TAXII feed for SIEM


Hi,

I have tried MineMeld with a few miners and output to the inboundfeedhc, i.e. PAN EBL/DBL. It worked as expected. I would like to push the data to a SIEM so that I can perform log analysis based on the indicators. How can I use TAXII? I have configured ET.compromisedIP and DShield miners to send data to a new aggregator with output to stdlib.feedHCGreen and stdlib.taxiiDataFeed based nodes. I can get data in PAN DBL using the stdlib.feedHCGreen output node. What configuration will be needed so that I can configure our SIEM to use the TAXII based feed? For the TAXII based node, I can see current indicators as 1080.


Hi Sly_Cooper,

What SIEM are you working with?

Can your SIEM retrieve (pull) indicators from MineMeld via TAXII? Or should MineMeld push indicators to the SIEM using TAXII?

@lmori we use McAfee ESM. We already have one threat feed configured for the hailataxii feed (http://hailataxii.com/taxii-discovery-service). The current feed is configured as POST (and Collection Name). I don't see any URL to pull the data the way it is for DBL based output nodes.

Hi Sly_Cooper,

Default output nodes do not support TAXII. But you can create new output nodes based on stdlib.taxiiDataFeed and attach them to your aggregators to support TAXII.

Then you can query the MineMeld TAXII Discovery Service at https://<minemeld>/taxii-discovery-service to retrieve the list of currently configured TAXII feeds.

 

I am working on the documentation for the TAXII output nodes, stay tuned 🙂
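The discovery query described above can be exercised without the SIEM, which helps when the SIEM only reports "Error" and hides the HTTP status and body. The script below is an added example, not code from this thread, from MineMeld or from McAfee ESM: it sends a TAXII 1.1 Discovery_Request with the standard TAXII HTTP binding headers (the same POST the SIEM makes), returns the raw status and body even on a 4xx so the server's reason is visible, and parses the Service_Instance entries out of a Discovery_Response. The SAMPLE_RESPONSE is constructed for the offline run; the 192.0.2.10 host and the poll-service address in it are made up, and the `verify_cert=False` switch is the equivalent of the SIEM's "Ignore Invalid Certificate" for a self-signed MineMeld cert.

```python
"""TAXII 1.1 discovery client for checking a MineMeld TAXII output feed.

Added example; not MineMeld's or McAfee ESM's code. Everything network-related
is only run under __main__, so importing this module is side-effect free.
"""
import ssl
import uuid
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"


def discovery_headers(https=True):
    """TAXII 1.1 HTTP binding headers; a SIEM sends the same ones on its POST."""
    proto = "https" if https else "http"
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:%s:1.0" % proto,
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }


def build_discovery_request(message_id=None):
    """Minimal Discovery_Request body; message_id must be unique per request."""
    mid = message_id or uuid.uuid4().hex
    return ('<taxii_11:Discovery_Request xmlns:taxii_11="%s" message_id="%s"/>'
            % (TAXII_NS, mid)).encode()


def parse_discovery_response(body):
    """Return one dict per Service_Instance advertised by the server."""
    root = ET.fromstring(body)
    if root.tag != "{%s}Discovery_Response" % TAXII_NS:
        raise ValueError("not a TAXII 1.1 Discovery_Response: %s" % root.tag)
    services = []
    for inst in root.findall("{%s}Service_Instance" % TAXII_NS):
        services.append({
            "type": inst.get("service_type"),
            "available": inst.get("available", "true").lower() == "true",
            "address": inst.findtext("{%s}Address" % TAXII_NS),
            "protocol": inst.findtext("{%s}Protocol_Binding" % TAXII_NS),
            "message_bindings": [b.text for b in
                                 inst.findall("{%s}Message_Binding" % TAXII_NS)],
        })
    return services


def discover(url, verify_cert=True, timeout=10):
    """POST a Discovery_Request and return (status, body).

    A non-2xx answer is returned instead of raised so the server's error body
    (the part the SIEM summarises as "Error") can be read.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:  # self-signed MineMeld cert; equivalent of "Ignore Invalid Certificate"
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=build_discovery_request(),
                                 headers=discovery_headers(url.startswith("https")),
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


# Constructed sample of what a server answers; hosts/paths here are made up.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<taxii_11:Discovery_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="DISCOVERY" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://192.0.2.10/taxii-discovery-service</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://192.0.2.10/taxii-poll-service</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>
"""

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://<minemeld>/taxii-discovery-service"
    status, body = discover(url, verify_cert=False)
    print("HTTP", status)
    if status == 200:
        for s in parse_discovery_response(body):
            print("%-22s %-6s %s" % (s["type"], s["available"], s["address"]))
    else:
        print(body.decode(errors="replace"))  # e.g. the nginx/MineMeld 400 reason
```

Run it as `python3 taxii_discover.py https://<minemeld>/taxii-discovery-service`; a 400 prints the server's own message, which is more useful than the SIEM's one-word summary. Leave `verify_cert=True` once the self-signed certificate has been replaced.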

@lmori Thank you.

I have configured a custom aggregator node based on stdlib.aggregatorIPv4Generic and a custom output node based on stdlib.taxiiDataFeed. I am using the DShield block list as miner. The SIEM just says Error and the hostname while adding the feed.

I am also suspecting an issue with the self-signed SSL cert.

Could you please post the full error message you get back from the SIEM?

Hi @lmori,

The web UI just shows "Error" and the hostname on the next line when we try "Test Connection". I will see if there is a way to get a raw log from the system.

Hi Sly_Cooper,

I don't have access to a McAfee SIEM but this config should work:

Type: TAXII
URL: https://<minemeldip>/taxii-discovery-service
Authentication: None
Method: POST
Ignore Invalid Certificate: Checked (if you have replaced the cert with a valid one you should uncheck this)
Collection Name: <name of the TAXII output node>

@lmori

I have configured the required settings. Here is the new error.

ERROR
Error issuing TAXII request, HTTP response code: 400: Missing X-Server header

Hi Sly_Cooper,

thanks for the additional log. I have found the issue, it's an oversight in the nginx config. It will be fixed in the next release.

Meanwhile, as a workaround, you can edit the file /opt/minemeld/local/config/wsgi.yml and add the TAXII_HOST variable. The value should be the IP address of your MineMeld instance. For example, if your MineMeld instance has IP 192.168.55.172:

# this should be commented in production !
DEBUG: true

API_AUTH_ENABLED: true
USERS_DB: wsgi.htpasswd

SUPERVISOR_URL: "unix:///opt/minemeld/local/supervisor/run/minemeld.sock"

TAXII_HOST: 192.168.55.172

After changing the file you should reload the MineMeld Web API using the command:

sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf restart minemeld-web

Thanks!

luigi
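The workaround above is two steps, a config edit and a service restart, and it is easy to end up with two TAXII_HOST lines or a typo that leaves the Web API unable to load its config. The script below is an added example, not part of this thread or of MineMeld's own tooling: it sets exactly one `TAXII_HOST:` line in wsgi.yml by plain line editing (so comments and ordering survive, unlike a YAML round-trip), refuses values that are not IP addresses since the post says the value is the instance IP, keeps a `.bak` copy, writes atomically, and only then runs the supervisorctl command from the post. The file path and restart command are the ones given above; SAMPLE_WSGI_YML is the config text from the post, reproduced for the offline run.

```python
"""Set TAXII_HOST in MineMeld's wsgi.yml and restart minemeld-web.

Added example, not MineMeld's tooling. Paths and the restart command are the
ones from the forum post; nothing is executed unless run as a script.
"""
import ipaddress
import os
import shutil
import subprocess
import sys

WSGI_YML = "/opt/minemeld/local/config/wsgi.yml"
RESTART_CMD = [
    "sudo", "-u", "minemeld",
    "/opt/minemeld/engine/current/bin/supervisorctl",
    "-c", "/opt/minemeld/local/supervisor/config/supervisord.conf",
    "restart", "minemeld-web",
]

# wsgi.yml as shown in the post, before the workaround (constructed sample).
SAMPLE_WSGI_YML = """# this should be commented in production !
DEBUG: true

API_AUTH_ENABLED: true
USERS_DB: wsgi.htpasswd

SUPERVISOR_URL: "unix:///opt/minemeld/local/supervisor/run/minemeld.sock"
"""


def set_taxii_host(text, host):
    """Return `text` with exactly one active `TAXII_HOST: <host>` line.

    An existing uncommented setting is replaced in place and any duplicate is
    dropped; otherwise the line is appended. Commented-out lines are left alone.
    """
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    new_line = "TAXII_HOST: %s" % host
    out, done = [], False
    for line in text.splitlines():
        active = line.split("#", 1)[0].strip()  # ignore trailing comments
        if active.startswith("TAXII_HOST:"):
            if not done:
                out.append(new_line)
                done = True
            continue  # drop duplicates
        out.append(line)
    if not done:
        if out and out[-1].strip():
            out.append("")  # keep a blank line before the new key, as in the post
        out.append(new_line)
    return "\n".join(out) + "\n"


def update_file(path, host):
    """Rewrite `path` atomically after saving `path.bak`; True if it changed."""
    with open(path) as f:
        old = f.read()
    new = set_taxii_host(old, host)
    if new == old:
        return False
    shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <minemeld-ip>" % sys.argv[0])
    if update_file(WSGI_YML, sys.argv[1]):
        subprocess.check_call(RESTART_CMD)  # only restart when something changed
    else:
        print("TAXII_HOST already set to %s; nothing to do" % sys.argv[1])
```

Run as `sudo python3 set_taxii_host.py 192.168.55.172`; a second run with the same address changes nothing and skips the restart, and if the Web UI then reports "Error loading config" the `.bak` copy is the quickest way back.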

@lmori I have got the required configuration updated in the config file. Please note that the command to reload the MineMeld API worked fine in the CLI; however, there was a warning in the GUI, "Error loading config", and indicators went to "0". I restarted the VM and the GUI loaded fine with all required nodes with indicator data. Now the error has changed on the SIEM. I am not sure if the MineMeld configuration needs further tweaking.

ERROR
Error issuing TAXII request, HTTP response code: 400: Invalid message

Would you be available for a webmeeting? We could speed up the integration tests this way.
Just send me an email at lmori@paloaltonetworks.com

Thanks,
Luigi

@Sly_Cooper that error message typically happens when you try to access a TAXII feed that does not exist. Could you post a screenshot of your MM config and the config of the McAfee SIEM?

Thanks!

luigi

[Attachments: Screenshot_1.png, Screenshot_2.png, Clipboard01.jpg]

McAfee SIEM Config and error

[Attachment: Screenshot_3.png]
