JKatzmandu
Brass Contributor
Aug 05, 2020

Another TAXII Query

Hello everyone!

We've set up a TAXII data source and TI with some success. I'm curious; how often does the TAXII connector reach out to Anomali (or any other provider) and refresh the data? Shouldn't this happen on a regular, periodic basis? I don't see any settings to configure how often to make the query and update the data.

I've gone through these two threads but didn't see the answer I'm looking for. Thanks:
https://techcommunity.microsoft.com/t5/azure-sentinel/unable-to-get-feed-from-anomali-servers-12-hours/m-p/1539936
https://techcommunity.microsoft.com/t5/azure-sentinel/tiindicators-not-showing-up-in-threatintelligenceindicator-logs/m-p/1538560/highlight/false#M2075

4 Replies

  • JKatzmandu We have support tickets open with MS on a similar issue. I don't think it's a TAXII issue. It's a TI logging issue. We can generate new IOCs in the TiIndicators via the API, but they don't always show up in the logs. Something is not working for sure.

    • lwallimann
      Copper Contributor
      JBUB_Accelerynt Do you have more information out of the support ticket? We are facing similar issues, I see the indicators on the Threat intelligence page but not in the Log. Also in the TAXII connector the Last Log Received is -- I think something is still not working as expected...
      • JKatzmandu
        Brass Contributor

        lwallimann With a few of my customers things seem to be magically working on their own. At least some of the data has an "expiration date" as a field and it gets updates over time.

  • JKatzmandu
    Brass Contributor

    Here's a visual representation. We set it up, it pulls data once, and then doesn't pull or try to update at all.