Another TAXII Query

Brass Contributor

Hello everyone!

 

We've set up a TAXII data source and TI with some success. I'm curious; how often does the TAXII connector reach out to Anomali (or any other provider) and refresh the data? Shouldn't this happen on a regular, periodic basis? I don't see any settings to configure how often to make the query and update the data.

 

I've gone through these two threads but didn't see the answer I'm looking for. Thanks:
https://techcommunity.microsoft.com/t5/azure-sentinel/unable-to-get-feed-from-anomali-servers-12-hou...
https://techcommunity.microsoft.com/t5/azure-sentinel/tiindicators-not-showing-up-in-threatintellige...

4 Replies

Here's a visual representation. We set it up, it pulls data once, and then doesn't pull or try to update at all.

 

 

@JKatzmandu We have support tickets open with MS on the similar issue. I don't think it's a TAXII issue. It's a TI logging issue. We can generate new IOCs in the TiIndicators via the api, but they dont always show up in the logs. Something is not working for sure.

@JBUB_Accelerynt Do you have more information out of the support ticket? We are facing similar issues, I see the indicators on the Threat intelligence page but not in the Log. Also in the TAXII connector the Last Log Received is -- I think somithing is still not working as expected...

@lwallimann 

 

With a few of my customers things seem to be magically working on their own. At least some of the data has an "expiration date" as a field and it gets updates over time.