TAXII feed for SIEM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TAXII feed for SIEM

L4 Transporter

Hi,

 

I have tried minemeld with few miners and output to the inbounfeedhc i.e. PAN EBL/DBL. It is worked as expected. I would like to push the data to SIEM so that i can perform log analysis based on the indicators. How can i use taxii? I have configured ET.compromisedIP and Dshield miners to send data to new aggregator with output to stllib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use taxii based feed? For the taxii based node, I can see current indicators as 1080.

53 REPLIES 53

I'm trying to ingest a TAXII feed from MineMeld into STAXX. After following the guidance found in multiple posts across the community, I'm still unable to get the feed to work. I've tried various tags (anonymous, any, custom) and I've tried both a "feed" user and an admin user for authentication purposes in STAXX. The errors I keep receiving are below:

 

[2017-08-28 07:52:33,742] [ERROR] STAXX: Failed to get_feeds for site https://[REMOVED].paloaltonetworks-app.com/taxii-discovery-service, response: None

[2017-08-28 07:52:33,742] [ERROR] HTTP/1.1 500 INTERNAL SERVER ERROR

Traceback (most recent call last):

  File "taxii_stix.py", line 789, in get_feeds

  File "taxii_stix.py", line 708, in get_version_url

  File "taxii_stix.py", line 745, in discover_version

  File "taxii_stix.py", line 733, in discovery_generic

  File "taxii_stix.py", line 509, in make_request

Exception: HTTP/1.1 500 INTERNAL SERVER ERROR

[2017-08-28 07:52:33,742] [ERROR] Discovery failed.

Hi @jhopple,

could you send me the minemeld-web.log here or at minemeld@paloaltonetworks.com ?

 

Thanks,

luigi

@jhopple did you manage to work out a solution for using STAXX to access MineMeld via a TAXII feed? I'm trying to do this too and get the same error as you.

Not yet, since the last STAXX update, I'm no longer getting the internal server error. However, I am now getting an HTTP/1.1 401 UNAUTHORIZED error. To recap, the same feed URL and credentials work fine from other TAXII clients/servers.

@lmori

 

Sorry for the delayed response, I keep forgetting to check the forum while working on this. I'm currently using the hosted version of MineMeld (Autofocus app). How do I pull these specific logs? I attempted to access the log dashboard and search for "minemeld-web.log" but it did not return any results. 

@vedd3r I noticed in another thread that you're using MineMeld and STAXX. Have you by chance had any luck ingesting a MineMeld taxii feed into STAXX?

@jhopple

 

I've used STAXX just to confirmed whether the PhishTank feeds was actually sending in data. I will give it a try on my test system and will revert back soon.

Hi @vedd3r@jhopple,

I think I have found the issue and it could on a lag in the clocks. @soc_enav suggested an improvement in the TAXII Miner logic, we are currently testing and if it works as expected I will introduce it in an HotFix for MineMeld.

I am sorry it took so long, but it's not super easy to reproduce the problem.

@lmori

I can understand the issue with reproducing since it seems to be heavily tied to STAXX. Is there an unofficial guestimate on when a hot fix will be pushed? Any possible unofficial/unsupported work arounds in the mean time?

Hi @jhopple,

it will be released by the end of the next week. In the mean time, if you are in a hurry, you could test the new TAXII MIner external extension: https://github.com/PaloAltoNetworks/minemeld-taxii-ng

 

It can be installed as any external extension:

- System > External Extensions

- Press on the git button

- Paste the URL https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git

- Select the latest release (0.1b4 at the time of writing) and click install

- Click on the activate button

- After the extension has been activated you will find a new phishtank prototype (taxiing.phishtank) in the prototype list, just clone it into a new node

 

Thanks,

luigi

@lmori thanks but unfortunately I'm using the MM app in AutoFocus so I don't think that would work.

Hi @Sly_Cooper,

My name is john , i am quite new to Minemeld but i am also using McAfee ESM .

can you teach me step by step , on how i can intergradeMinemeld into SIEM ? 

 

i hope to hearfrom you soon.

with regards ,

your friend ,

John 

 

L1 Bithead

Hi @lmori , 

My name is john , i am quite new to Minemeld but i am also using McAfee ESM .

can you teach me step by step , on how i can intergradeMinemeld into SIEM ? 

 

i hope to hearfrom you soon.

with regards ,

John 

@john_chua - I dont manage ESM. I provided the taxii based url to the guy managing ESM and we came up with the feed in ESM.

@john_chua - I dont manage ESM. I provided the taxii based url to the guy managing ESM and we came up with the feed in ESM.

@Sly_Cooper Oh i understand , can you teach me how you come up with the feed in ESM ? or also maybe you can introduce me to the person who manage it ? hope to hear from you soon.

  • 35678 Views
  • 53 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!