topic Re: Splunk ES taxii feed - AlienVault OTX config in Splunk Enterprise Security

Splunk ES taxii feed - AlienVault OTX config

oz_dg — Mon, 23 Nov 2020 07:45:21 GMT

Hi everyone,

Am having issues with the configuration of the AlienVault OTX feed in Splunk ES and would appreciate any help.

Have got my AlienVault OTX key ready but need help with the Threat Intel taxii feed settings in the web gui.

Data inputs » Intelligence Downloads »

Type: taxii

URL: https://otx.alienvault.com/taxii/discovery
POST Arguments: <this is where my key should be placed but how is this formatted??>

-> have tried taxii_username="my_key" in the post arguments to no avail. Just keep seeing the "TAXII feed polling starting" message on the "Threat Intelligence Audit" page.

Any help is greatly appreciated.

Cheers

Re: Splunk ES taxii feed - AlienVault OTX config

MaverickT — Mon, 23 Nov 2020 07:46:57 GMT

My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase.

I've managed to install and configure those add-ons in less than an hour.

https://splunkbase.splunk.com/app/4336/

https://splunkbase.splunk.com/app/4337/

Re: Splunk ES taxii feed - AlienVault OTX config

oz_dg — Tue, 24 Nov 2020 06:52:30 GMT

Hi,

Many thanks for the reply.

We've been using those already but were kinda hoping we could move away from them (2yrs+ since last update on the github page + no SplunkApp Inspection pass mark) and use the general taxii feed input as it works fine for other feeds.

Cheers

Re: Splunk ES taxii feed - AlienVault OTX config

oz_dg — Fri, 04 Dec 2020 02:33:08 GMT

Hoping that there is way forward with this one.

Many thanks in advance.

Re: Splunk ES taxii feed - AlienVault OTX config

efheem — Wed, 29 Nov 2023 12:36:16 GMT

Just in case if someone is still looking for an answer to this, go to ES Threat Intelligence Management and click New ->TAXII

Url : https://otx.alienvault.com/taxii/collections

Post Arguments:

collection=user_AlienVault taxii_username=xxxxxxxxxxxxxyourAPIKeyHerexxxxxxxxx taxii_password=foo

Cheers!

Re: Splunk ES taxii feed - AlienVault OTX config

steljas2 — Sat, 13 Apr 2024 10:35:30 GMT

@efheem Thanks for posting this! Did this setup "just work" for you?

With your configs, I see the files downloading in the logs, but it never finishes the first run. stating "The downloaded taxii intelligence has a size that exceeds the configured max_size and will be discarded." I've tried increasing the max to 500Mb in the lab, but still encounter the same problem.

Re: Splunk ES taxii feed - AlienVault OTX config

prathasj — Tue, 17 Sep 2024 00:31:41 GMT

Facing similar issue with Alien Vault threat feed ,increased the max size still it fails with error as " Exception when polling TAXII feed. Any saved documents will be discarded" and "The downloaded taxii intelligence has a size that exceeds the configured max_size and will be discarded.

Has anyone able to resolve this ?

Re: Splunk ES taxii feed - AlienVault OTX config

user487596 — Mon, 14 Oct 2024 10:07:01 GMT

I increased the limit several times, but eventually I got the same error. Do you know a way to see what data was received, for example, to do a search?