TAXII feed for SIEM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TAXII feed for SIEM

L4 Transporter

Hi,

 

I have tried minemeld with few miners and output to the inbounfeedhc i.e. PAN EBL/DBL. It is worked as expected. I would like to push the data to SIEM so that i can perform log analysis based on the indicators. How can i use taxii? I have configured ET.compromisedIP and Dshield miners to send data to new aggregator with output to stllib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use taxii based feed? For the taxii based node, I can see current indicators as 1080.

53 REPLIES 53

I'm still not having any luck connecting to the MM TAXII feed from STAXX. Additionally, is there any way to try out that external extension from the Autofocus hosted version of MM?

Hi @jhopple,

MineMeld with the fixed TAXII Miner will be soon available on AutoFocus.

About STAXX integration, do you have somes logs from STAXX you could share to troubleshoot the issue?

 

luigi


STAXX still couldn't retrieve feed from MM. The error was shown on STAXX as below;
 
Task State: Failed
HTTP/1.1 500 INTERNAL SERVER ERROR

L2 Linker
Any updated thoughts on this? Still getting the internal server error on STAXX. Still no update from STAXX forum either.

Hi @jhopple,

the fix for the TAXII MIner is now available on MM for AutoFocus. Which version of AF/MM are you running on?

 

Thanks,

luigi

@lmori

I'm running VERSION: 0.9.44.post1 (AF)

L0 Member

Hi @Sly_Cooper and @lmori

 

I'm trying to configure a output for FS-ISAC miner, and one of previous topic was mentioned about create a aggregator for Taxii feeds using a prototype stdlib.aggregatorIPv4Generic as model . Is it possible to share a aggregator config for example ? 

 

Also, are you guys using the stdlib.taxiiDataFeed for output or is it a custom output node ? 

 

Thanks a lot!

L2 Linker

I used taxiing.exampleDataFeed as my prototype in MM.    The stdlib.taxiiDataFeed may work too,  I didn't try it.

Then, in Splunk ES, I was able to set up a threat intelligence feed with the following:

  • URL:   <MM_SERVER>/taxii-poll-service
  • POST arguments:  collection="<NAME_OF_MM_OUTPUT_NODE>"

At least in my experience,  URL can be an IP address, even if you use HTTPS in the URL.   This is handy if you want to share over the internet but don't want to publish a DNS record for "mythreatintelplatform.abc.xyz".

  • 35948 Views
  • 53 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!