I have tried MineMeld with a few miners and output to the inboundfeedhc, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to a SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured the ET.compromisedIP and Dshield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in the PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see current indicators as 1080.
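For the SIEM side of this question, the following is an added example (not MineMeld, STAXX or Palo Alto Networks code) of what a TAXII client has to do with what a stdlib.taxiiDataFeed node serves: take a TAXII 1.1 Poll_Response, pick the Content_Blocks whose binding is STIX 1.1.1 (the assumption here is that MineMeld's data feed node serves TAXII 1.1 with STIX 1.1.1 content), and flatten the indicators into JSON lines a SIEM can ingest. The Poll_Response, its collection name, indicator ids and indicator values are all constructed for this example.

```python
"""Added example: parse a TAXII 1.1 Poll_Response carrying a STIX 1.x package
and flatten its indicators into SIEM-friendly JSON lines. Not MineMeld code;
the sample message below is constructed (example ids, documentation IP, .example domain)."""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple

NS = {
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"  # TAXII content binding id for STIX 1.1.1

# Where the observable value lives, keyed by the CybOX xsi:type of the Properties element.
# Address objects carry their kind (ipv4-addr / ipv6-addr) in the category attribute.
VALUE_PATHS = {
    "AddressObj:AddressObjectType": ("AddressObj:Address_Value", None),
    "DomainNameObj:DomainNameObjectType": ("DomainNameObj:Value", "domain"),
}


class PollResult(NamedTuple):
    collection: str
    more: bool                      # True when the server holds further result parts
    indicators: List[Dict[str, str]]
    skipped: int                    # indicators dropped because their observable type is unknown


def _flatten_indicator(ind: ET.Element) -> Dict[str, str]:
    props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
    if props is None:
        raise ValueError("no observable properties")
    value_path, fixed_type = VALUE_PATHS.get(props.get(XSI_TYPE, ""), (None, None))
    if value_path is None:
        raise ValueError("unsupported observable type %s" % props.get(XSI_TYPE))
    return {
        "id": ind.get("id", ""),
        "timestamp": ind.get("timestamp", ""),
        "type": fixed_type or props.get("category", "address"),
        "value": props.findtext(value_path, default="", namespaces=NS).strip(),
        "title": ind.findtext("indicator:Title", default="", namespaces=NS),
    }


def parse_poll_response(xml_text: str) -> PollResult:
    """Return the indicators of all STIX 1.1.1 content blocks in a Poll_Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Poll_Response" % NS["taxii_11"]:
        raise ValueError("not a TAXII 1.1 Poll_Response: %s" % root.tag)
    indicators, skipped = [], 0
    for block in root.findall("taxii_11:Content_Block", NS):
        binding = block.find("taxii_11:Content_Binding", NS)
        if binding is None or binding.get("binding_id") != STIX_BINDING:
            continue  # content we cannot interpret; leave it alone
        for ind in block.findall(".//stix:Indicators/stix:Indicator", NS):
            try:
                indicators.append(_flatten_indicator(ind))
            except ValueError:
                skipped += 1  # surface the count rather than silently losing data
    return PollResult(root.get("collection_name", ""), root.get("more") == "true",
                      indicators, skipped)


def to_siem_lines(result: PollResult) -> List[str]:
    """One JSON object per line, tagged with the collection it came from."""
    return [json.dumps(dict(ind, collection=result.collection), sort_keys=True)
            for ind in result.indicators]


# Constructed sample: two indicators in one STIX block plus a block in an unknown binding.
SAMPLE_POLL_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  message_id="42" in_response_to="41" collection_name="feedHCGreen" more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package id="example:package-1" version="1.1.1">
        <stix:Indicators>
          <stix:Indicator id="example:indicator-1" timestamp="2017-08-28T07:52:33Z" xsi:type="indicator:IndicatorType">
            <indicator:Title>ET.compromisedIP: 198.51.100.23</indicator:Title>
            <indicator:Observable id="example:observable-1"><cybox:Object id="example:object-1">
              <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
              </cybox:Properties></cybox:Object></indicator:Observable>
          </stix:Indicator>
          <stix:Indicator id="example:indicator-2" timestamp="2017-08-28T07:52:33Z" xsi:type="indicator:IndicatorType">
            <indicator:Title>dshield: bad.example</indicator:Title>
            <indicator:Observable id="example:observable-2"><cybox:Object id="example:object-2">
              <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                <DomainNameObj:Value>bad.example</DomainNameObj:Value>
              </cybox:Properties></cybox:Object></indicator:Observable>
          </stix:Indicator>
        </stix:Indicators>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:unsupported-binding"/>
    <taxii_11:Content>opaque</taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>
"""

if __name__ == "__main__":
    for line in to_siem_lines(parse_poll_response(SAMPLE_POLL_RESPONSE)):
        print(line)
```

The parser deliberately refuses anything that is not a Poll_Response and keeps a count of indicators it had to drop, so a feed that silently changes shape shows up as a number in the SIEM rather than as missing indicators. A real client would loop while `more` is true and, because the XML comes from a remote service, parse it with defusedxml rather than the standard library parser used here for brevity.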
I'm trying to ingest a TAXII feed from MineMeld into STAXX. After following the guidance found in multiple posts across the community, I'm still unable to get the feed to work. I've tried various tags (anonymous, any, custom) and I've tried both a "feed" user and an admin user for authentication purposes in STAXX. The errors I keep receiving are below:
[2017-08-28 07:52:33,742] [ERROR] STAXX: Failed to get_feeds for site https://[REMOVED].paloaltonetworks-app.com/taxii-discovery-service, response: None
[2017-08-28 07:52:33,742] [ERROR] HTTP/1.1 500 INTERNAL SERVER ERROR
Traceback (most recent call last):
File "taxii_stix.py", line 789, in get_feeds
File "taxii_stix.py", line 708, in get_version_url
File "taxii_stix.py", line 745, in discover_version
File "taxii_stix.py", line 733, in discovery_generic
File "taxii_stix.py", line 509, in make_request
Exception: HTTP/1.1 500 INTERNAL SERVER ERROR
[2017-08-28 07:52:33,742] [ERROR] Discovery failed.
Sorry for the delayed response, I keep forgetting to check the forum while working on this. I'm currently using the hosted version of MineMeld (Autofocus app). How do I pull these specific logs? I attempted to access the log dashboard and search for "minemeld-web.log" but it did not return any results.
I think I have found the issue and it could be due to a lag in the clocks. @soc_enav suggested an improvement in the TAXII Miner logic; we are currently testing it and if it works as expected I will introduce it in a HotFix for MineMeld.
I am sorry it took so long, but it's not super easy to reproduce the problem.
It will be released by the end of the next week. In the meantime, if you are in a hurry, you could test the new TAXII Miner external extension: https://github.com/PaloAltoNetworks/minemeld-taxii-ng
It can be installed as any external extension:
- System > External Extensions
- Press the git button
- Paste the URL https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git
- Select the latest release (0.1b4 at the time of writing) and click install
- Click on the activate button
- After the extension has been activated you will find a new phishtank prototype (taxiing.phishtank) in the prototype list; just clone it into a new node
@john_chua - I don't manage ESM. I provided the TAXII based URL to the guy managing ESM and we came up with the feed in ESM.
@Sly_Cooper Oh, I understand. Can you teach me how you came up with the feed in ESM? Or maybe you can introduce me to the person who manages it? Hope to hear from you soon.