OpenDXL-Anomali-STAXX Client¶
OpenDXL-Anomali-STAXX is a Python client that exports observables (IOCs) from Anomali STAXX and publishes events with the observables into a McAfee DXL (Data Exchange Layer) messaging fabric.
How to use it¶
The client may be invoked by running the staxx_exporter.py script (usage instructions below).
- staxx_exporter.py -
- Main OpenDXL-Anomali-STAXX client script. Connects to Anomali STAXX and McAFee DXL messaging bus, exporting observables from one into the other as messages.
usage: staxx_observable_exporter [-h] [-c CONFIGFILE] [-d] [-l LOGLEVEL] [-p]
[-s] [-t TIME]
FILTER_QUERY
Positional Arguments¶
| FILTER_QUERY | Query used to filter desired observables (confidence, type, time window, …). |
Named Arguments¶
| -c, --configfile | |
Configuration file. Default: “/etc/opendxl-anomali-staxx/client.conf” | |
| -d, --dryrun | Export observables from STAXX without generating DXL messages. Default: False |
| -l, --loglevel | Logging level (DEBUG, INFO or ERROR). Default: “INFO” |
| -p, --pprint | Pretty print exported observables to STDOUT. Default: False |
| -s, --singleshot | |
Single shot mode (will not keep polling STAXX server). Default: False | |
| -t, --time | Polling time (in seconds). Default: 60 |
This script works as an OpenDXL client for Anomali STAXX, exporting observables (IOCs) from it and publishing messages (events) into the DXL bus.