Anomali STAXX is the free version of the Anomali ThreatStream threat intel platform. After playing with Soltra Edge I figured this would be a good next step to see if it could be integrated with RSA NetWitness Suite. We already have an integration posted for the full package, but what if users wanted to leverage the free version?

After setting up the VM (2.6 as of this writing, auto-updated to 3.0 and still working) the next step was adding TAXII sources of threat data to see how the pipeline worked. Registering for AlienVault OTX and IBM X-Force along with a few other sources of data allowed me to subscribe and test out the TAXII integration.

Next step, let's see if we can pull that data out of Anomali and into NetWitness Suite.

First problem: this being the free version, apparently STAXX can only be used as a TAXII client and not a server, so I cannot leverage the upcoming TAXII client functions of NW11 to pull from STAXX with TAXII (and 10.6 doesn't provide TAXII). So a script was needed. With a little help from the Anomali community I was able to come up with a functioning script that pulls out a filtered set of data from STAXX and outputs a CSV for use as a feed in RSA NetWitness.

This was a good time to add a few more metakeys that could be useful specifically with threat intel data, to bring more context to events. These metakeys were added to the index-concentrator-custom.xml.

Then the feed was created with the recurring option to poll the CSV (either hosted locally on the web root directory or on a remote server).

The filter included in the script looks for the following criteria, to reduce the data brought in to just what is required and relevant:

Query = "(severity=medium OR severity=high OR severity=very-high) AND itype='mal_ip'"

The query can be updated to include indicators that are relevant to you.

Now create the script and map the fields that are relevant to metakeys. This is the mapping that was used in this example.

Now that we have data we can push the feed to all the decoders and log decoders in an environment (using service groups helps keep everything in sync). And once you have some test logs or packets to trigger the events and see if you have a working pipeline, you should get some meta like this.

Update your timing for queries in STAXX to get the latest data and stay within any API query limits on your data sources, as well as the schedule for the script that pulls indicators (which should be put in a crontab) and the schedule on which NetWitness pulls that CSV.

2 4 * * * /root/nw-scripts/rsa-anomali-staxx-script/anomali-staxx.py > /var/www/html/anomalistaxxfeed.csv
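The filtering and field-mapping step described above, as an added example that is not the script from the post or Anomali's code. It assumes the indicator records carry the fields value, itype, severity, confidence and source (STAXX's real export format is not shown on the page, so a constructed list stands in for it), and the order of feed columns is an assumption to be matched to the column mapping you define in the NetWitness feed wizard. Beyond the post's query it also rejects indicator values that are not syntactically IP addresses and de-duplicates repeated values, so a malformed or repeated record cannot pollute the feed.

```python
"""Filter STAXX-style indicator records and emit a CSV for a NetWitness custom feed.

Added example; not the post's script. Field names on the records
(value, itype, severity, confidence, source) and the feed column order
are assumptions.
"""
import csv
import io
import ipaddress

# The post's filter, in its own query syntax:
#   (severity=medium OR severity=high OR severity=very-high) AND itype='mal_ip'
ALLOWED_SEVERITIES = {"medium", "high", "very-high"}
WANTED_ITYPE = "mal_ip"

# Assumed feed column order: the indicator value first (the column the
# decoder matches against ip.src/ip.dst), then the fields that become
# the threat-intel metakeys mapped in the feed definition.
FEED_COLUMNS = ("value", "severity", "itype", "source", "confidence")

# Constructed sample records standing in for a STAXX export.
SAMPLE_RECORDS = [
    {"value": "203.0.113.10", "itype": "mal_ip", "severity": "high",
     "confidence": "85", "source": "OTX"},
    {"value": "198.51.100.7", "itype": "mal_ip", "severity": "low",
     "confidence": "40", "source": "OTX"},                       # below severity cut-off
    {"value": "evil.example", "itype": "mal_domain", "severity": "very-high",
     "confidence": "90", "source": "X-Force"},                   # wrong itype
    {"value": "203.0.113.10", "itype": "mal_ip", "severity": "high",
     "confidence": "85", "source": "OTX"},                       # duplicate
    {"value": "not-an-ip", "itype": "mal_ip", "severity": "medium",
     "confidence": "60", "source": "OTX"},                       # malformed value
    {"value": "2001:db8::1", "itype": "mal_ip", "severity": "medium",
     "confidence": "70", "source": "X-Force"},
]


def matches_filter(record):
    """Apply the post's severity/itype criteria to one record."""
    return (record.get("severity") in ALLOWED_SEVERITIES
            and record.get("itype") == WANTED_ITYPE)


def is_ip(value):
    """True only for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_feed_row(record):
    """Map one indicator record onto the assumed feed columns."""
    return [record.get(col, "") for col in FEED_COLUMNS]


def build_feed(records):
    """Filter, validate and de-duplicate; returns feed rows in input order."""
    seen = set()
    rows = []
    for rec in records:
        value = rec.get("value", "")
        if not matches_filter(rec) or not is_ip(value) or value in seen:
            continue
        seen.add(value)
        rows.append(to_feed_row(rec))
    return rows


def feed_csv(records):
    """Render the feed as header-less CSV text, ready to be written to the
    web root that the recurring NetWitness feed polls."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(build_feed(records))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    sys.stdout.write(feed_csv(SAMPLE_RECORDS))
```

When scheduling this from cron, write the CSV to a temporary file and rename it over the served file only after the script exits successfully; redirecting stdout straight into the file the feed polls means a failed or empty run truncates the feed until the next pull.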