TaxiiDataFeed - Aging out of Feed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TaxiiDataFeed - Aging out of Feed

L1 Bithead

Hi Guys,

 

using as prototype the "stdlib.taxiiDataFeed" I've exposed through Minemeld a TAXII Feed. 

 

Now i've observed that this prototype is the only that can't be aged out, in fact the IoCs collected from the sources comes in addition to those already present in the Feed.

 

Is there a functionality to enable the aging out of the Output (stdlib.taxiiDataFeed)

 

This question is asked me by more customers.

 

Waiting for your feedback.

 

Regards,

R.

 

7 REPLIES 7

L7 Applicator

Hi @rafy92,

due to its semantic different from others feed formats, TAXII DataFeed has its own internal age out. By default it ages updates older than 24 hours. One thing to remember is that the TAXII DataFeed records all the updates of the indicators, that means that if an indicators has been updated 1K times in the last 24 hours there will be 1K entries for that indicators with different timestamps in the TAXII DataFeed. This is based on TAXII 1.1 standard.

 

You can change the age out by modifying the *age_out_interval* value in the prototype.

Hi @lmori,

 

many thanks for your support but I don't understand why the field "removing" is always equal to 0 if the aging out related to TaxiiDataFeed is by default set to 24h.

 

In addition to the previous point, as you can see in the attached image, the miner do aging out correctly after a timeframe setting by me while the output (stdlib.taxiiDataFeed) not seems to remove the IoCs from feed after 24h.

 

Waiting for your feedback

Regards,

R.

Hi @rafy92,

thanks for you feedback, I found the issue. This should be fixed in the next release.

 

Luigi

Hi @lmori,

 

thank you!

 

Please, let me know when the new release will be released.

 

Regards,

R.

Hi @lmori,

 

in Minemeld version 0.9.50 i've the same issue.

 

Could you please support me?

 TaxiiFeed.png

 

 

Thanks in advance!

Regards

 

Hi @rafy92,

please could you check the stats page of the output node and see the historical data of the number of indicators over the past 7 days?

Hi @lmori,

 

sorry for the delay. Today i've doing some test and the results are these:

 

1. I add to my node some IoCs and the node and the output (Taxii Feed) perform the update correctly.

 

2. I remove some IoCs from node source and the node perform the update correctly but the output show this result --> Case two image

 

3. Sometimes the output aging out all IoCs inside even if the node is not empty --> Case three.

 

Let me know pls.

 

Thank you for your support!

 

 

  • 11620 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!