
L1-Threat Intelligence - Indicators and Warnings

This is the official forum for discussing the basic ArcSight Activate L1-Threat Intelligence - Indicators and Warnings package, as described in the Activate Wiki.

Version 1.1.0.0 TI: (L1-Threat_Intelligence_-_Indicators_and_Warnings_1.1.0.0.arb)

Modified Resources:

/All Rules/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings/Populate Suspicious Address List

--
Prentice S. Hayes
Principal Product Manager | Security Operations
OpenText 

LinkedIn: https://www.linkedin.com/in/prenticeshayes/
Website: https://www.opentext.com/

  • Hi Community,

    I've installed a STIX/TAXII server and tried polling for 1 specific collection. It's currently still running and it has been more than 1 hour now.

    1. Has anyone tried using STIX/TAXII polling? How long does it usually take to finish one collection?
    2. Is there a minimum spec requirement for the server? Does this affect the performance of the polling?

    Thanks! :) 


  • Actually, it depends on the data. Which collection are you trying to download? It was working normally when I was using it.


  • First of all, check agent.out.wrapper.log and search for "First event" lines. If you see something like "First event from [Threat Intel|CIF|..... ] received", it means the parsing is OK. Then check your destination settings on the connector and search the relevant logs on the ESM.

    If you don't see the "First event" message in the logs, you need to check if there is a parsing issue.

  • Hi Mr. Eugene,

    We used a regex flex script and it works. I don't know what the problem with the delimited flex script is.

    Thanks.


  • Hi Mr. Eugene and Community,

    Has anyone experienced this error?

    We are trying to poll on Hailataxii.com and the collection name is "EmergingThreats_rules".

    After a few minutes -> the polling stops -> then a CSV file is written to the output folder but has no entries -> then an error prompt appears (see screenshot below).

    error.png


    This is what the log file says:

    2018-12-12 10:39:12,586 : arcsight_stix_taxii : DEBUG : Error occurred while running client: list index out of range
    Traceback (most recent call last):
      File "c:\python27\lib\site-packages\arcsight_stix_taxii\client.py", line 837, in main
        related_objects=args.related_objects)
      File "c:\python27\lib\site-packages\arcsight_stix_taxii\client.py", line 206, in run_poll
        csvout.write(stix_object, **csv_row_options)
      File "c:\python27\lib\site-packages\arcsight_stix_taxii\storage\local.py", line 489, in write
        for otype, row in self.rows(stixobject, **kwargs):
      File "c:\python27\lib\site-packages\arcsight_stix_taxii\storage\local.py", line 359, in rows
        type_ = str(malware_instances.types[0])
      File "c:\python27\lib\site-packages\mixbox\typedlist.py", line 79, in __getitem__
        return self._inner.__getitem__(key)
    IndexError: list index out of range


    Thank you for the support! :)
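The traceback above ends at `malware_instances.types[0]`, which raises whenever a MalwareInstance in the feed carries no type. The following is an added illustration, not the ArcSight client's own code: a minimal stand-in for that row-building step that fails the same way, beside a guarded version that keeps exporting the remaining rows. The `MalwareInstance` dataclass and the sample feed entries are constructed for this example.

```python
"""Constructed illustration of the IndexError in the traceback above (not the
ArcSight client's own code): a STIX MalwareInstance with an empty ``types``
list makes ``types[0]`` raise, and a guarded version of the same row-building
logic that emits an empty type instead of aborting the whole poll."""
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Optional, Tuple


@dataclass
class MalwareInstance:
    """Minimal stand-in for the STIX 1.x MalwareInstance the client parses."""
    names: List[str] = field(default_factory=list)
    types: List[str] = field(default_factory=list)


def rows_unguarded(instances: List[MalwareInstance]) -> Iterator[Tuple[str, dict]]:
    """Mirrors the failing line in storage/local.py: assumes at least one type."""
    for mi in instances:
        type_ = str(mi.types[0])          # IndexError when types == []
        yield "malware", {"name": mi.names[0], "type": type_}


def rows_guarded(instances: List[MalwareInstance]) -> Iterator[Tuple[str, dict]]:
    """Same output for well-formed data, but tolerates missing names/types."""
    for mi in instances:
        type_ = str(mi.types[0]) if mi.types else ""
        name = str(mi.names[0]) if mi.names else ""
        if not name and not type_:
            continue                      # nothing usable to export; skip the row
        yield "malware", {"name": name, "type": type_}


# Constructed sample: one complete instance and one with no type, the
# shape that makes the unguarded writer abort and leave an empty CSV.
SAMPLE = [
    MalwareInstance(names=["Emotet"], types=["Trojan"]),
    MalwareInstance(names=["unknown-sample"], types=[]),
]


def poll_with(writer: Callable, instances=SAMPLE) -> Tuple[list, Optional[str]]:
    """Run a row builder over the sample; return (rows written, error or None)."""
    out = []
    try:
        for row in writer(instances):
            out.append(row)
    except IndexError as exc:
        return out, str(exc)
    return out, None


if __name__ == "__main__":
    for fn in (rows_unguarded, rows_guarded):
        rows, err = poll_with(fn)
        print(fn.__name__, "->", len(rows), "rows, error:", err)
```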

  • Hi Josh,

    What version of the client do you use?

    arcsight-taxii-client -v


    Thanks,

    Bart

  • First, it's mr_ergene, not eugene :D

    I can poll the feed using the following command (limited the data to 7 days and enabled the debug option on the command):

    arcsight-taxii-client hailataxii.com /taxii-discovery-service --no-https --auto --auth basic --username guest --poll guest.EmergineThreats_rules --days 7 --output /tmp/ --debug

    My client version is 1.1.3

  • Hello mr_ergene,

    Just to let you know, you are polling the collection guest.EmergineThreats_rules and Josh is polling guest.EmergingThreats_rules

    Both are valid on hailataxii, but I don't know if both collections are the same.

    When I poll both collections using --days 356, I don't receive any data. Can you confirm whether this collection is empty, since you are using --days 7?

    thanks


  • Lol, both collections don't have any data for the last year. Probably those collections are not being maintained and have dirty data.

  • Ok thanks.

    According to hailataxii.com the last update was on Fri May 25 15:18:06 2018 UTC. I checked guest.Abuse_CH and this collection is still up to date.

    The latest version of the ArcSight STIX/TAXII client (v 2.0.0) will have a fix for the error you have.

    The ArcSight STIX/TAXII version 2 will soon be available, and will also support STIX/TAXII 2.x.


  • Hi Bart and Mr. Ergene <sorry for the typo :D>, 

    I am using client v1.3. I tried to update it to the latest version using the command in the guide. I think this is the latest available version.

    I tried to poll both emerging and emergine and both seem to prompt an error. I tried to poll for 7 days; it finished with no error but had no entries. You have mentioned that for the last 365 days it is empty, which means it would be pointless for me to poll the last 365 days. I'll just schedule it to run daily.

    I polled the other collections and they finished with no errors (Abuse_ch, CyberCrime_Tracker, MalwareDomainList_Hostlist, dshield_Blocklist).

    Are there other websites we can poll from with the arcsight-taxii-client other than hailataxii.com? You have mentioned that some collections are not maintained; is it reliable? What other sites can you refer us to?


    Thank you for the support guys! :)

  • Following is a list of some TI feeds I can recommend:

    abuse.ch
    alienvault OTX
    MISP feeds
    IBM X-force
