prentice@hpe.co Honored Contributor.

L1-Threat Intelligence - Indicators and Warnings

This is the official forum for discussing the basic ArcSight Activate L1-Threat Intelligence - Indicators and Warnings package, as described in the Activate Wiki.

Version 1.1.0.0 TI: (L1-Threat_Intelligence_-_Indicators_and_Warnings_1.1.0.0.arb)

Modified Resources:

/All Rules/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings/Populate Suspicious Address List

51 Replies
mike_of_many Trusted Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Commenting here to mirror my issue on github.

When I tried to use the latest 1.1 install of this package, I got errors for the Active List capacity.

Locally, I modified the following values from 1500000 to 1000000 and it worked.

Expanding the Suspect Address and another suspect list have these increased values.

ejsimon Super Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

I tried the 1.3 version on both ESM 6.8 patch 4 and ESM 7.0 patch 2 and received the same error about Active list too large.  

How did you modify the following values from 1500000 to 1000000 for the Active Lists without being able to install it?

Thanks,

Eric

Micro Focus Contributor

Re: L1-Threat Intelligence - Indicators and Warnings

Before installing TI 1.3, please update the server.properties file with the below line :

#Increase the active list maximum capacity
activelist.max_capacity=1500000

Thanks,

Teju
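
As an added pre-install check (example code written for this thread, not from ArcSight or from any poster), the following Python parses a Java-style server.properties file and verifies the activelist.max_capacity line Teju's post calls for, rewriting or appending it when it is missing or too low. The sample file contents are constructed; the 1,500,000 threshold and the two appended lines come from the thread.

```python
"""Pre-install check for the ESM activelist.max_capacity setting.

Added example for this thread (not ArcSight code). Parses a Java-style
server.properties file, reports whether activelist.max_capacity is large
enough for the TI package's Active Lists, and can rewrite the file text
so that it is. All sample file contents below are constructed.
"""
import re

# Capacity the thread says the package's Active Lists require.
REQUIRED_CAPACITY = 1_500_000
CAPACITY_KEY = "activelist.max_capacity"

# Constructed sample of a server.properties fragment (keys are illustrative).
SAMPLE_PROPERTIES = """\
# ESM server.properties (constructed sample)
example.setting=value
! '!' lines are comments too
activelist.max_capacity=1000000
"""

# key, optional '=' or ':' (or just whitespace), value
_KEY_VALUE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse a Java-style properties file into a dict (last value wins).

    Handles '#' and '!' comment lines, '=', ':' and whitespace separators,
    and backslash line continuations.
    """
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        i += 1
        if not stripped or stripped[0] in "#!":
            continue
        while stripped.endswith("\\") and i < len(lines):
            stripped = stripped[:-1] + lines[i].strip()
            i += 1
        m = _KEY_VALUE.match(stripped)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_capacity(text, required=REQUIRED_CAPACITY):
    """Return (status, current): status is 'ok', 'too_low', 'missing' or 'invalid'."""
    value = parse_properties(text).get(CAPACITY_KEY)
    if value is None:
        return ("missing", None)
    try:
        current = int(value)
    except ValueError:
        return ("invalid", None)
    return ("ok" if current >= required else "too_low", current)


def ensure_capacity(text, required=REQUIRED_CAPACITY):
    """Return the properties text with activelist.max_capacity >= required.

    Rewrites the last non-comment setting line in place; if the key is
    absent, appends the two lines quoted in the thread. Unchanged text is
    returned as-is, so the call is idempotent.
    """
    status, _ = check_capacity(text, required)
    if status == "ok":
        return text
    lines = text.splitlines()
    key_line = re.compile(rf"^{re.escape(CAPACITY_KEY)}(\s*[=:]|\s|$)")
    for idx in range(len(lines) - 1, -1, -1):
        stripped = lines[idx].strip()
        if stripped and stripped[0] not in "#!" and key_line.match(stripped):
            lines[idx] = f"{CAPACITY_KEY}={required}"
            break
    else:
        lines.append("#Increase the active list maximum capacity")
        lines.append(f"{CAPACITY_KEY}={required}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", check_capacity(SAMPLE_PROPERTIES))
    fixed = ensure_capacity(SAMPLE_PROPERTIES)
    print("after: ", check_capacity(fixed))
    print(fixed)
```

Run it against a copy of the real file before importing the .arb; a status other than ok means the package's Active Lists will exceed the configured maximum and the import will fail as reported above.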

Micro Focus Contributor

Re: L1-Threat Intelligence - Indicators and Warnings

Hi Mike,

Before installing TI 1.1, was the server.properties file updated with the below line?

#Increase the active list maximum capacity
activelist.max_capacity=1500000

Thanks,

Teju

mike_of_many Trusted Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Teju,

No. If that direction was in the instructions, it was not changed from the defaults, as this was, but for the sorting property, a straight-up new install.

john.robinson21 Honored Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Unable to install Whois from initial command.  Anyone else have this error?

Configuring Net-Abuse-Utils-0.24 ... OK
==> Found dependencies: Net::Whois::IP
--> Working on Net::Whois::IP
Fetching https://cpan.metacpan.org/authors/id/B/BS/BSCHMITZ/Net-Whois-IP-1.19.tar.gz ... OK
Configuring Net-Whois-IP-1.19 ... OK
Building and testing Net-Whois-IP-1.19 ... FAIL
! Installing Net::Whois::IP failed. See /home/cifuser/.cpanm/work/1489079713.3373/build.log for details. Retry with --force to force install it.
! Installing the dependencies failed: Module 'Net::Whois::IP' is not installed
! Bailing out the installation for Net-Abuse-Utils-0.24.

john.robinson21 Honored Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Also, what OS is required? The text states Ubuntu 14 TLS but I cannot find that download. Do you mean LTS?

prentice@hpe.co Honored Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Hey ​,

I would guess that this is a typo. I didn't write this, you would need to check with ​, ​, or ​. It might also be from the CIF documentation.

Hope this helps,

--

Prentice

gboitano1 Valued Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

John,

I'm so sorry...that is indeed a typo. It's LTS. If you have any questions or hit any snags, feel free to contact me directly.

George

gboitano@semplicityinc.com

john.robinson21 Honored Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Thanks George,

Just sent you an email.

Ran into some issues when installing the CIF server. It appears the Net::Whois::IP failed to install, which caused the entire install to quit. I tried running the second command but got a "cannot access – no such file or directory".

rtoni1 Outstanding Contributor.

Re: L1-Threat Intelligence - Indicators and Warnings

Hi all,

Just starting to try this package with limited success. It seems the events are feeding upstream but are not parsing correctly. I suspect our source CSV output file(s) from the CIF may be messed up. Is there a working example of a known good CSV file that we can use as a sanity check / model?

BTW, the config screencap (config.png) in the wiki instructions at Step 5 does not appear to be available.....? 

Any feedback appreciated

Thanks.....
