topic Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server? in Splunk Enterprise Security

How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

cdupuis123 — Tue, 29 Sep 2015 12:50:27 GMT

1st time configuring a feed in the Splunk App for Enterprise Security and I'm spinning my wheels. HELP 🙂 I have the Soltra server running and downloading the FS-ISAC feed, but how to I set it up in Splunk? By setup, I mean syntax in the Splunk URL & post arguments.

Thanks in advance!

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

austinparker — Thu, 29 Oct 2015 19:08:03 GMT

Did you ever make progress on this? I just started building out my Soltra box with the idea to do the same thing. As I run across more relevant info I'll post here.

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

cdupuis123 — Thu, 29 Oct 2015 19:44:16 GMT

NO! I have the edge server still running I've asked several folks on here, on Soltra, and even dug though the fsisac forums and asked an engineer there. I'm sure I have a config issue, but the documentation leaves me stranded. Let me know what you find as I'm to the point now of asking my pro-serve person to ask folks that he has run across!....

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Fri, 30 Oct 2015 17:03:54 GMT

On the Soltra Edge Server:

1) Create your site : This is your connection to FS-ISAC with your various polling rules -
2) In the Feeds TAB create a new feed - This is what Spunk will connect to e.g create a feed called " MYFEED" http://127.0.0.1/taxii-discovery-service .
3) Make sure you have a user name, password and a trust group established

On the Splunk side :
1) your TAXII Server entry= IP address or Host Name of your SOLTRA Box
2) PORT 80
3) /taxii-discovery-service/ e.g. full url would be http://192.xxx.xxx.xxx/taxii-discovery-service/admin.MYFEED
4) Userid = which ever one your created associated to the new feed on Soltra
5) Password = Whatever password

Let me know how you make out .

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

cdupuis123 — Tue, 29 Sep 2020 07:48:13 GMT

Getting closer! Splunk says I'm missing collection. Digging through the Soltra documentation again, case I missed something...

2015-11-02 14:36:19,798 ERROR pid=21869 tid=MainThread file=threatlist.py:download_taxii:248 | status="Exception when polling TAXII feed." Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 231, in download_taxii for count, content_block in enumerate(handler.run(args, handler_args)): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/init.py", line 123, in run parsed_args = self.parse_args(args, handler_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/init_.py", line 95, in _parse_args raise TaxiiHandlerException('Invalid arguments for TAXII service (missing collection).') TaxiiHandlerException: Invalid arguments for TAXII service (missing collection).

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

cdupuis123 — Wed, 04 Nov 2015 20:00:28 GMT

ok this was a complete PITA from the work GO. klaxdal thanks a ton for pointing me in the right direction it was excatly what I was looking for. I still had a couple challenges like my Edge server decided to stop working on Oct 22, then I had the challenge if fighting the 2 factor cert within Edge. I had to hard code the username an password instead of using the cred manager in Splunk? I may try to back that off tomorrow as I was giddy to actually see data in Splunk ES....

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Wed, 04 Nov 2015 20:02:08 GMT

Alright ! If you need any help msg me .

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

austinparker — Mon, 11 Jan 2016 19:00:27 GMT

I've had some success, but I'm still not quite there. At this point I'm not sure if I've passed the parameters wrong in splunk for if I've done it wrong on Soltra.

This is the message I get from Splunk in ES on the Threat Intelligence Audit

status="Retrieved documents from TAXII feed" count="0" stanza="Soltra Edge" collection="admin.IPWatchlist"

This is better than the error of being stuck on Polling which I had before.

Does this mean I've messed up creating a feed?

Thanks for your time.

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Mon, 11 Jan 2016 19:38:39 GMT

Austin ,

Make sure the user name ( in this case most likely "admin" judging by your feed name admin,IPWatchlist ) and the password are correct in Splunk and that the User ID has rights set up for the feed in Soltra .

Additionally can you post any relevant log output ? Log files are a must when trying to debug .

Kristofer

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

austinparker — Mon, 11 Jan 2016 20:07:56 GMT

I would think the user would be the user that the Splunk instance is running under, is it not, this user already has appropriate file level rights? The user I passed to Soltra should have been a soltra only user. Perhaps my logic is wrong on this?

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

aliakseidzianis — Thu, 07 Apr 2016 16:45:13 GMT

If ES can pull the Hail a TAXII.com feed directly, why can't it pull FS-ISAC feed too? Why is there a need for Soltra in the middle?

The only obvious difference between hailataxxi and fs-isac is certificate that is required by fs-isac. Is it possible to implement it straight on ES without Soltra?

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Thu, 07 Apr 2016 16:59:19 GMT

That's a might big feed to pull .. without the Edge box in the middle to set boundaries on dates , times and IOC types you would be pulling quite a bit of data down .. and most of it extraneous .

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Thu, 07 Apr 2016 17:19:32 GMT

If fact I would recommend the Edge Server between all of your feeds including Hailataxxi , jigsaw, and Threat Actor Lab - gives you a lot of control about what you bring in as a PROD Threat feed

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

aliakseidzianis — Thu, 07 Apr 2016 17:25:32 GMT

I agree, FS-ISAC feed it probably not the cleanest, however Soltra does not have more filtering functionality that Splunk does. If Splunk can handle other taxii feeds directly, why would FS-ISAC be different?

You are pulling the exact same feed from Soltra that you are pulling from FS-ISAC, right? Or is there an ability on Soltra to filter it down to a different feed before it is digested by Splunk?

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Thu, 07 Apr 2016 17:56:33 GMT

No not necessarily -

With FS-ISAC you set up your initial feed on their side at analysis.fsisac.com rather than system.default. from there set up an Edge box to pull your clean , "tuned" FS-ISAC feed local or near to your Splunk instance . This allows you to set date parameters for the pull as well - so your not pulling the whole repository back from 2014 - say just the last 6 months . One can also select which IOC types you want to bring into your Splunk environment .

Additionally on the Edge box that one has set up locally you can add hailataxxi, jigsaw, and Threat Actor as feeds and set parameters for each e.g. only poll the last 24hrs of data starting at a specific date , only pull this subset of IOCs from each STIX repository .

In my opinion much more malleable to point Splunk at feeds that one has control over ( especially not have to download no-applicable IOCs and or ones which are older than 6 months as that's a heck of a lot of data especially if one is searching for IOCs automatically across large data sets )

Just my 2 cents - your mileage my vary

Kristofer

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

aliakseidzianis — Thu, 07 Apr 2016 18:01:16 GMT

That makes sense. Thanks Kristofer.

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

klaxdal — Thu, 07 Apr 2016 18:07:31 GMT

So yes - Soltra Edge 2.8.x allows you to filter down before you pull , parse and store into Mongo / Splunk ... not just the FS-ISCA feeds but all your STIX feeds .
I currently pull form 6 different STIX hubs so it is more than useful .

Kristofer

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

amalkapuram — Tue, 16 May 2017 19:29:03 GMT

I need help in setting up Soltra credentials on Splunk- Where do I give my Soltra's username and password? In post arguments? Is so, what's the syntax? Please help

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

aliakseidzianis — Tue, 29 Sep 2020 14:05:54 GMT

Yes, in POST arguments.
collection="system.Default" earliest="-90d" taxii_username="user" taxii_password="pass"

Re: How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

amalkapuram — Wed, 13 Sep 2017 22:31:16 GMT

Thanks for your help. I see FSISAC data on Splunk Instance when I ssh into it, the feed got downloaded in ".xml" format. Now when I try to search for that data in Threat Activity or any other place I cant find it. How can I confirm that Splunk is able to parse and read this data?

Thanks in advance.