I have tried MineMeld with a few miners and output to the inbounfeedhc node, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to a SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured the ET.compromisedIP and DShield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see the current indicators as 1080.
I'm trying to configure an output for the FS-ISAC miner, and a previous topic mentioned creating an aggregator for TAXII feeds using the prototype stdlib.aggregatorIPv4Generic as a model. Is it possible to share an aggregator config as an example?
Also, are you guys using stdlib.taxiiDataFeed for output, or is it a custom output node?
Thanks a lot!
I used taxiing.exampleDataFeed as my prototype in MM. stdlib.taxiiDataFeed may work too; I didn't try it.
Then, in Splunk ES, I was able to set up a threat intelligence feed with the following:
At least in my experience, the URL can be an IP address, even if you use HTTPS in the URL. This is handy if you want to share over the internet but don't want to publish a DNS record for "mythreatintelplatform.abc.xyz".
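For readers whose SIEM has no built-in TAXII 1.1 client, the following added example shows what the consumer side of the exchange described in this thread looks like: it builds a TAXII 1.1 Poll_Request for a collection, can POST it over HTTPS, and extracts the IPv4 and domain observables from the STIX 1.x packages in the Poll_Response. This is not code from the thread, from MineMeld or from Splunk ES; the collection name "example-feed", the feed URL, the HTTP basic-auth handling and the embedded sample Poll_Response are constructed assumptions rather than real MineMeld output.

```python
# Added example: minimal TAXII 1.1 poll client for a MineMeld-style data feed.
# Not code from the thread, MineMeld or Splunk. The collection name, URL,
# basic-auth handling and SAMPLE_POLL_RESPONSE are constructed assumptions.
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_NS = "http://stix.mitre.org/stix-1"
INDICATOR_NS = "http://stix.mitre.org/Indicator-2"
CYBOX_NS = "http://cybox.mitre.org/cybox-2"
ADDRESS_NS = "http://cybox.mitre.org/objects#AddressObject-2"
DOMAIN_NS = "http://cybox.mitre.org/objects#DomainNameObject-1"

# Headers a TAXII 1.1 client sends with an XML message over HTTPS.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_poll_request(collection, begin=None):
    """TAXII 1.1 Poll_Request (bytes); `begin` (ISO-8601) asks only for newer content."""
    ET.register_namespace("taxii_11", TAXII_NS)
    req = ET.Element(f"{{{TAXII_NS}}}Poll_Request",
                     {"message_id": uuid.uuid4().hex, "collection_name": collection})
    if begin:  # incremental poll so the SIEM does not re-pull the whole feed each time
        ET.SubElement(req, f"{{{TAXII_NS}}}Exclusive_Begin_Timestamp").text = begin
    params = ET.SubElement(req, f"{{{TAXII_NS}}}Poll_Parameters", {"allow_asynch": "false"})
    ET.SubElement(params, f"{{{TAXII_NS}}}Response_Type").text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def poll(url, collection, begin=None, cafile=None, auth=None):
    """POST the Poll_Request and return the raw Poll_Response body.

    cafile: CA bundle (or the feed's own cert) used to verify the server. With a bare IP in
    the URL the cert must carry that IP as a subjectAltName; supply the right bundle rather
    than disabling verification. auth: (user, password) sent as basic auth (assumed scheme).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=build_poll_request(collection, begin),
                                 headers=TAXII_HEADERS, method="POST")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def has_more(poll_response_xml):
    """True when the result is split and a Poll_Fulfillment is needed for the next part."""
    return ET.fromstring(poll_response_xml).get("more") == "true"


def extract_indicators(poll_response_xml):
    """Return (category, value, title) for each address/domain observable in the response."""
    root = ET.fromstring(poll_response_xml)
    if root.tag != f"{{{TAXII_NS}}}Poll_Response":
        raise ValueError(f"expected a Poll_Response, got {root.tag}")
    found = []
    for ind in root.iter(f"{{{STIX_NS}}}Indicator"):
        title_el = ind.find(f"{{{INDICATOR_NS}}}Title")
        title = (title_el.text or "").strip() if title_el is not None else ""
        for props in ind.iter(f"{{{CYBOX_NS}}}Properties"):  # object type lives on Properties
            addr = props.find(f"{{{ADDRESS_NS}}}Address_Value")
            if addr is not None and addr.text:
                found.append((props.get("category", "address"), addr.text.strip(), title))
            dom = props.find(f"{{{DOMAIN_NS}}}Value")
            if dom is not None and dom.text:
                found.append(("domain", dom.text.strip(), title))
    return found


# Constructed Poll_Response carrying one STIX 1.1.1 package with two indicators (not real feed data).
SAMPLE_POLL_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1" collection_name="example-feed" more="false">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
       xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
       xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.1.1">
    <stix:Indicators>
     <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
      <indicator:Title>constructed IPv4 indicator</indicator:Title>
      <indicator:Observable id="example:observable-1"><cybox:Object id="example:object-1">
       <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
       </cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
     <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
      <indicator:Title>constructed domain indicator</indicator:Title>
      <indicator:Observable id="example:observable-2"><cybox:Object id="example:object-2">
       <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
        <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
       </cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
    </stix:Indicators>
   </stix:STIX_Package>
  </taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

if __name__ == "__main__":
    # Offline run over the constructed response; for a live feed use
    # poll("https://<feed-host>/taxii-poll-service", "example-feed", cafile="<bundle>") instead.
    for category, value, title in extract_indicators(SAMPLE_POLL_RESPONSE):
        print(f"{category},{value},{title}")
```

The tuples this returns are what a SIEM lookup (type, value, title) would be built from. Two practical points when wiring a real SIEM to the feed: check the `more` attribute and issue a Poll_Fulfillment when it is `true`, otherwise large feeds are silently truncated; and when the feed URL is an IP address, as in the reply above, make sure the MineMeld certificate lists that IP as a subjectAltName and point the client at a CA bundle that trusts it, so the indicator channel itself cannot be tampered with in transit.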