After playing with Soltra Edge I figured this would be a good next step to see if it could be integrated with RSA NetWitness Suite. We already have an integration posted for the full package, but what if users wanted to leverage the free version?
After setting up the VM (2.6 as of this writing; it auto-updated to 3.0 and still works), the next step was adding TAXII sources of threat data to see how the pipeline worked.
Registering for AlienVault OTX and IBM X-Force, along with a few other sources of data, allowed me to subscribe and test out the TAXII integration.
Now I had data in Anomali STAXX,
which I could dig into and see the details.
Next step: let's see if we can pull that data out of Anomali and into NetWitness Suite.
First problem: this being the free version, STAXX can apparently only be used as a TAXII client and not as a server, so I cannot leverage the upcoming TAXII client functions of NW11 to pull from STAXX over TAXII (and 10.6 doesn't provide TAXII). So a script was needed. With a little help from the Anomali community I was able to come up with a functioning script that pulls a filtered set of data out of STAXX and outputs a CSV for use as a feed in RSA NetWitness.
Now that we have data, we can push the feed to all the Decoders and Log Decoders in an environment (using service groups helps keep everything in sync).
And once you have some test logs or packets to trigger the events and confirm the pipeline works, you should get meta like this.
Update your query timing in STAXX to get the latest data while staying within any API query limits on your data sources. Put the indicator-pull script in a crontab to schedule the pull, and likewise schedule the NetWitness feed that pulls in that CSV.