08-16-2016 12:58 PM
Hi,
I have tried MineMeld with a few miners and output to the inbounfeedhc, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to a SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured ET.compromisedIP and Dshield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see current indicators as 1080.
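For anyone wiring a SIEM to a MineMeld TAXII output node, here is an added example (not code from this thread or from MineMeld) of the two pieces a SIEM-side TAXII 1.1 client needs: the Poll_Request body it POSTs to the poll endpoint, and a parser that turns the Poll_Response into indicator rows. The collection name, the indicator ids and the sample response are constructed placeholders; the real collection name and poll path come from your MineMeld instance.

```python
import xml.etree.ElementTree as ET

# Added example, not MineMeld code: TAXII 1.1 poll request + Poll_Response parsing.
TAXII = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII, "stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}

def poll_request(collection, message_id="1"):
    """Body to POST to the server's TAXII 1.1 poll endpoint (the path is deployment-specific)."""
    return (f'<taxii_11:Poll_Request xmlns:taxii_11="{TAXII}" message_id="{message_id}" '
            f'collection_name="{collection}"><taxii_11:Poll_Parameters allow_asynch="false">'
            '<taxii_11:Response_Type>FULL</taxii_11:Response_Type>'
            '</taxii_11:Poll_Parameters></taxii_11:Poll_Request>')

def indicators_from_poll_response(xml_text):
    """Return [(indicator_id, category, value)] for each address observable in the response."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{TAXII}}}Poll_Response":  # a Status_Message here means the poll was refused
        raise ValueError(f"expected Poll_Response, got {root.tag}")
    rows = []
    for ind in root.iterfind(".//stix:Indicator", NS):
        for props in ind.iterfind(".//cybox:Properties", NS):
            for val in props.iterfind("AddressObj:Address_Value", NS):
                rows.append((ind.get("id"), props.get("category"), val.text.strip()))
    return rows

# Constructed sample Poll_Response standing in for a real MineMeld reply (two indicators).
SAMPLE = f"""<taxii_11:Poll_Response xmlns:taxii_11="{TAXII}" message_id="2" in_response_to="1"
 collection_name="example-collection" more="false" result_part_number="1">
 <taxii_11:Content_Block><taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content><stix:STIX_Package xmlns:stix="{NS['stix']}" xmlns:indicator="{NS['indicator']}"
    xmlns:cybox="{NS['cybox']}" xmlns:AddressObj="{NS['AddressObj']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.1.1">
   <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
     <indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
       <AddressObj:Address_Value>203.0.113.5</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
     <indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
       <AddressObj:Address_Value>198.51.100.0/24</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
   </stix:Indicators></stix:STIX_Package></taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""
```

The rows returned by `indicators_from_poll_response` are what you would load into the SIEM's watchlist or lookup table; the discovery and 401 errors reported later in this thread happen before this step, at the discovery service or at authentication.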
08-28-2017 01:02 AM
I'm trying to ingest a TAXII feed from MineMeld into STAXX. After following the guidance found in multiple posts across the community, I'm still unable to get the feed to work. I've tried various tags (anonymous, any, custom) and I've tried both a "feed" user and an admin user for authentication purposes in STAXX. The errors I keep receiving are below:
[2017-08-28 07:52:33,742] [ERROR] STAXX: Failed to get_feeds for site https://[REMOVED].paloaltonetworks-app.com/taxii-discovery-service, response: None
[2017-08-28 07:52:33,742] [ERROR] HTTP/1.1 500 INTERNAL SERVER ERROR
Traceback (most recent call last):
File "taxii_stix.py", line 789, in get_feeds
File "taxii_stix.py", line 708, in get_version_url
File "taxii_stix.py", line 745, in discover_version
File "taxii_stix.py", line 733, in discovery_generic
File "taxii_stix.py", line 509, in make_request
Exception: HTTP/1.1 500 INTERNAL SERVER ERROR
[2017-08-28 07:52:33,742] [ERROR] Discovery failed.
08-28-2017 07:36 AM
Hi @jhopple,
Could you send me the minemeld-web.log here or at minemeld@paloaltonetworks.com?
Thanks,
luigi
10-22-2017 11:26 PM
@jhopple did you manage to work out a solution for using STAXX to access MineMeld via a TAXII feed? I'm trying to do this too and get the same error as you.
10-30-2017 04:35 PM
Not yet, since the last STAXX update, I'm no longer getting the internal server error. However, I am now getting an HTTP/1.1 401 UNAUTHORIZED error. To recap, the same feed URL and credentials work fine from other TAXII clients/servers.
10-30-2017 04:37 PM - edited 11-07-2017 05:03 AM
Sorry for the delayed response, I keep forgetting to check the forum while working on this. I'm currently using the hosted version of MineMeld (Autofocus app). How do I pull these specific logs? I attempted to access the log dashboard and search for "minemeld-web.log" but it did not return any results.
11-07-2017 05:02 AM
@vedd3r I noticed in another thread that you're using MineMeld and STAXX. Have you by chance had any luck ingesting a MineMeld taxii feed into STAXX?
11-09-2017 12:43 AM - edited 11-09-2017 12:45 AM
I've used STAXX just to confirm whether the PhishTank feed was actually sending in data. I will give it a try on my test system and will revert back soon.
11-09-2017 12:47 AM
I think I have found the issue and it could be a lag in the clocks. @soc_enav suggested an improvement in the TAXII Miner logic, we are currently testing and if it works as expected I will introduce it in a HotFix for MineMeld.
I am sorry it took so long, but it's not super easy to reproduce the problem.
11-12-2017 05:41 PM
11-13-2017 09:21 PM
Hi @jhopple,
it will be released by the end of the next week. In the meantime, if you are in a hurry, you could test the new TAXII Miner external extension: https://github.com/PaloAltoNetworks/minemeld-taxii-ng
It can be installed as any external extension:
- System > External Extensions
- Press on the git button
- Paste the URL https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git
- Select the latest release (0.1b4 at the time of writing) and click install
- Click on the activate button
- After the extension has been activated you will find a new phishtank prototype (taxiing.phishtank) in the prototype list, just clone it into a new node
Thanks,
luigi
11-21-2017 10:42 AM
@lmori thanks but unfortunately I'm using the MM app in AutoFocus so I don't think that would work.
12-03-2017 09:28 PM
Hi @Sly_Cooper,
My name is John, I am quite new to MineMeld but I am also using McAfee ESM.
Can you teach me step by step how I can integrate MineMeld into SIEM?
I hope to hear from you soon.
With regards,
Your friend,
John
12-07-2017 05:22 PM
Hi @lmori ,
My name is John, I am quite new to MineMeld but I am also using McAfee ESM.
Can you teach me step by step how I can integrate MineMeld into SIEM?
I hope to hear from you soon.
With regards,
John
12-12-2017 12:16 PM
@john_chua - I don't manage ESM. I provided the TAXII based URL to the guy managing ESM and we came up with the feed in ESM.
12-15-2017 03:52 AM
@john_chua - I don't manage ESM. I provided the TAXII based URL to the guy managing ESM and we came up with the feed in ESM.
@Sly_Cooper Oh, I understand. Can you teach me how you came up with the feed in ESM? Or maybe you can introduce me to the person who manages it? Hope to hear from you soon.