Another TAXII Query


Hello everyone!

We've set up a TAXII data source and TI with some success. I'm curious; how often does the TAXII connector reach out to Anomali (or any other provider) and refresh the data? Shouldn't this happen on a regular, periodic basis? I don't see any settings to configure how often to make the query and update the data.

I've gone through these two threads but didn't see the answer I'm looking for. Thanks:
https://techcommunity.microsoft.com/t5/azure-sentinel/unable-to-get-feed-from-anomali-servers-12-hou...
https://techcommunity.microsoft.com/t5/azure-sentinel/tiindicators-not-showing-up-in-threatintellige...
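One way to answer the refresh-frequency question from the data itself, added here and not part of the thread: a KQL query for the Microsoft Sentinel Logs blade that summarises, per source, how often indicators are actually written to the ThreatIntelligenceIndicator table and whether they are ever re-ingested. It assumes the standard ThreatIntelligenceIndicator schema; the 7-day lookback is an assumption.

```kql
// Added example (not from the thread). Per source system, show whether the
// connector wrote indicators once or keeps refreshing them.
let lookback = 7d;
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| summarize
    Writes     = count(),                          // rows written in the window
    Indicators = dcount(IndicatorId),              // distinct indicators seen
    PullHours  = dcount(bin(TimeGenerated, 1h)),   // 1 => pulled once, never refreshed
    FirstWrite = min(TimeGenerated),
    LastWrite  = max(TimeGenerated),
    Active     = countif(Active == true and ExpirationDateTime > now()),
    Expired    = countif(ExpirationDateTime <= now())
    by SourceSystem
// > 1.0 means the same indicators are being re-written (updated) over time
| extend UpdatesPerIndicator = round(todouble(Writes) / Indicators, 2)
| order by LastWrite desc
```

A source that shows indicators on the Threat intelligence page but has no row here, or a PullHours of 1 with a stale LastWrite, matches the "pulled once, not logged since" symptom described in the replies.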

4 Replies

Here's a visual representation. We set it up, it pulls data once, and then doesn't pull or try to update at all.

@JKatzmandu We have support tickets open with MS on a similar issue. I don't think it's a TAXII issue. It's a TI logging issue. We can generate new IOCs in the TiIndicators via the API, but they don't always show up in the logs. Something is not working for sure.

@JBUB_Arbala Do you have more information out of the support ticket? We are facing similar issues: I see the indicators on the Threat intelligence page but not in the Log. Also, in the TAXII connector the Last Log Received is --. I think something is still not working as expected...

@lwallimann

With a few of my customers things seem to be magically working on their own. At least some of the data has an "expiration date" as a field and it gets updates over time.