Looking for a way to export the data to an external DB


#1

Hello all,
I’ve just installed the VM and it all seems to be working.
I’m looking for a way to either integrate it with MISP or just copy over the DB to run my own analysis on it.
Is there any way to achieve this?

Thanks


#2

Hi,
To date we have not worked so closely with MISP instances.
That said, there are a number of ways to export data. From the STAXX UI, on the Activity screen, you can export Indicators datasets from STAXX in CSV or JSON format. This may be usable against the MISP APIs (but has not been tested by Anomali).
You could also use STAXX’s REST API to export data as well; can I point you to: https://update.anomali.com/staxx/docs/Anomali_STAXX_Installation_&_Administration_Guide_v2.6.pdf (pg 45).

STAXX, within its UI, will allow you full access to all the Indicator data you have ingested into the system; you can further pivot on an Indicator into 1 of 3 Anomali platforms, if you have registered and set up an account (Anomali ThreatStream, Staxx Cloud, or Anomali Reports). You can continue your investigation and analysis against a much richer threat data portfolio in these platforms.

What sort of analysis or use cases are you aiming to achieve?

Regards,
Declan


#3

Hello,
Thanks for replying.
We are just exploring the options.
Our goal is to aggregate the data in MISP and connect it to IntelMQ system for further analysis.
We want to use STAXX as one of our data sources.
Once this has been achieved we will run different DB queries to identify attacks where local IPs are either source or destination.
We will also monitor some of the attacks on specific industries to find phishing emails or forged domains for example.

Does STAXX have an easy way to access its DB?
If the answer is yes, maybe we can set up our analysis queries to work directly with STAXX.
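The use case described above (take an indicator export, find entries that fall in local address space, and hand the hits to MISP) as an added example; this is not STAXX, MISP or Anomali code. The CSV column names, the monitored ranges and the choice of MISP attribute type are assumptions, and the sample rows are constructed.

```python
"""Filter an indicator export for hits on local address space and shape them
as MISP attribute dicts. Added example: the CSV layout (columns 'indicator',
'itype', 'confidence') is an assumption, not the real STAXX export format."""
import csv
import io
import ipaddress

# Constructed sample rows in the assumed export layout (not real STAXX data).
SAMPLE_CSV = """indicator,itype,confidence
203.0.113.10,mal_ip,80
198.51.100.7,c2_ip,95
10.20.30.40,scan_ip,60
evil.example,mal_domain,70
192.0.2.250,mal_ip,50
"""

# Address space the analyst wants to watch (assumed values).
LOCAL_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("10.20.0.0/16")]


def is_local(value, ranges=LOCAL_RANGES):
    """True if value parses as an IP address inside any monitored range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # domains, hashes, URLs are skipped
        return False
    return any(addr in net for net in ranges)


def local_hits(csv_text, ranges=LOCAL_RANGES, min_confidence=0):
    """Rows whose indicator is an IP in a monitored range at or above min_confidence."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if is_local(r["indicator"], ranges)
            and int(r["confidence"]) >= min_confidence]


def to_misp_attributes(rows, misp_type="ip-dst"):
    """Map hits to MISP attribute dicts ready to push with PyMISP.
    The feed does not say whether the address was source or destination,
    so the caller picks the type (assumed default 'ip-dst')."""
    return [{"type": misp_type, "category": "Network activity",
             "value": r["indicator"], "to_ids": False,
             "comment": f"{r['itype']} confidence={r['confidence']}"}
            for r in rows]


if __name__ == "__main__":
    for attr in to_misp_attributes(local_hits(SAMPLE_CSV, min_confidence=50)):
        print(attr)
```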


#4

There is a way to access the data directly from the DB, but it’s not a supported method. It involves using either the built-in db dump command or diving right into PostgreSQL; both are xlink’d. Word of caution: all your Indicators exist in each of the 4 main tables; it’s ill-advised to try and alter entries on a prod instance until you figure out how it all ties together.


#5

Any recommendations how to connect to the DB?
What credentials are used?
I understand it is not supported but any guidance even the basic one will be appreciated.
Thank you


#6

If you execute the command to access the db using sudo, it should allow you to connect, similar to when you want to run the status or restart commands.