Anomali STAXX is the free version of the Anomali Threatstream threat intel platform.
After playing with Soltra Edge I figured this would be a good next step to see if it could be integrated with RSA NetWitness Suite. We already have an integration posted for the full package but what if users wanted to leverage the free version?
After setting up the VM (2.6 as of this writing auto-updated to 3.0 and still working) the next step was adding TAXII sources of threat data to see how the pipeline worked.
Registering for Alienvault OTX and IBM X-Force along with a few other sources of data allowed me to subscribe and test out the TAXII integration
Now I had data in Anomali STAXX
which i could dig into a see the details
Next step, lets see if we can pull that data out of Anomali and into NetWitness Suite.
First problem, this being the free version apparently STAXX can only be used as a TAXII client and not a server so i cannot leverage the upcoming TAXII client functions of NW11 to pull from STAXX with TAXII (and 10.6 doesn't provide TAXII). So a script was needed, with a little help from the Anomali community I was able to come up with a functioning script that pulls out a filtered set of data from STAXX and outputs a CSV for use as a feed in RSA NetWitness.
This was a good time to add a few more metakeys that could be useful for use specifically with threat intel data to bring more context to events.
These metakeys were added to the index-concentrator-custom.xml
<key description="Intel Date" level="IndexValues" name="intel.date" format="UInt32" valueMax="5000" defaultAction="Closed"/>
<key description="Intel Confidence" level="IndexValues" name="intel.conf" format="Text" valueMax="5000" defaultAction="Closed"/>
<key description="Intel ID" level="IndexValues" name="intel.id" format="Text" valueMax="5000" defaultAction="Closed"/>
<key description="Intel TLP" level="IndexValues" name="intel.tlp" format="Text" valueMax="100" defaultAction="Closed"/>
<key description="Intel Type" level="IndexValues" name="intel.type" format="Text" valueMax="100" defaultAction="Closed"/>
Then the feed was created with recurring option to poll the csv (either hosted locally on the web root directory or on remote server)
The filter in the script included looks for the following criteria to reduce the data brought in to just what is required and relevant
query = "(severity=medium OR severity=high OR severity=very-high) AND itype='mal_ip'"
The query can be updated to include indicators that are relevant to you.
Now create the script and map the fields that are relevant to metakeys. This is the mapping that was used in this example
ip - column 1
threat.category - itype
severity - severity
threat.source - source
intel.tlp - tlp
Now that we have data we can push the feed to all the decoders and log decoders in an environment (using service groups helps keep everything in sync).
And once you have some test logs or packets to trigger the events to see if you have a working pipeline then you should get some meta like this.
Update your timing for queries in STAXX to get the latest data and stay within any API query limits on your data sources, as well as the script to pull indicators which should be put in a crontab to schedule the pull as well as the schedule to pull that csv into NetWitness.
# anomalistaxx threat feed
22 4 * * * /root/nw-scripts/rsa-anomali-staxx-script/anomali-staxx.py > /var/www/html/anomalistaxxfeed.csv
Hopefully this helps show how these platforms can be linked to help consolidate threat data and bring a consolidated feed into RSA NetWitness for alerting and enrichment.