07-12-2018 11:27 AM
Hello,
First, I am not a programmer, so please keep that in mind 😉 I would like to create a miner for the Anomali Limo TAXII feed. The Anomali documentation is not very good:
You can also get the benefits of Limo without STAXX. Simply:
This doesn't really explain much. If I go to: https://limo.anomali.com/taxii and authenticate, I get this back:
Thus, I am really not sure how I would use any of this information. I was expecting to see data with headers and such. Not only do I not get those, I don't see the feed names themselves as suggested in the Anomali documentation. Thus, I am really not sure how to proceed from here.
Any help would be greatly appreciated!
Jon
07-12-2018 11:16 PM
You just have to create a new TaxiiClient class-based prototype and clone it into your engine as a working node.
To create a new TaxiiClient prototype you can use any other TaxiiClient prototype as the base. For example, you can use any from the "hailataxii" series.
Change the "discovery_service" and "collection" class configuration parameters to fit your need. In your case:
(the list was captured today with the cabby command "taxii-collections --path https://limo.anomali.com/api/v1/taxii/collection_management/ --username guest --password guest")
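For concreteness, this is what such a prototype could look like as an entry in the MineMeld local prototype library. It is an added example, not code from this thread or from the MineMeld project: the class name and the config keys are the ones that appear in the thread and the prototype name is the one Jon's node later reports, while the metadata fields and the age_out/attributes values are assumptions modelled on the hailataxii prototypes the reply suggests as a base.

```yaml
# Added example: a MineMeld local prototype for the Anomali Limo feed.
# Class and config keys match the ones shown in this thread; metadata and the
# age_out/attributes values are assumptions in the style of the hailataxii prototypes.
prototypes:
  anomali_limo_feed:
    author: local library              # assumption
    development_status: EXPERIMENTAL   # assumption
    node_type: miner
    indicator_types:                   # assumption: the thread does not state the types
      - IPv4
      - domain
      - URL
    tags:
      - ConfidenceLow                  # assumption
    description: >
      Polls the Anomali Limo TAXII collection Anomali_Weekly_Threat_Briefing_S1
      with the public guest/guest credentials.
    class: minemeld.ft.taxii.TaxiiClient
    config:
      discovery_service: https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/
      collection: Anomali_Weekly_Threat_Briefing_S1
      username: guest
      password: guest
      source_name: limo.anomali.com
      age_out:
        default: null                  # assumption: indicators only age out on sudden_death
        sudden_death: true
        interval: 257
      attributes:
        confidence: 50                 # assumption
        share_level: green             # assumption
```

Cloning this prototype into the engine is what produces the working node; as the rest of the thread shows, a node configured this way still polls successfully but reports 0 indicators while the Limo poll endpoint answers with HTTP 400.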
07-13-2018 06:55 AM
Thanks for the great reply! Is it possible to have more than one collection in a miner?
07-13-2018 07:52 AM
I was able to get the "cabby" docker image working and I replicated your findings. Thanks for pointing this out to me! My only other question is, can I have more than one collection in a data miner?
Thanks!
Jon
07-13-2018 08:09 AM
Another thing that I am noticing is that I am not pulling any indicators. Here is the config for the poller:
age_out | |
attributes | |
collection | Anomali_Weekly_Threat_Briefing_S1 |
discovery_service | https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/ |
password | guest |
source_name | limo.anomali.com |
username | guest |
If I then go to the Nodes view and look at the node, it shows it successfully polling, but no indicators. I must have done something wrong.
CLASS | minemeld.ft.taxii.TaxiiClient |
PROTOTYPE | minemeldlocal.anomali_limo_feed |
STATE | STARTED |
USERNAME | guest |
PASSWORD | |
SERVER CA | Not set |
LAST RUN | 2018-07-13 10:03:29 -0500 SUCCESS |
# INDICATORS | 0 |
OUTPUT | ENABLED |
INPUTS | none |
07-23-2018 02:09 AM
Hi @Jon-Irish,
Yes, you're right. Something is wrong, but not on your end (nor on mine): on Anomali's.
Using Cabby (instead of MineMeld) to poll the indicators also raises an exception.
<ord guest --discovery https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/ --collection Anomali_Weekly_Threat_Briefing_S1
2018-07-23 09:07:25,668 INFO: Polling using data binding: ALL
2018-07-23 09:07:25,672 INFO: Sending Discovery_Request to https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/
2018-07-23 09:07:26,569 INFO: 4 services discovered
2018-07-23 09:07:26,571 INFO: Sending Poll_Request to https://limo.anomali.com/api/v1/taxii/poll/
2018-07-23 09:07:27,432 ERROR: HTTP Error: status code 400
I'll try later on to troubleshoot what's wrong in their API.
07-23-2018 04:54 AM
Thanks for the update @xhoms... It is good to know that it isn't something that I did wrong.