robert.mustard

stix and taxii integrations

From the Threat Intel marketplace - https://marketplace.microfocus.com/arcsight/content/l1-threat-intelligence

It links to a solution for stix and taxii integration - https://sec.microfocus.com/foswiki/pub/ArcSightActivate/L1ThreatIntelligence/STIX-TAXII_Install_and_Configure_for_ArcSight.pdf

It references installing from arcsight_stix_taxii.zip

I might be missing something simple, but I am not seeing reference as to where this package can be obtained.

Has anyone gone through this solution? I am not finding this one talked about on protect, but it does link from an official marketplace article.

 

I have looked around the web and protect and found reference to another similar solution that I will also investigate, but wondering if I am missing something from the above.

Other solution found elsewhere on protect as well.

https://github.com/kissotdragon/stix_ArcSight

 

Accepted Solution
Micro Focus Frequent Contributor

Re: stix and taxii integrations

Hi Robert,

The client and documentation can be found here: https://sec.microfocus.com/foswiki/bin/view/ArcSightActivate/L1ThreatIntelligence

Direct link to the Documentation: https://sec.microfocus.com/foswiki/pub/ArcSightActivate/L1ThreatIntelligence/STIX-TAXII_Install_and_Configure_for_ArcSight.pdf 

And the Client: https://sec.microfocus.com/foswiki/pub/ArcSightActivate/L1ThreatIntelligence/arcsight_stix_taxii.zip

The STIX/TAXII client can be installed with pip; the installation instructions and how to use it are in the documentation. Please let me know if you have any issues installing or using the client.

This client is for STIX/TAXII v1.1 (please let me know if you need v2).

 

Best Regards,

Bart

robert.mustard

Re: stix and taxii integrations

Thank you Bart

That direct link to the client is what I was missing, and after fixing up a missing dependency with python subprocess, I was able to install it ok.

Anson89

Re: stix and taxii integrations

Hi Bart,

Would you be able to share the client that supports STIX/TAXII v2.0?

Thank you.

 

Micro Focus Frequent Contributor

Re: stix and taxii integrations

Hello,

Please send an email to arcsightmarketplace@microfocus.com

 

Thanks,

Bart

JonKo

Re: stix and taxii integrations

Hi there,

I was wondering if I could get a copy of V2 please?

What are the new features with the latest version?

Has anyone had any luck with MISP to ArcSight ESM integration?

Many thanks in advance.

Micro Focus Frequent Contributor

Re: stix and taxii integrations

Hello @JonKo ,

Version 2 supports STIX/TAXII v2; v2 will translate the patterns to indicators.

Please send an email to arcsightmarketplace@microfocus.com if you need version 2.

We are currently developing a Model Import Connector and a Threat Intelligence package for MISP which will be part of the default content.

JonKo

Re: stix and taxii integrations

Thank you for the quick response.

That sounds like excellent news. Is there any timeframe on when the MISP package will be coming out?
JonKo

Re: stix and taxii integrations

Hi @Bart Otten,

Do you guys have any samples of connecting to the limo service provided by Anomali by any chance, please?

I keep on getting errors trying both TAXII V1.0 and 2.0.

 

If anyone else might have answers, I will appreciate it.

Thanks!

Micro Focus Frequent Contributor

Re: stix and taxii integrations

Hi @JonKo ,

Can you please share the error message?

 

Thanks,

Bart Otten

JonKo

Re: stix and taxii integrations

Hi @Bart Otten,

Thank you for the quick response. Please see below. I use the correct username/password combo. I keep getting the "401 Client Error: UNAUTHORIZED for url:" using that syntax.

For V1.0 I keep getting resolving errors, which I will look into more.

 

misp@misp:~$ arcsight-taxii-client2 --url https://limo.anomali.com/taxii/ --auth basic --username guest --password --collections
Password:
2019-07-19 18:08:17,567 : CRITICAL : Error occurred while running client, see log file for debug information
misp@misp:~$ tail arcsight_stix_taxii.log
self._ensure_loaded()
File "/home/misp/.local/lib/python3.6/site-packages/taxii2client/__init__.py", line 824, in _ensure_loaded
self.refresh()
File "/home/misp/.local/lib/python3.6/site-packages/taxii2client/__init__.py", line 858, in refresh
response = self.__raw = self._conn.get(self.url)
File "/home/misp/.local/lib/python3.6/site-packages/taxii2client/__init__.py", line 941, in get
resp.raise_for_status()
File "/home/misp/.local/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: https://limo.anomali.com/api/v1/taxii2/taxii/
misp@misp:~$

Micro Focus Frequent Contributor

Re: stix and taxii integrations

Hi @JonKo ,

Please try:

arcsight-taxii-client2 --url https://limo.anomali.com/api/v1/taxii2/taxii/ --auth basic --username guest --password --collections

Looks like https://limo.anomali.com/taxii/ redirects you to https://limo.anomali.com/api/v1/taxii2/taxii/; will take a look and see if we can modify this.

 

Thanks,

JonKo

Re: stix and taxii integrations

Hi @Bart Otten,

Thank you!!! That worked very well, until...

misp@misp:~$ arcsight-taxii-client2 --url https://limo.anomali.com/api/v1/taxii2/taxii/ --auth basic --username guest --password --collection CyberCrime --output /home/misp/stix_taxii/ --active-list
Password:
2019-07-19 18:43:03,651 : INFO : Downloading collection: CyberCrime
2019-07-19 18:43:03,652 : INFO : Writing CSV files in Activate Threat Intelligence Active Lists Format
2019-07-19 18:43:03,656 : INFO : Writing data to : /home/misp/stix_taxii/suspicious_entities_0w3ay446.csv
2019-07-19 18:43:03,658 : INFO : Writing data to : /home/misp/stix_taxii/suspicious_addresses_3cxkuewb.csv
2019-07-19 18:43:07,815 : CRITICAL : Error occurred while running client, see log file for debug information
misp@misp:~$ tail arcsight_stix_taxii.log
for stix_object in STIXClient2(taxii.get_collection(collection)).get_indicators():
File "/home/misp/.local/lib/python3.6/site-packages/arcsight_stix_taxii/clients/stix_client2.py", line 110, in get_indicators
for related_to in self._collection_source.related_to(indicator, source_only=True):
File "/home/misp/.local/lib/python3.6/site-packages/stix2/datastore/__init__.py", line 396, in related_to
rels = self.relationships(obj, relationship_type, source_only, target_only)
File "/home/misp/.local/lib/python3.6/site-packages/stix2/datastore/__init__.py", line 366, in relationships
results.extend(self.query(filters + [Filter('source_ref', '=', obj_id)]))
File "/home/misp/.local/lib/python3.6/site-packages/stix2/datastore/taxii.py", line 290, in query
all_data = self.collection.get_objects(**taxii_filters_dict)['objects']
KeyError: 'objects'
misp@misp:~$

 

I am going to try a different collection to see if that makes any difference.

Micro Focus Frequent Contributor

Re: stix and taxii integrations

Hi @JonKo ,

Looks like this is a bug, will look into this and post an update here.

Thanks!

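Added example for the failure in the trace above (this is illustration code written for this thread, not the arcsight_stix_taxii client and not the stix2 or taxii2client libraries): a standard-library-only routine that takes a TAXII 2.0 collection response, treats a missing "objects" member as an empty result instead of indexing it with `['objects']`, and expands each indicator's STIX 2 pattern into rows for the two list types the client was writing. The bundle contents, the bucket mapping by STIX object type and the CSV columns are constructed assumptions, not the Activate Threat Intelligence active-list format.

```python
"""Tolerant parsing of a TAXII 2.0 collection response into address/entity rows.

Illustration only: not the arcsight_stix_taxii client or the stix2/taxii2client
libraries. Standard library only, constructed sample data, runs offline.
"""
import csv
import io
import json
import re
from typing import Dict, List, Tuple

# Constructed TAXII 2.0 bundle, shaped like GET .../collections/<id>/objects/.
# Values are documentation-range examples, not real indicators.
SAMPLE_RESPONSE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-0000000000aa",
         "labels": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "valid_from": "2019-07-19T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-0000000000ab",
         "labels": ["malicious-activity"],
         "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']",
         "valid_from": "2019-07-19T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-0000000000ac",
         "labels": ["malicious-activity"],
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2019-07-19T00:00:00Z"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-0000000000ad",
         "name": "constructed-sample", "labels": ["trojan"]},
    ],
})

# Constructed response for a query that matched nothing. A TAXII 2.0 server may
# omit the "objects" member entirely; response["objects"] then raises KeyError,
# which is the failure shown in the thread.
EMPTY_RESPONSE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000002",
    "spec_version": "2.0",
})

# One STIX 2 comparison expression: <object-type>:<property path> = '<value>'.
# Property paths may contain quoted keys such as hashes.'SHA-256'; values may
# contain backslash-escaped quotes.
COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

# Assumed bucketing into the two CSV targets named in the thread's log output.
BUCKET_BY_TYPE = {
    "ipv4-addr": "suspicious_addresses",
    "ipv6-addr": "suspicious_addresses",
    "domain-name": "suspicious_entities",
    "url": "suspicious_entities",
    "email-addr": "suspicious_entities",
    "file": "suspicious_entities",
}


def objects_from_response(body: str) -> List[dict]:
    """Return the STIX objects in a TAXII 2.0 response, or [] when none were sent."""
    data = json.loads(body)
    objects = data.get("objects", [])  # absent member == empty collection
    if not isinstance(objects, list):
        raise ValueError("'objects' is present but is not a list")
    return objects


def indicator_rows(objects: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Expand every indicator pattern into (stix_type, value, indicator_id) rows per bucket."""
    rows: Dict[str, List[Tuple[str, str, str]]] = {b: [] for b in set(BUCKET_BY_TYPE.values())}
    for obj in objects:
        if obj.get("type") != "indicator" or not isinstance(obj.get("pattern"), str):
            continue  # relationships, malware objects, malformed entries
        for stix_type, _path, value in COMPARISON.findall(obj["pattern"]):
            bucket = BUCKET_BY_TYPE.get(stix_type)
            if bucket is None:
                continue  # e.g. process or x509 comparisons have no list target here
            rows[bucket].append((stix_type, value.replace("\\'", "'"), obj.get("id", "")))
    return rows


def to_csv(rows: List[Tuple[str, str, str]]) -> str:
    """Render one bucket as CSV text (assumed column layout)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["stix_type", "value", "indicator_id"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for name, body in (("populated", SAMPLE_RESPONSE), ("empty", EMPTY_RESPONSE)):
        buckets = indicator_rows(objects_from_response(body))
        for bucket, bucket_rows in sorted(buckets.items()):
            print(f"== {name}: {bucket} ({len(bucket_rows)} rows)")
            print(to_csv(bucket_rows), end="")
```

Running the module prints both buckets for the populated bundle and header-only CSVs for the empty one; the point is that an empty or sparse collection yields zero rows rather than an exception, and that a single indicator with an OR pattern produces one row per value.
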
JonKo

Re: stix and taxii integrations

@Bart Otten, thank you for your help. Looking forward to seeing a solution.

The limo service seems to be a lot more up-to-date than the hailataxii one. So would be very useful to get it working.

Thanks again.

Jon 
