pauldowling_prm
Copper Contributor
Feb 25, 2021
Solved

TAXII data connector polling

Hi all, last week we set up some TAXII feeds from Anomali Limo, per the https://docs.microsoft.com/azure/sentinel/import-threat-intelligence?WT.mc_id=Portal-fx#adding-threat-indicators-to-azure-sentinel-with-the-threat-intelligence---taxii-data-connector. However, we have not received any IOC feeds yet. "Last indicator received time" is stuck at "--" for all of them. Is there an additional step required to get the TAXII connector to start polling?

 
  • Hi, currently, if you connect to the TAXII server, the default lookback period is "Today", which means only the indicators that are added today and moving forward will be imported. Since the Anomali Limo server is not updated often, you are not seeing any IOCs being imported from the Limo server.

    With that being said, we are adding a configurable lookback period in a couple of weeks, wherein you will be able to select how far back in time you want to go and import IOCs from the server. The default lookback period will also be updated to "All available indicator" soon, which means that in the first run, when you connect to the server, all indicators on the TAXII server will be imported, and then, moving forward, the new indicators will be imported each time they are added.
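The lookback behaviour described in the reply above can be checked against a feed's manifest. This is an added example, not part of the original posts and not the connector's own code: it models a first poll over constructed TAXII 2.0 manifest entries. The sample entries, the `now` value, and the reading of "Today" as "since midnight UTC" are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed TAXII 2.0 manifest entries (not real Limo data). date_added is
# when the server added the object, which is what added_after filters on.
SAMPLE_MANIFEST = [
    {"id": "indicator--00000000-0000-4000-8000-000000000001", "date_added": "2020-11-03T09:15:00.000Z"},
    {"id": "indicator--00000000-0000-4000-8000-000000000002", "date_added": "2021-01-12T14:02:00.000Z"},
    {"id": "indicator--00000000-0000-4000-8000-000000000003", "date_added": "2021-02-01T17:40:00.000Z"},
    {"id": "indicator--00000000-0000-4000-8000-000000000004", "date_added": "2021-02-10T08:30:00.000Z"},
]

def parse_ts(value):
    """Parse a TAXII/STIX UTC timestamp such as 2021-02-01T17:40:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lookback_start(now, lookback):
    """Earliest date_added a first poll accepts (assumed semantics)."""
    if lookback == "today":
        return now.replace(hour=0, minute=0, second=0, microsecond=0)
    if lookback == "all":
        return None          # no lower bound: everything on the server
    return now - lookback    # a timedelta, for a configurable window

def first_poll(manifest, now, lookback):
    """Return the entries a first poll would import, oldest first."""
    start = lookback_start(now, lookback)
    hits = [e for e in manifest
            if start is None or parse_ts(e["date_added"]) > start]
    return sorted(hits, key=lambda e: parse_ts(e["date_added"]))

def diagnose(manifest, now):
    """Summarise why a newly connected feed may show no indicators."""
    stamps = [parse_ts(e["date_added"]) for e in manifest]
    newest = max(stamps) if stamps else None   # empty collection: nothing to age
    return {
        "newest_date_added": newest,
        "feed_idle_days": (now - newest).days if newest else None,
        "imported_today": len(first_poll(manifest, now, "today")),
        "imported_30d": len(first_poll(manifest, now, timedelta(days=30))),
        "imported_all": len(first_poll(manifest, now, "all")),
    }

if __name__ == "__main__":
    now = datetime(2021, 2, 25, 12, 0, tzinfo=timezone.utc)  # constructed poll time
    for key, value in diagnose(SAMPLE_MANIFEST, now).items():
        print(f"{key}: {value}")
```

A feed whose newest `date_added` is older than the lookback start imports nothing on the first poll, which matches the "--" symptom in the question.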
