Aug 05 2020 01:17 AM
Hello everyone!
We've set up a TAXII data source and TI with some success. I'm curious; how often does the TAXII connector reach out to Anomali (or any other provider) and refresh the data? Shouldn't this happen on a regular, periodic basis? I don't see any settings to configure how often to make the query and update the data.
I've gone through these two threads but didn't see the answer I'm looking for. Thanks:
https://techcommunity.microsoft.com/t5/azure-sentinel/unable-to-get-feed-from-anomali-servers-12-hou...
https://techcommunity.microsoft.com/t5/azure-sentinel/tiindicators-not-showing-up-in-threatintellige...
Aug 07 2020 01:01 AM
Here's a visual representation. We set it up, it pulls data once, and then doesn't pull or try to update at all.
Aug 07 2020 12:28 PM
@JKatzmandu We have support tickets open with MS on a similar issue. I don't think it's a TAXII issue. It's a TI logging issue. We can generate new IOCs in the TiIndicators via the API, but they don't always show up in the logs. Something is not working for sure.
Oct 21 2020 02:01 AM
Nov 06 2020 05:14 AM
With a few of my customers things seem to be magically working on their own. At least some of the data has an "expiration date" as a field and it gets updates over time.