Hello @sbathla.
We're glad that you're giving the module a try.
I think I might know what your issue with the MISP, OTX, and Anomali feeds is.
MISP
You need to have your own MISP server. MISP is a third-party, open-source platform. You can check them out here: https://www.misp-project.org/. Once you have MISP set up, you can simply update the `threatintel.yml` to include your server location and API key.
OTX
AlienVault Open Threat eXchange (OTX) is a cloud threat feed provided by the AlienVault team. Unlike Abuse Malware and Abuse URL, this requires an API key that you can get simply by signing up for the service over at https://otx.alienvault.com. Once you have your API key, you can enter it in `threatintel.yml`.
Anomali
There isn't anything that you need to sign up for with Anomali, but their API credentials are commented out by default. You can simply go into `threatintel.yml` and remove the `#` before `var.username: guest` and `var.password: guest`.
Of note, Anomali also has multiple feeds that you can subscribe to. We provided a default one, but there are others with various amounts of indicators.
To get those feeds, you can query Limo to get the feed IDs with:
```shell
curl -u guest:guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/ | jq
```

```json
{
  "collections": [
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "107",
      "title": "Phish Tank"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "135",
      "title": "Abuse.ch Ransomware IPs"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "136",
      "title": "Abuse.ch Ransomware Domains"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "150",
      "title": "DShield Scanning IPs"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "200",
      "title": "Malware Domain List - Hotlist"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "209",
      "title": "Blutmagie TOR Nodes"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "31",
      "title": "Emerging Threats C&C Server"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "313",
      "title": "DT COVID-19"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "33",
      "title": "Lehigh Malwaredomains"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "41",
      "title": "CyberCrime"
    },
    {
      "can_read": true,
      "can_write": false,
      "description": "",
      "id": "68",
      "title": "Emerging Threats - Compromised"
    }
  ]
}
```
Taking the ID number, you can update the URL ID to target different feeds.

Example:

```yaml
var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/135/objects?match[type]=indicator
```

Of note, only one `var.url` can be used at a time.
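As an added example (not part of the reply above or of the module itself), here is a small Python helper that does what the curl/jq step and the manual ID lookup do: it takes a Limo collections listing, picks a collection by title, checks that it is readable, and renders the `var.url` line for `threatintel.yml`. The listing is a constructed, trimmed copy of the JSON shown above plus one made-up unreadable entry; `fetch_listing` is the only part that needs network, and the exact nesting of the keys in `threatintel.yml` is assumed.

```python
import base64
import json
import urllib.request

LIMO_BASE = "https://limo.anomali.com/api/v1/taxii2/feeds/collections/"

# Constructed sample: a trimmed copy of the listing Limo returned above, plus
# one made-up "can_read": false entry so the readability check is exercised.
SAMPLE_LISTING = json.loads("""
{"collections": [
  {"can_read": true,  "can_write": false, "description": "", "id": "107", "title": "Phish Tank"},
  {"can_read": true,  "can_write": false, "description": "", "id": "135", "title": "Abuse.ch Ransomware IPs"},
  {"can_read": true,  "can_write": false, "description": "", "id": "150", "title": "DShield Scanning IPs"},
  {"can_read": false, "can_write": false, "description": "", "id": "999", "title": "Constructed Private Feed"}
]}
""")

def fetch_listing(username="guest", password="guest", timeout=30):
    """Live equivalent of the curl call above (needs network): GET the listing with basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(LIMO_BASE, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def find_collection_id(listing, title):
    """Return the id of the collection whose title matches (case-insensitive); refuse unreadable ones."""
    for coll in listing.get("collections", []):
        if coll.get("title", "").casefold() == title.casefold():
            if not coll.get("can_read", False):
                raise PermissionError(f"collection {coll['id']} is not readable with these credentials")
            return coll["id"]
    raise KeyError(f"no collection titled {title!r}")

def build_var_url(collection_id):
    """Objects URL for var.url, restricted to STIX indicator objects as in the example above."""
    return f"{LIMO_BASE}{collection_id}/objects?match[type]=indicator"

def anomali_config_lines(listing, title, username="guest", password="guest"):
    """Render the three Anomali settings from the reply (indentation/nesting in the file is assumed)."""
    url = build_var_url(find_collection_id(listing, title))
    return [f"var.username: {username}", f"var.password: {password}", f"var.url: {url}"]

if __name__ == "__main__":
    # Swap SAMPLE_LISTING for fetch_listing() to work from the live listing.
    print("\n".join(anomali_config_lines(SAMPLE_LISTING, "Abuse.ch Ransomware IPs")))
```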