
L1-Threat Intelligence - Indicators and Warnings

This is the official forum for discussing the basic ArcSight Activate L1-Threat Intelligence - Indicators and Warnings package, as described in the Activate Wiki.

Version 1.1.0.0 TI: (L1-Threat_Intelligence_-_Indicators_and_Warnings_1.1.0.0.arb)

Modified Resources:

/All Rules/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings/Populate Suspicious Address List

--
Prentice S. Hayes
Principal Product Manager | Cybersecurity Enterprise, Security Analytics
OpenText Cybersecurity

LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

Website: https://www.opentext.com/

  • 0

    Hi Community,

    I've installed a STIX/TAXII server and tried polling for 1 specific collection. It's currently still running and it has been more than 1 hour now.

    1. Has anyone tried using a Stix/Taxii polling? How long does it usually take to finish one collection?
    2. Is there a minimum specs requirement for the server? Does this affect the performance of the polling?

    Thanks! :) 

     

  • 0 in reply to 

    Actually it depends on the data. Which collection are you trying to download? It was working normally when I was using it.

     

  • 0 in reply to 

    Hi Mr. Eugene,

    Thank you for the answer,

    The poll is now finished. It took around 4.5 hours.

    I used the HAILATAXII.COM site and polled the Abuse_ch collection.

     

    Thanks.

  • 0 in reply to 

    If you don't specify a begin date, it pulls all the data. If the data is big, it takes a long time to complete. I used the following command and it was completed in seconds.

    arcsight-taxii-client hailataxii.com /taxii-discovery-service --no-https --auto --auth basic --username guest --poll guest.Abuse_ch --today --output /tmp/ --debug

    Instead of the --today option you can use "--days 7". It pulls data from the last 7 days.

  • 0 in reply to 

    Hi Mr. Eugene,

    Thank you for that information, we will schedule it to run daily.

    But we are having trouble with the flex now. I used the flex config file that came with the "arcsight_stix_taxii.zip" file; there seems to be no problem with the flex script. The csv file says it was processed, but it is not on our ESM.


    I took a look at the agent.log and saw this:

    [screenshot of agent.log: 111111111111111.PNG, not reproduced]


    Here are the files - it says that it was processed:

    [screenshot of the processed files: 22222.PNG, not reproduced]


    Here is the flexconn script that I used:

    # CSV parsing options for the CIF-style export
    delimiter=,
    text.qualifier="
    comments.start.with=\#
    trim.tokens=true
    contains.empty.tokens=true

    # Eleven columns; token numbers must match the column order in the csv
    token.count=11

    token[0].name=otype
    token[0].type=String
    token[1].name=observable
    token[1].type=String
    token[2].name=indicatorType
    token[2].type=String
    token[3].name=firstdetecttime
    token[3].type=String
    token[4].name=lastdetecttime
    token[4].type=String
    token[5].name=score
    token[5].type=String
    token[6].name=confidence
    token[6].type=String
    token[7].name=producer
    token[7].type=String
    token[8].name=rdata
    token[8].type=String
    token[9].name=description
    token[9].type=String
    token[10].name=altid
    token[10].type=String

    # Event field mappings
    event.name=__stringConstant("Collective Intelligence Feed")
    event.deviceFacility=__toLowerCase(otype)
    event.deviceSeverity=__toLowerCase(confidence)
    event.message=observable
    event.deviceCustomDate1Label=__stringConstant("First Detected Time")
    event.deviceCustomDate1=__createSafeLocalTimeStamp(firstdetecttime,"yyyy-MM-dd HH:mm:ss Z")
    event.deviceCustomDate2Label=__stringConstant("Last Detected Time")
    event.deviceCustomDate2=__createSafeLocalTimeStamp(lastdetecttime,"yyyy-MM-dd HH:mm:ss Z")
    # otype selects which field the observable lands in; the empty else branch leaves the field unset
    event.requestUrl=__ifTrueThenElse(__contains(otype,"url"),observable,)
    event.sourceAddress=__oneOfAddress(__ifTrueThenElse(__contains(otype,"ipv4"),observable,))
    event.deviceCustomIPv6Address1=__stringToIPv6Address(__ifTrueThenElse(__contains(otype,"ipv6"),observable,))
    event.sourceDnsDomain=__ifTrueThenElse(__contains(otype,"fqdn"),__toLowerCase(observable),)
    event.sourceUserName=__ifTrueThenElse(__contains(otype,"email"),observable,)
    # A properties file keeps only the last value of a repeated key, so five separate
    # event.fileHash lines would leave only the last (uuid) case active. One nested
    # expression covers every hash type.
    event.fileHash=__ifTrueThenElse(__contains(otype,"md5"),observable,__ifTrueThenElse(__contains(otype,"sha1"),observable,__ifTrueThenElse(__contains(otype,"sha256"),observable,__ifTrueThenElse(__contains(otype,"sha512"),observable,__ifTrueThenElse(__contains(otype,"uuid"),observable,)))))
    event.deviceCustomNumber1Label=__stringConstant("Score")
    event.deviceCustomNumber1=__safeToRoundedLong(score)
    # There is no asn column among the eleven tokens, so the original
    # deviceCustomNumber2=__oneOfLong(asn) mapping referenced an undefined token and is dropped.
    event.deviceCustomString1Label=__stringConstant("Sources")
    event.deviceCustomString1=__toLowerCase(producer)
    event.deviceCustomString2Label=__stringConstant("Reference")
    event.deviceCustomString2=altid
    event.deviceCustomString3Label=__stringConstant("Indicator Types")
    event.deviceCustomString3=indicatorType
    event.deviceCustomString4Label=__stringConstant("Related Data")
    event.deviceCustomString4=rdata
    event.deviceCustomString5Label=__stringConstant("Description")
    event.deviceCustomString5=description

    event.deviceProduct=__stringConstant("CIF")
    event.deviceVendor=__getVendor("Threat Intel")
    # The version is a fixed string, not a vendor lookup
    event.deviceVersion=__stringConstant("2.1")


    Thanks for the help.
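As an added check, not part of this thread or of the ArcSight tooling: a small Python lint for a FlexConnector properties file that flags the two kinds of defect a config like the one posted above can carry, a repeated key (only the last assignment survives in a properties file) and an event mapping that references a token never declared. The embedded config is a constructed excerpt, not the full posted file.

```python
import re

# Constructed excerpt modelled on the posted FlexConnector config (not the full file).
FLEX_CONFIG = """\
token.count=3
token[0].name=otype
token[0].type=String
token[1].name=observable
token[1].type=String
token[2].name=score
token[2].type=String
event.message=observable
event.fileHash=__ifTrueThenElse(__contains(otype,"md5"),observable,)
event.fileHash=__ifTrueThenElse(__contains(otype,"sha256"),observable,)
event.deviceCustomNumber2=__oneOfLong(asn)
event.deviceCustomNumber1=__safeToRoundedLong(score)
"""

# Bare identifiers in a mapping value; __functions start with '_' and are skipped by the
# first-character class, and the lookbehind rejects anything glued to a preceding word/dot.
IDENT = re.compile(r'(?<![\w.])([A-Za-z][A-Za-z0-9_]*)\b')

def parse_properties(text):
    """Java-properties style: skip blanks and #/! comments, split on the first '='."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs

def lint_flex(text):
    """Return a list of problem strings; an empty list means the config passed."""
    pairs = parse_properties(text)
    problems = []
    counts = {}
    for key, _ in pairs:
        counts[key] = counts.get(key, 0) + 1
    for key, n in counts.items():
        if n > 1:
            problems.append(f"duplicate key {key}: only the last of {n} assignments takes effect")
    tokens = {v for k, v in pairs if re.fullmatch(r"token\[\d+\]\.name", k)}
    declared = int(dict(pairs).get("token.count", "0"))
    if declared != len(tokens):
        problems.append(f"token.count={declared} but {len(tokens)} token names are defined")
    for key, value in pairs:
        if key.startswith("event."):
            stripped = re.sub(r'"[^"]*"', '""', value)  # drop string literals before scanning
            for name in IDENT.findall(stripped):
                if name not in tokens:
                    problems.append(f"{key} references undefined token '{name}'")
    return problems
```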