I'm away at the moment) but I believe this should work now.

Just checked and it works now. For the public feed follow the procedure:

- in the prototype library, click on one of the TAXII prototypes (like hailataxii.guest_Abuse_ch) and press NEW

- copy & paste the following config in the CONFIG part of the prototype. Press OK

age_out:
    default: 30d
    sudden_death: false
attributes:
    confidence: 30
    share_level: green
client_credentials_required: true
collection: user_AlienVault
discovery_service: https://otx.alienvault.com/taxii/discovery
initial_interval: 7d
source_name: alienvault.otx

- CLONE the new prototype into a node and COMMIT

After the COMMIT you can click on the new Miner under NODES to specify the credentials. For the public feed you can use whatever you want.

You can use the same prototype with different collection names to retrieve indicators from the private feeds; you'll need to specify the API key as the username in the Miner.

 

Thanks this seems to work. I have it pulling some data. Not any feeds I subscribe to though.

How could I go about changing this to mine sha256 indicators out of otx?

Hi @chirss,

Just tested this and it works for me:

[screenshot: Screen Shot 2017-09-15 at 12.42.59.png]

Thanks. I'm able to clone a miner and set it to sha256 (or sha1) and it pulls 315 indicators. What I'm trying to figure out is how it relates to subscriptions in OTX, if anyone knows.

Thanks for confirming, I was able to at least pull data once I made a miner for them (noticed I wasn't looking for hashes in the miner itself).

Good question, I hope @chrisdoman could help here.
