
Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

When we met at Protect in September, you were pretty clear that adding STIX/TAXII support to the Activate Threat Intelligence package should be a priority. Today, we are happy to announce the first release of this support, enabling you to take advantage of the Activate Threat Intelligence use cases by integrating your STIX/TAXII server of choice.

Here are the highlights of the current release:

  • Configure the new Activate STIX/TAXII script to point to any STIX 1.2/TAXII 1.1 compliant TAXII server. We tested with “hail a taxi”, Anomali Limo, and AlienVault OTX.
  • The STIX/TAXII script populates the existing Activate Threat Intelligence Active Lists with all of the STIX Indicators in all the TAXII Collections at that server.
  • The Activate Threat Intelligence Use Cases work exactly as before, without any change.

Upcoming releases will focus on at least the following big items:

  • Extend support to more advanced objects in the STIX model; in particular Campaigns, Threat Actors, and TTPs. With the fuller STIX model inside ESM, we can give Analysts this richer context to work with when conducting alert triage. 
  • Enable bi-directional sharing of threat intelligence by allowing the push of STIX objects to the TAXII server.

As a community driven effort, we value your feedback and contributions to improve our STIX/TAXII support in ArcSight.

Start your exploration of the latest Activate Threat Intelligence solution here.

  • 0

    Can someone please provide the script for Anomali Limo? The password is not being accepted by the Python client.

    C:\arcsight-taxii-client limo.anomali.com /api/v1/taxii/taxii-discovery-service/ --auto --auth basic --username guest --password guest --poll Malware_Domain_List___Hotlist_F200 --begin 2018-05-01 --end 2018-07-08 --output E:\Logs

    usage: arcsight-taxii-client [-h] [--port PORT]
                                 [--discover | --collection | --poll POLL | --stix-file STIX_FILE]
                                 [--begin BEGIN] [--end END]
                                 [--today | --days DAYS | --hours HOURS]
                                 [--no-https] [--proxy PROXY] [--auth {basic}]
                                 [-u USERNAME] [-p] [--key-file KEY_FILE]
                                 [--cert-file CERT_FILE]
                                 [--itype ITYPE | --use-ttp USE_TTP]
                                 [--producer PRODUCER] [--score SCORE]
                                 [--confidence {low,medium,high}]
                                 [--tlp-color {white,green,amber,red}]
                                 [--group GROUP] [--relevance RELEVANCE]
                                 [--reference REFERENCE]
                                 [--reference_tlp {white,green,amber,red}]
                                 [--conf CONF] [--output OUTPUT] [--log LOG]
                                 [--auto] [--memory] [--us-cert] [--active-list]
                                 [--cifv2] [--create-config CREATE_CONFIG]
                                 [--silent | --debug] [-s {stixtaxii,cifv2}] [-v]
                                 [hostname] [path]
    arcsight-taxii-client: error: unrecognized arguments: guest

  • 0 in reply to 

    Instead of:

    C:\arcsight-taxii-client limo.anomali.com /api/v1/taxii/taxii-discovery-service/ --auto --auth basic --username guest --password guest --poll Malware_Domain_List___Hotlist_F200 --begin 2018-05-01 --end 2018-07-08 --output E:\Logs

    Try:

    C:\arcsight-taxii-client limo.anomali.com /api/v1/taxii/taxii-discovery-service/ --auto --auth basic --username guest --password --poll Malware_Domain_List___Hotlist_F200 --begin 2018-05-01 --end 2018-07-08 --output E:\Logs

    arcsight-taxii-client does not accept the password on the command line. The second version will prompt you for the password.

    If this works, then you can create a config file using --create-config, edit the config file and input the password, then use the config file with arcsight-taxii-client --conf.

    Regards

    Stephen

  • 0 in reply to 

    Stephen, question from someone related to your discussions:

    "I did what Stephen instructed below; it works when doing it manually in CLI after the password prompt.

    The issue comes when using the config file. Got the following error:

    2018-08-08 11:53:07,331 : arcsight_stix_taxii : INFO : Writing configuration file to: anomali.conf
    2018-08-08 11:53:42,930 : arcsight_stix_taxii : INFO : Using configuration file.
    2018-08-08 11:53:42,931 : arcsight_stix_taxii : CRITICAL : Error occurred while running client, see log file for debug information
    2018-08-08 11:53:42,931 : arcsight_stix_taxii : DEBUG : Error occurred while running client: 'list' object has no attribute 'split'
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/arcsight_stix_taxii/client.py", line 734, in main
        begin_date=begin_date, end_date=end_date)
      File "/usr/lib/python2.7/site-packages/arcsight_stix_taxii/client.py", line 287, in read_config
        collections = collections.split(',')
    AttributeError: 'list' object has no attribute 'split'

    Attached is the config file created. Can you check with him what could be the issue?

    Thanks
    Orson"

  • 0 in reply to 

    Here is the related config file created that has the issue:

    [app]
    us-cert = False
    memory = False
    cleanup = True

    [server]
    hostname = limo.anomali.com
    port = None
    path = /api/v1/taxii/taxii-discovery-service/
    https = True
    auth_type = basic
    username = guest
    password = guest
    collections = Malware_Domain_List___Hotlist_F200
    auto = True
    proxy = None
    begin_date = 2018-08-01
    end_date = 2018-08-08

    [csv]
    order = otype,observable,itype,firstdetecttime,lastdetecttime,score,confidence,source,relevance,description_or_title,reference
    datetime_format = %Y-%m-%d %H:%M:%S %z
    output = /opt/arcsight/stix_taxii/
    itype = suspicious
    ttp_option = type
    score = 50
    confidence = low
    tlp_color = white
    group = everyone
    relevance =
    reference =
    reference_tlp = white
    activelist = False
    cifv2 = False
    campaigns = False
    related_objects = False
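The traceback quoted above shows the client's own read_config calling `.split(',')` on a `collections` value that is already a list, which is exactly the kind of type mix-up a config reader should absorb rather than crash on. The following is an added example, not code from the arcsight_stix_taxii package: it reads the `[server]` and `[csv]` sections of a config file shaped like the one posted here, keeps the password in the file rather than on the command line (the point of `--create-config` and `--conf` in Stephen's reply), disables configparser interpolation so the `%` characters in `datetime_format` do not raise, and normalizes list-valued settings whether they arrive as a comma-separated string or as a list. `normalize_list`, `optional`, `read_client_config` and the `SAMPLE_CONF` text are constructed for this example and are assumptions, not names from the client.

```python
"""Added example (not the arcsight_stix_taxii client): a tolerant reader for
an arcsight-taxii-client style config file.

The thread's traceback shows read_config doing collections.split(',') on a
value that is already a list.  normalize_list() accepts a comma-separated
string, a single name, a list/tuple or None, so a caller never hits that
AttributeError.  The password comes from the file, never from the CLI.
"""
import configparser
import io

# Constructed sample mirroring the [server] and [csv] sections posted above.
# The '%' characters in datetime_format are why interpolation is disabled.
SAMPLE_CONF = """\
[server]
hostname = limo.anomali.com
port = None
path = /api/v1/taxii/taxii-discovery-service/
https = True
auth_type = basic
username = guest
password = guest
collections = Malware_Domain_List___Hotlist_F200
auto = True
proxy = None
begin_date = 2018-08-01
end_date = 2018-08-08

[csv]
order = otype,observable,itype,firstdetecttime,lastdetecttime,score,confidence,source,relevance,description_or_title,reference
datetime_format = %Y-%m-%d %H:%M:%S %z
output = /opt/arcsight/stix_taxii/
"""


def normalize_list(value):
    """Return a clean list of names from a str, list, tuple or None."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        items = [str(v) for v in value]
    else:
        items = str(value).split(',')
    return [item.strip() for item in items if item.strip()]


def optional(value):
    """The generated file writes unset options as the literal string 'None'."""
    if value is None or value.strip().lower() == 'none':
        return None
    return value.strip()


def read_client_config(text):
    """Parse [server] and [csv] from config text into plain Python values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(text))
    for section in ('server', 'csv'):
        if not parser.has_section(section):
            raise ValueError("config file has no [%s] section" % section)
    srv, csv = parser['server'], parser['csv']
    port = optional(srv.get('port'))
    return {
        'server': {
            'hostname': srv.get('hostname'),
            'port': int(port) if port is not None else None,
            'path': srv.get('path'),
            'https': srv.getboolean('https', fallback=True),
            'auth_type': srv.get('auth_type'),
            'username': srv.get('username'),
            'password': srv.get('password'),  # read from file, never the CLI
            'collections': normalize_list(srv.get('collections')),
            'auto': srv.getboolean('auto', fallback=False),
            'proxy': optional(srv.get('proxy')),
            'begin_date': srv.get('begin_date'),
            'end_date': srv.get('end_date'),
        },
        'csv': {
            'order': normalize_list(csv.get('order')),
            'datetime_format': csv.get('datetime_format'),
            'output': csv.get('output'),
        },
    }


if __name__ == '__main__':
    cfg = read_client_config(SAMPLE_CONF)
    print(cfg['server']['hostname'], cfg['server']['collections'])
    print(cfg['csv']['order'])
```

Because the file now holds the credential, restrict it so only the account that runs the client can read it; that is the trade-off for keeping the password out of process listings and shell history.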

  • 0 in reply to 

    Yes, this is the same error I'm experiencing, and posted about yesterday at https://community.softwaregrp.com/t5/ArcSight-User-Discussions/arcsight-taxii-client-Python-error-AttributeError-list-object/m-p/1660462

    I also opened a Service Request regarding this, SD02257003.

    I'll post any feedback I get from Support.