

Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable if you use the right ones. While these collections are plentiful, some are better than others, and being an actively updated database doesn't guarantee that it is a highly reliable or detailed one either, as some of the best online haven't necessarily been updated in a few months. This list is meant to cover free and open source security feed options; a share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. We will try to keep our own tally of some of the better open source threat intelligence feeds, regularly updating it with new feeds and more details about each one.

After playing with Soltra Edge I figured this would be a good next step: to see if Anomali STAXX could be integrated with RSA NetWitness Suite. Anomali STAXX is the free version of the Anomali Threatstream threat intel platform. We already have an integration posted for the full package, but what if users wanted to leverage the free version?

After setting up the VM (2.6 as of this writing, auto-updated to 3.0 and still working), the next step was adding TAXII sources of threat data to see how the pipeline worked. Registering for AlienVault OTX and IBM X-Force, along with a few other sources of data, allowed me to subscribe and test out the TAXII integration.

First problem: this being the free version, STAXX can apparently only be used as a TAXII client and not as a server, so I cannot leverage the upcoming TAXII client functions of NW11 to pull from STAXX with TAXII (and 10.6 doesn't provide TAXII). Next step, let's see if we can pull that data out of Anomali and into NetWitness Suite. So a script was needed; with a little help from the Anomali community I was able to come up with a functioning script that pulls a filtered set of data out of STAXX and outputs a CSV for use as a feed in RSA NetWitness.

This was a good time to add a few more metakeys that could be useful specifically with threat intel data, to bring more context to events. These metakeys were added to index-concentrator-custom.xml. Then the feed was created with the recurring option, polling the CSV (either hosted locally on the web root directory or on a remote server).

The filter in the script looks for the following criteria, to reduce the data brought in to just what is required and relevant:

Query = "(severity=medium OR severity=high OR severity=very-high) AND itype='mal_ip'"

The query can be updated to include whichever indicators are relevant to you. Now create the script and map the fields that are relevant to metakeys. This is the mapping that was used in this example. Once you have some test logs or packets to trigger the events and confirm that the pipeline works, you should get some meta like this.

Now that we have data, we can push the feed to all the decoders and log decoders in the environment (using service groups helps keep everything in sync).

Update your timing for the queries in STAXX so that you get the latest data while staying within any API query limits on your data sources, as well as the script that pulls the indicators, which should be put in a crontab to schedule the pull, and the schedule on which NetWitness pulls that CSV:

2 4 * * * /root/nw-scripts/rsa-anomali-staxx-script/anomali-staxx.py > /var/www/html/anomalistaxxfeed.csv

Hopefully this helps show how these platforms can be linked to consolidate threat data and bring a consolidated feed into RSA NetWitness for alerting and enrichment.
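As an added example (not the post's script and not Anomali's code), here is the filter-and-CSV step of that pipeline in Python: it takes the JSON an indicator export might return, applies the same severity/itype criteria as the query above, keeps one row per IP, and writes the columns in the fixed order that the feed definition maps to metakeys. The record field names in the constructed sample and the header-less, column-by-position feed format are assumptions.

```python
import csv
import io
import json

# Constructed sample of an indicator export; the field names (value, itype, severity,
# confidence, source, tags) are assumptions about the STAXX output, not Anomali's
# documented schema. Addresses come from documentation ranges.
SAMPLE_JSON = json.dumps({"objects": [
    {"value": "203.0.113.10", "itype": "mal_ip", "severity": "high", "confidence": 80, "source": "Feed A", "tags": ["botnet"]},
    {"value": "198.51.100.7", "itype": "mal_ip", "severity": "low", "confidence": 40, "source": "Feed A", "tags": []},
    {"value": "evil.example", "itype": "mal_domain", "severity": "very-high", "confidence": 90, "source": "Feed A", "tags": ["c2"]},
    {"value": "203.0.113.11", "itype": "mal_ip", "severity": "very-high", "confidence": 95, "source": "Feed B", "tags": ["ransomware", "c2"]},
    {"value": "203.0.113.10", "itype": "mal_ip", "severity": "medium", "confidence": 60, "source": "Feed B", "tags": []},
]})

SEVERITY_RANK = {"medium": 1, "high": 2, "very-high": 3}  # the severities the query accepts
WANTED_ITYPE = "mal_ip"
COLUMNS = ["ip", "severity", "confidence", "itype", "source", "tags"]  # order mapped in the feed wizard

def matches(ind):
    """(severity=medium OR severity=high OR severity=very-high) AND itype='mal_ip'"""
    return ind.get("itype") == WANTED_ITYPE and ind.get("severity") in SEVERITY_RANK

def select_indicators(payload_json):
    """Keep matching indicators, one row per IP; when an IP repeats, the higher severity wins."""
    rows = {}
    for ind in json.loads(payload_json).get("objects", []):
        if not matches(ind):
            continue
        row = {"ip": ind["value"], "severity": ind["severity"], "confidence": ind.get("confidence", ""),
               "itype": ind["itype"], "source": ind.get("source", ""),
               "tags": ";".join(ind.get("tags", []))}  # ';' keeps the tag list inside one CSV column
        old = rows.get(row["ip"])
        if old is None or SEVERITY_RANK[row["severity"]] > SEVERITY_RANK[old["severity"]]:
            rows[row["ip"]] = row
    return list(rows.values())

def to_feed_csv(rows):
    """Render rows without a header: the feed definition maps columns by position (assumption)."""
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n").writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_feed_csv(select_indicators(SAMPLE_JSON)), end="")  # cron redirects this to the CSV
```

Writing to a temporary file and renaming it into place, rather than redirecting straight onto the served CSV, avoids the recurring feed polling a half-written or empty file if the script dies mid-run.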
