How do you setup FS-ISAC STIX/TAXII feeds to minemeld?

L3 Networker

I was following this thread here:

https://live.paloaltonetworks.com/t5/minemeld-discussions/fs-isac-new-stix-taxii-feeds/td-p/334068

 

But nobody responded to my question so I'm starting a new thread hopefully to gain some visibility.  We've upped our membership with FS-ISAC which comes with an added annual fee, so being that we are paying for this service we want to get it to work with minemeld so we can have dynamic lists pushed into PA firewalls.

 

If you look at the thread I posted above you can see some configuration guidance, however, a lot of the details are blurred out.  I have a quick reference guide from FS-ISAC and it shows 3 URLs for 3 different versions of TAXII.

TAXII 1.1
 - Discovery Service
 - Collection Service
 - Poll Service

TAXII 2.0
 - Discovery Service
 - Collection Service
 - Poll Service

TAXII 2.1
 - Discovery Service
 - Collection Service
 - Poll Service

 

My first question is which URL(s) am I supposed to use?  Which version and which one (Discovery, Collection or poll)?

Next, on the second page they have what's called FS-ISAC STIX/TAXII Collections (as of August 4, 2020).  They have TAXII 1.0 collection names in plain English, like automated-high-gw for example.  They also have a column for TAXII 2.x Collection ID which looks more like a long GUID identifier than anything legible.  Finally, the third column is a description.

Am I supposed to pick one of these and put its Collection Name and/or ID somewhere?  How do you know which one to pick?  Something like curated-ragw says "Group packages containing analyst-created cyber threat intelligence with TLP values RED, AMBER, GREEN, and WHITE".  Would that be a good one?

 

Whatever I've tried, I just get a "timed out" error in the last run column in MineMeld.  I even waited a week for FS-ISAC to get our IP addresses in their IP whitelist.

Appreciate any help you have.

2 REPLIES

L3 Networker

Wow I must have stumped this forum, or maybe the start of summer everyone is out on vacation or something.

L1 Bithead

@ksauer507 you should use the URL of TAXII 1.1 discovery service, and use the TAXII 1.1 collection names.
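
Before treating the "timed out" run as a MineMeld problem, it helps to confirm that the TAXII 1.1 discovery URL answers and advertises 1.1 COLLECTION_MANAGEMENT and POLL services, since those are the endpoints the collection names are used against. The script below is an added example, not code from this thread, FS-ISAC or MineMeld: it builds a TAXII 1.1 Discovery_Request and filters a constructed Discovery_Response (placeholder host `taxii.example.invalid`) down to the 1.1 services a client can actually use.

```python
# Added example (not from the thread or MineMeld): build a TAXII 1.1
# Discovery_Request and keep only the 1.1 services from a Discovery_Response.
# SAMPLE_RESPONSE is constructed with a placeholder host so this runs offline.
import xml.etree.ElementTree as ET

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
SERVICES_11 = "urn:taxii.mitre.org:services:1.1"

def build_discovery_request(message_id="1"):
    """Serialize the Discovery_Request body a TAXII 1.1 client POSTs."""
    ET.register_namespace("taxii_11", NS)
    req = ET.Element(f"{{{NS}}}Discovery_Request", message_id=message_id)
    return ET.tostring(req, encoding="unicode")

def parse_discovery_response(xml_text):
    """Map service_type -> Address for available TAXII 1.1 services only."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}Discovery_Response":
        raise ValueError(f"not a TAXII 1.1 Discovery_Response: {root.tag}")
    services = {}
    for inst in root.findall(f"{{{NS}}}Service_Instance"):
        # A 1.0 or 2.x instance is useless to a 1.1 client, so skip it.
        if inst.get("service_version") != SERVICES_11:
            continue
        if inst.get("available", "true").lower() != "true":
            continue
        addr = inst.findtext(f"{{{NS}}}Address")
        if addr:
            services[inst.get("service_type")] = addr.strip()
    return services

SAMPLE_RESPONSE = f"""<taxii_11:Discovery_Response xmlns:taxii_11="{NS}"
    message_id="42" in_response_to="1">
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT"
      service_version="{SERVICES_11}" available="true">
    <taxii_11:Address>https://taxii.example.invalid/collections</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL"
      service_version="{SERVICES_11}" available="true">
    <taxii_11:Address>https://taxii.example.invalid/poll</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL"
      service_version="urn:taxii.mitre.org:services:1.0">
    <taxii_11:Address>https://taxii.example.invalid/poll-1.0</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""

if __name__ == "__main__":
    print(parse_discovery_response(SAMPLE_RESPONSE))
```

If the real discovery URL returns no 1.1 POLL service, or the POST itself hangs, the problem is on the FS-ISAC side (URL, whitelisting or credentials), not in the collection name you gave MineMeld.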
