Polling the Anomali Weekly Threat Intel Briefing on Limo


#1

I can poll the majority of Limo collections successfully; however, I’m unable to fetch anything from the Anomali_Weekly_Threat_Briefing_S1 collection. Does this require a subscription ID? My successful polls with other collections only required a begin/end time range. Is this collection cleared out in the interim between briefings?


#2

Hi there,

I have just carried out a poll on this feed for a length of 365 days and received 400+ indicators. There is no subscription ID needed for this. Can you please share what version of Staxx you are using?

Many thanks,

Darren


#3

My apologies, I’m not using STAXX. I’m using a non-STAXX TAXII client, cabby.

Python code is as follows and works for all collections except when replacing with the ‘Anomali_Weekly_Threat_Briefing_S1’ collection (poll logic is towards the bottom):


```python
import datetime
import pytz
from cabby import create_client

# begin_date
b = datetime.datetime(2017, 2, 1, 0, 0)
timezone = pytz.timezone("US/Eastern")
b_date = timezone.localize(b)

# end_date
e = datetime.datetime.now()
timezone = pytz.timezone("US/Eastern")
e_date = timezone.localize(e)

# discover
client = create_client('limo.anomali.com', use_https=True, discovery_path='/api/v1/taxii/taxii-discovery-service/')
client.set_auth(username='guest', password='guest')
services = client.discover_services()

# collections
collections = client.get_collections(uri='https://limo.anomali.com/api/v1/taxii/collection_management/')

# poll
content_blocks = client.poll(collection_name='Emerging_Threats___Compromised_F68', begin_date=b_date, end_date=e_date)
for block in content_blocks:
    print(block.content)
```

Collection Names

#Abuse_ch_Ransomware_IPs_F135
#Abuse_ch_Ransomware_Domains_F136
#DShield_Scanning_IPs_F150
#Lehigh_Malwaredomains_F33
#CyberCrime_F41
#Emerging_Threats_C_C_Server_F31
#Malware_Domain_List___Hotlist_F200
#Phish_Tank_F107
#Emerging_Threats___Compromised_F68
#Blutmagie_TOR_Nodes_F209
#Anomali_Weekly_Threat_Briefing_S1