Intel TAXII Feed Introduction
So, does anybody know what happened to April? Because it’s already almost over. ANYWAY, I’m here to introduce you to the MalWerewolf Intel TAXII Feed! We’ve been poking at some ideas for storing indicators and figured this may be the best route for sharing that data.
What are we using to store the data?
- We are using Soltra, which can be downloaded at https://soltra.com/ and has a free version that is very simple to set up.
What can we do with Soltra?
- In short, we will be using Soltra for indicator management with a bit of attribution. This will allow us to identify similarities in tools and techniques and relate that data to campaigns and, potentially, infrastructure. Below is an example of the data you should expect to see.
How can you access the repository?
- Soltra provides the ability to share the data from our repo via a TAXII service. For a direct look at TAXII, check out https://taxiiproject.github.io/. Any threat intel aggregator that can query a TAXII service will be sufficient; however, below are the steps to add our repo via Soltra.
Click on Admin > Sites > Directory Lookup > Add a Site
Site Description : MalWerewolf
Login : guest/guest
Discovery URL : https://intelfeed.malwerewolf.com/taxii-discovery-service
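If you are not using Soltra, the same discovery endpoint can be queried by hand. The block below is an added example, not code from this post or from Soltra: it builds a TAXII 1.1 Discovery_Request, parses a Discovery_Response, and keeps only POLL services that are marked available, use HTTPS, and live on the expected host, so a client is never quietly pointed at a cleartext or foreign address. The service addresses in the embedded sample response are constructed for the example; only the discovery URL comes from the post.

```python
"""Minimal TAXII 1.1 discovery handling (added example, offline)."""
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# TAXII 1.1 XML message binding namespace and the TAXII HTTP headers.
TAXII_11_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ET.register_namespace("taxii_11", TAXII_11_NS)

# Discovery URL as given in the post.
DISCOVERY_URL = "https://intelfeed.malwerewolf.com/taxii-discovery-service"


def taxii_headers():
    """HTTP headers a TAXII 1.1 server expects alongside a discovery request."""
    return {
        "Content-Type": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }


def build_discovery_request(message_id=None):
    """Serialize a Discovery_Request; message_id is echoed back by the server."""
    message_id = message_id or str(uuid.uuid4().int)
    root = ET.Element("{%s}Discovery_Request" % TAXII_11_NS,
                      {"message_id": message_id})
    return ET.tostring(root, encoding="unicode")


def parse_discovery_response(xml_text):
    """Return one dict per Service_Instance in a Discovery_Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Discovery_Response" % TAXII_11_NS:
        raise ValueError("not a TAXII 1.1 Discovery_Response: %s" % root.tag)
    services = []
    for inst in root.findall("{%s}Service_Instance" % TAXII_11_NS):
        services.append({
            "type": inst.get("service_type"),
            "version": inst.get("service_version"),
            # 'available' is optional in TAXII 1.1; absent is treated as available.
            "available": inst.get("available", "true").lower() == "true",
            "protocol": inst.findtext("{%s}Protocol_Binding" % TAXII_11_NS),
            "address": inst.findtext("{%s}Address" % TAXII_11_NS),
            "message_bindings": [b.text for b in
                                 inst.findall("{%s}Message_Binding" % TAXII_11_NS)],
        })
    return services


def usable_poll_services(services, expected_host):
    """Keep POLL services that are available, HTTPS, and on the expected host."""
    keep = []
    for svc in services:
        url = urlparse(svc["address"] or "")
        if (svc["type"] == "POLL" and svc["available"]
                and url.scheme == "https" and url.hostname == expected_host):
            keep.append(svc)
    return keep


# Constructed sample response (the paths are placeholders, not the real feed's).
SAMPLE_RESPONSE = """<taxii_11:Discovery_Response
    xmlns:taxii_11="%s" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="POLL"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://intelfeed.malwerewolf.com/taxii-data</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>http://intelfeed.malwerewolf.com/taxii-data</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="INBOX"
      service_version="urn:taxii.mitre.org:services:1.1" available="false">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://intelfeed.malwerewolf.com/taxii-inbox</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>""" % TAXII_11_NS


if __name__ == "__main__":
    print(build_discovery_request("1"))
    found = parse_discovery_response(SAMPLE_RESPONSE)
    host = urlparse(DISCOVERY_URL).hostname
    for svc in usable_poll_services(found, host):
        print("poll from:", svc["address"])
```

The request body from build_discovery_request, sent as an HTTPS POST with the headers from taxii_headers() and the guest credentials the post lists, is all a discovery exchange needs; the host check in usable_poll_services is the piece most home-grown clients skip.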
If you have any difficulty getting synced up to the repo, please contact me directly at firstname.lastname@example.org and we will get everything sorted out. While the overall access is being properly set up, there may be some data that doesn't get pulled, but this should be worked out fairly quickly. As we push more of our information to the repo, we will put a post together about how we are utilizing some of the categories. Our end goal is to provide only data that we have confirmed is something you will want to look for in your environment and, if there is interest, to provide a secondary feed strictly for whitelisted or observed-only data.