
Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

When we met at Protect in September, you were pretty clear that adding STIX/TAXII support to the Activate Threat Intelligence package should be a priority. Today, we are happy to announce the first release of this support, enabling you to take advantage of the Activate Threat Intelligence use cases by integrating your STIX/TAXII server of choice.

Here are the highlights of the current release:

  • Configure the new Activate STIX/TAXII script to point to any STIX 1.2/TAXII 1.1 compliant TAXII server. We tested with “hail a taxi”, Anomali Limo, and AlienVault OTX.
  • The STIX/TAXII script populates the existing Activate Threat Intelligence Active Lists with all of the STIX Indicators in all the TAXII Collections at that server.
  • The Activate Threat Intelligence Use Cases work exactly as before, without any change.

Upcoming releases will focus on at least the following big items:

  • Extend support to more advanced objects in the STIX model, in particular Campaigns, Threat Actors, and TTPs. With the fuller STIX model inside ESM, we can give analysts this richer context to work with when conducting alert triage.
  • Enable bi-directional sharing of threat intelligence by allowing the push of STIX objects to the TAXII server.

As a community-driven effort, we value your feedback and contributions to improve our STIX/TAXII support in ArcSight.

Start your exploration of the latest Activate Threat Intelligence solution here.

Ramesh2 (Contributor)

Re: Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

Can someone please provide the script for Anomali Limo, password is not being accepted by the python client.

C:\arcsight-taxii-client limo.anomali.com /api/v1/taxii/taxii-discovery-service/ --auto --auth basic --username guest --password guest --poll Malware_Domain_List___Hotlist_F200 --begin 2018-05-01 --end 2018-07-08 --output E:\Logs

usage: arcsight-taxii-client [-h] [--port PORT]
                             [--discover | --collection | --poll POLL | --stix-file STIX_FILE]
                             [--begin BEGIN] [--end END]
                             [--today | --days DAYS | --hours HOURS]
                             [--no-https] [--proxy PROXY] [--auth {basic}]
                             [-u USERNAME] [-p] [--key-file KEY_FILE]
                             [--cert-file CERT_FILE]
                             [--itype ITYPE | --use-ttp USE_TTP]
                             [--producer PRODUCER] [--score SCORE]
                             [--confidence {low,medium,high}]
                             [--tlp-color {white,green,amber,red}]
                             [--group GROUP] [--relevance RELEVANCE]
                             [--reference REFERENCE]
                             [--reference_tlp {white,green,amber,red}]
                             [--conf CONF] [--output OUTPUT] [--log LOG]
                             [--auto] [--memory] [--us-cert] [--active-list]
                             [--cifv2] [--create-config CREATE_CONFIG]
                             [--silent | --debug] [-s {stixtaxii,cifv2}] [-v]
                             [hostname] [path]
arcsight-taxii-client: error: unrecognized arguments: guest

Stephen Kreusch (Respected Contributor)

Re: Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

Instead of:

C:\arcsight-taxii-client limo.anomali.com /api/v1/taxii/taxii-discovery-service/ --auto --auth basic --username guest --password guest --poll Malware_Domain_List___Hotlist_F200 --begin 2018-05-01 --end 2018-07-08 --output E:\Logs

Try:

C:\arcsight-taxii-client limo.anomali.com /api/v1/taxii/taxii-discovery-service/ --auto --auth basic --username guest --password --poll Malware_Domain_List___Hotlist_F200 --begin 2018-05-01 --end 2018-07-08 --output E:\Logs

arcsight-taxii-client does not accept the password on the command line. The second version will prompt you for the password.

If this works, then you can create a config file using --create-config, edit the config file and input the password, then use the config file with arcsight-taxii-client --conf.

Regards

Stephen

nicholas.hernic (Frequent Contributor)

Re: Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

Stephen, a question from someone related to your discussions:

"I did as Stephen instructed below; it works when doing it manually in the CLI after the password prompt.

The issue comes when using the config file. Got the following error:

2018-08-08 11:53:07,331 : arcsight_stix_taxii : INFO : Writing configuration file to: anomali.conf
2018-08-08 11:53:42,930 : arcsight_stix_taxii : INFO : Using configuration file.
2018-08-08 11:53:42,931 : arcsight_stix_taxii : CRITICAL : Error occurred while running client, see log file for debug information
2018-08-08 11:53:42,931 : arcsight_stix_taxii : DEBUG : Error occurred while running client: 'list' object has no attribute 'split'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/arcsight_stix_taxii/client.py", line 734, in main
    begin_date=begin_date, end_date=end_date)
  File "/usr/lib/python2.7/site-packages/arcsight_stix_taxii/client.py", line 287, in read_config
    collections = collections.split(',')
AttributeError: 'list' object has no attribute 'split'

Attached is the config file created. Can you check with him what could be the issue?

Thanks

Orson"

nicholas.hernic (Frequent Contributor)

Re: Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

Here is the related config file that was created and has the issue:

[app]
us-cert = False
memory = False
cleanup = True

[server]
hostname = limo.anomali.com
port = None
path = /api/v1/taxii/taxii-discovery-service/
https = True
auth_type = basic
username = guest
password = guest
collections = Malware_Domain_List___Hotlist_F200
auto = True
proxy = None
begin_date = 2018-08-01
end_date = 2018-08-08

[csv]
order = otype,observable,itype,firstdetecttime,lastdetecttime,score,confidence,source,relevance,description_or_title,reference
datetime_format = %Y-%m-%d %H:%M:%S %z
output = /opt/arcsight/stix_taxii/
itype = suspicious
ttp_option = type
score = 50
confidence = low
tlp_color = white
group = everyone
relevance =
reference =
reference_tlp = white
activelist = False
cifv2 = False
campaigns = False
related_objects = False

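An added example, not part of this thread and not the arcsight-taxii-client's own code: a small Python 3 reader for the [server] section of the config file posted above. It normalizes `collections` to a list whether the value arrives as a comma-separated string from the file or as an already-split list, which is the type confusion behind the `'list' object has no attribute 'split'` traceback in the previous reply, and it falls back to an interactive prompt when the file carries no password. `SAMPLE_CONFIG`, `normalize_collections` and `read_server_config` are constructed here.

```python
import configparser

# Constructed sample: the [server] section of the config file posted above.
SAMPLE_CONFIG = """\
[server]
hostname = limo.anomali.com
port = None
path = /api/v1/taxii/taxii-discovery-service/
https = True
auth_type = basic
username = guest
password = guest
collections = Malware_Domain_List___Hotlist_F200
auto = True
"""


def normalize_collections(value):
    """Return a list of collection names whether `value` is a comma-separated
    string (as read from the config file) or already a list (as a parsed
    command line would hand over). Calling .split() unconditionally on a
    list is the "'list' object has no attribute 'split'" failure in the thread."""
    if value is None:
        return []
    items = value if isinstance(value, (list, tuple)) else value.split(",")
    return [item.strip() for item in items if item.strip()]


def read_server_config(text, password_prompt=None):
    """Parse the [server] section. `password_prompt` (e.g. getpass.getpass)
    is only called when the file has no password, so the secret does not
    have to be stored in the config file at all."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    srv = parser["server"]
    port = srv.get("port", fallback="")
    password = srv.get("password", fallback="")
    if not password and password_prompt is not None:
        password = password_prompt()
    return {
        "hostname": srv["hostname"],
        # configparser returns the literal string "None"; treat it as unset.
        "port": None if port.strip() in ("", "None") else int(port),
        "path": srv["path"],
        "https": srv.getboolean("https", fallback=True),
        "auth_type": srv.get("auth_type", fallback="basic"),
        "username": srv.get("username", fallback=""),
        "password": password,
        "collections": normalize_collections(srv.get("collections")),
    }
```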

Stephen Kreusch (Respected Contributor)

Re: Announcing STIX/TAXII Support in the Activate Threat Intelligence Solution

Yes, this is the same error I'm experiencing, and posted about yesterday at https://community.softwaregrp.com/t5/ArcSight-User-Discussions/arcsight-taxii-client-Python-error-AttributeError-list-object/m-p/1660462

I also opened a Service Request regarding this, SD02257003.

I'll post any feedback I get from Support.