05-28-2021 01:42 PM
I was following this thread here:
https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068
But nobody responded to my question so I'm starting a new thread hopefully to gain some visibility. We've upped our membership with FS-ISAC which comes with an added annual fee, so being that we are paying for this service we want to get it to work with minemeld so we can have dynamic lists pushed into PA firewalls.
If you look at the thread I posted above you can see some configuration guidance, however, a lot of the details are blurred out. I have a quick reference guide from FS-ISAC and it shows 3 URLs for 3 different versions of TAXII.
TAXII 1.1
- Discovery Service
- Collection Service
- Poll Service
TAXII 2.0
- Discovery Service
- Collection Service
- Poll Service
TAXII 2.1
- Discovery Service
- Collection Service
- Poll Service
My first question is which URL(s) am I supposed to use? Which version and which one (Discovery, Collection or poll)?
Next, on the second page they have what's called FS-ISAC STIX/TAXII Collections (as of August 4, 2020). They have TAXII1.0 collection names in plain English, like automated-high-gw for example. They also have a column for TAXII2.x Collection ID which looks more like a long GUID identifier than anything legible. Finally, the third column is a description.
Am I supposed to pick one of these and put its Collection Name and / or ID somewhere? How do you know which one to pick? Something like curated-ragw says "Group packages containing analyst-created cyber threat intelligence with TLP values RED,AMBER,GREEN, and WHITE". Would that be a good one?
Whatever I've tried I just get an error timed out in the last run column in minemeld. I even waited a week for FS-ISAC to get our IP addresses in their ip whitelist.
Appreciate any help you have.
03-07-2022 06:46 AM
@ksauer507 you should use the URL of TAXII 1.1 discovery service, and use the TAXII 1.1 collection names.
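Background to the reply above, as an added example that is not part of the thread: in TAXII 1.1 a client POSTs a Discovery_Request to the discovery URL, and the Discovery_Response lists the addresses of the collection management and poll services, which is why the discovery URL plus a collection name is the usual pairing. The host `taxii.example.test` and the sample response are constructed for illustration; the namespace and header values are the standard TAXII 1.1 ones.

```python
import xml.etree.ElementTree as ET

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
# HTTP headers a TAXII 1.1 client sends with each POST to a service URL.
TAXII11_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
}

def build_discovery_request(message_id):
    """Body of the POST sent to the discovery service URL."""
    root = ET.Element("{%s}Discovery_Request" % NS, {"message_id": message_id})
    return ET.tostring(root)

def services_from_response(xml_bytes):
    """Map service_type -> list of addresses for services marked available."""
    # For responses read off the network, parse with defusedxml instead.
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Discovery_Response" % NS:
        # e.g. a Status_Message returned when credentials are rejected
        raise ValueError("not a TAXII 1.1 Discovery_Response: %s" % root.tag)
    services = {}
    for inst in root.findall("{%s}Service_Instance" % NS):
        addr = inst.findtext("{%s}Address" % NS)
        if inst.get("available") == "true" and addr:
            services.setdefault(inst.get("service_type"), []).append(addr.strip())
    return services

# Constructed sample response (not FS-ISAC data).
SAMPLE_RESPONSE = b"""<t:Discovery_Response xmlns:t="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="resp-1" in_response_to="req-1">
  <t:Service_Instance service_type="COLLECTION_MANAGEMENT" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <t:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</t:Protocol_Binding>
    <t:Address>https://taxii.example.test/taxii-collections</t:Address>
    <t:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</t:Message_Binding>
  </t:Service_Instance>
  <t:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <t:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</t:Protocol_Binding>
    <t:Address>https://taxii.example.test/taxii-poll</t:Address>
    <t:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</t:Message_Binding>
  </t:Service_Instance>
  <t:Service_Instance service_type="INBOX" service_version="urn:taxii.mitre.org:services:1.1" available="false">
    <t:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</t:Protocol_Binding>
    <t:Address>https://taxii.example.test/taxii-inbox</t:Address>
    <t:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</t:Message_Binding>
  </t:Service_Instance>
</t:Discovery_Response>"""
```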