This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L1-Threat Intelligence - Indicators and Warnings

This is the official forum for discussing the basic ArcSight Activate L1-Threat Intelligence - Indicators and Warnings package, as described in the Activate Wiki.

Version 1.1.0.0 TI: (L1-Threat_Intelligence_-_Indicators_and_Warnings_1.1.0.0.arb)

Modified Resources:

/All Rules/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings/Populate Suspicious Address List

--
Prentice S. Hayes
Principal Product Manager | Security Operations
OpenText Cybersecurity

LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

Website: https://www.opentext.com/

  • 0

    Commenting here to mirror my issue on github.

    When I Tried to use the latest 1.1 install of this package and getting errors for the Active List Capacity.

    Locally, I modified the following values from 1500000 to 1000000 and it worked.

    Expanding the Suspect Address and another suspect list have these increased values.

  • 0  

    Hi Mike,

        Before installing TI 1.1, was the server.properties file updated with the below line?

    #Increase the active list maximum capacity
    activelist.max_capacity=1500000

    Thanks,

    Teju

  • 0

    Teju,

    No, If that direction was in the instructions it was not changed from the defaults as this was but for the sorting property a straight up new install.

  • 0

    Unable to install Whois from initial command.  Anyone else have this error?

    Configuring Net-Abuse-Utils-0.24 ... OK

    ==> Found dependencies: Net::Whois::IP

    --> Working on Net::Whois::IP

    Fetching https://cpan.metacpan.org/authors/id/B/BS/BSCHMITZ/Net-Whois-IP-1.19.tar.gz ... OK

    Configuring Net-Whois-IP-1.19 ... OK

    Building and testing Net-Whois-IP-1.19 ... FAIL

    ! Installing Net::Whois::IP failed. See /home/cifuser/.cpanm/work/1489079713.3373/build.log for details. Retry with --force to force install it.

    ! Installing the dependencies failed: Module 'Net::Whois::IP' is not installed

    ! Bailing out the installation for Net-Abuse-Utils-0.24.

  • 0

    Also what OS is required?  The text stats Ubuntu 14 TLS but i cannot find that download. Do you mean LTS?​

  • 0  

    Hey ​,

    I would guess that this is a typo. I didn't write this, you would need to check with ​, ​, or ​. It might also be from the CIF documentation.

    Hope this helps,

    --

    Prentice

    --
    Prentice S. Hayes
    Principal Product Manager | Security Operations
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/

  • 0

    John,

    I'm so sorry...that is indeed a typo. It's LTS. If you have any questions or hit any snags, feel free to contact me directly.

    George

    gboitano@semplicityinc.com

  • 0

    Thanks George,

    Just sent you an email.

    Ran into some issues when installing the CIF server.  It appears the Net::Whois::IP failed to install which caused the entire install to quit.  I tried running the second command but got an cannot access – no such file or directory.

  • 0

    Hi all,

    Just starting to try this package with limited success.  It seems the events are feeding upstream but are not parsing correctly. I suspect our source CSV output file(s) from the CIF may be messed up.  Is there a working example of a known good CSV file that we can use as a sanity check / model? 

    BTW, the config screencap (config.png) in the wiki instructions at Step 5 does not appear to be available.....? 

    Any feedback appreciated

    Thanks.....

  • 0

    Hi Randy,

    I attached the sample CSV file in the wiki instruction at Step5. Please let me know if you need more info.

    Thanks,

    Dat