ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.
using as prototype the "stdlib.taxiiDataFeed" I've exposed through Minemeld a TAXII Feed.
Now i've observed that this prototype is the only that can't be aged out, in fact the IoCs collected from the sources comes in addition to those already present in the Feed.
Is there a functionality to enable the aging out of the Output (stdlib.taxiiDataFeed)?
This question is asked me by more customers.
Waiting for your feedback.
due to its semantic different from others feed formats, TAXII DataFeed has its own internal age out. By default it ages updates older than 24 hours. One thing to remember is that the TAXII DataFeed records all the updates of the indicators, that means that if an indicators has been updated 1K times in the last 24 hours there will be 1K entries for that indicators with different timestamps in the TAXII DataFeed. This is based on TAXII 1.1 standard.
You can change the age out by modifying the *age_out_interval* value in the prototype.
many thanks for your support but I don't understand why the field "removing" is always equal to 0 if the aging out related to TaxiiDataFeed is by default set to 24h.
In addition to the previous point, as you can see in the attached image, the miner do aging out correctly after a timeframe setting by me while the output (stdlib.taxiiDataFeed) not seems to remove the IoCs from feed after 24h.
Waiting for your feedback
sorry for the delay. Today i've doing some test and the results are these:
1. I add to my node some IoCs and the node and the output (Taxii Feed) perform the update correctly.
2. I remove some IoCs from node source and the node perform the update correctly but the output show this result --> Case two image
3. Sometimes the output aging out all IoCs inside even if the node is not empty --> Case three.
Let me know pls.
Thank you for your support!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!