Anomali STAXX and Hail a Taxii

-
Today we are going to add a new feed to our Anomali Threat Server.  Called Hail a Taxii
Anomali makes this process extremely easy. Login to your Anomali STAXX server
Then click the setting tab in the upper right corner.
This will bring you to the site where you can add your new Feed. As you can see I already have 3 feeds added - the default Limo, Alien Vault OTX, and IBM X-Force.
Click on Add Site in the upper right. The Add New Site Window is launched.

For the Description I've added "Hail A TAXII" and the Discovery location is simply the poll location for Hail A TAXII   "http://hailataxii.com/taxii-discovery-service"  Username: guest  Password: *****
Click on Add Site / Discover (depending on the version you're running)


Once the Discover process is complete your left with several new Feeds to add to your arsenal
I've enabled all the above Feeds and ran a quick Poll. As you can see below we have started to collect Intel "data" from various locations.
Let's head back to our Dashboard. As you can see we are already seeing some Source data coming in.
Let's drill down into an example - in this case, Phish_URL Data. You can do so by simply clicking on the corresponding color in the graph. Below you can see several new phishing links.

I then clicked on one of the sites at random htxxp://ether-*****.us  this gives us a quick glance at more information on this site.  ( Note this launches to Anomali free cloud-based solution https://staxx.anomali.com/detail/domain )


So far I am really liking what Hail a TAXII is bringing to the table as far as feeds go and you cannot beat the price!

Comments

Post a Comment

Popular posts from this blog

Recon Automation with Sub Num Num

-
Image
I'd like to start things off with I am NOT a coder...  .. but I wrote a very simple script to help automate some of my Recon for Sub-domains. Doing this manually is a huge under taking and of course time consuming. This is just the beginning of the horribly named script "Sub Num Num" But what's it do? This script reaches out to cert.sh and certspotter checking for valid sub-domains - next it runs a quick  probe on (80,443) We are then left with valid targets to begin a deeper dive.(Directory brute forcing etc..) You can access the current code here..  https://github.com/atomixgray/subnumnum Installation  (note GoLang is needed for the httprobe) If you have git installed 1.) sudo git clone https://github.com/atomixgray/subnumnum.git 2.) chmod +x subnumnum.sh Lets do a quick hunt on gemini.yahoo.com (There is currently a public bounty on this Sub) Comments and suggestions are more than welcome!
Read more

CyberArk Automation

-
Image
Tonight we are working on some CyberArk automation inside of VsCode.   The building and provisioning of safes can become cumbersome when you're enrolling several hundred users a week. With the help of an amazing PowerShell module by PSPETE  we can make quick work of this. Revision 1.0 of this script will do the following. 1.) Create Users Safe 2.) Add users network account to safe with customizable permissions 3.) Add a local CyberArk support account group with customizable permissions 4.) Add Vault Admin group for more support options with customizable permissions 5.) Add Users (new) Privileged account into their newly created safe. 6.) Run a Reconcile on the account to bring into CyberArk management. .   I will upload everything to  https://github.com/atomixgray/cyberark/  after a little more testing. Revision 2.0 will include an option for bulk uploading users via a CSV file.
Read more