Through MS-ISAC we are able to consume a Taxii feed (I believe it originates as a Soltra Edge feed). Currently this is going straight into my palo as an EDL.
I would like to bring it in through minemeld so I can add other feeds and take advantage of the other features in MineMeld.
When I look at prototypes for Miners, I don't see any that refer to MS-ISAC. How might I go about adding this as a miner?
Kevin, I've done this before with MS-ISAC and it can absolutely be done. One thing to note though is that MS-ISAC recently moved from Soltra Edge to utilizing Anomali. They also just recently enabled the TAXII feeds on the Anomali side. I am working on doing discovery and integration now to get that operational. Basically it breaks down into a couple of steps.
1. Clone an existing TAXII prototype (hailataxii is the easiest) and input the necessary components (taxii-discovery-service, feed, etc).
2. Make sure that your initial load looks back at least 7 days if not longer to make sure you get some data. It is important to note that the feed starts the moment you start the node, there isn't anything rearward looking unless you configure it as such.
3. Create the miner/node associated with the prototype and put in your authentication credentials here. You can do it in the prototype as well, but it really isn't necessary.
4. Utilize your miner/node in the feed.
Things to point out are to make sure that you are using the correct discovery service URL and that your credentials are correct. It will take a little time to pull in and parse the data. Be patient, if you have authenticated appropriately you should have little issue. When in doubt utilize the CLI test commands on your VM in order to make sure it's going.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!