Add Threat Intelligence to Enterprise Security sea...

clarkwh2 · ‎05-06-2016

We have looked at adding some threat intelligence apps to our Enterprise Security instance and have decided that we can consume the information that we are looking for via TAXII feed. The instructions on this page (docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists) lay out how to configure this in Splunk Web but don't provide any instructions on how to add them directly in a conf file which is what you have to do in a search head cluster. So my question is:

Where is the config file to make add these feeds and are there instructions on how to make these changes directly in the conf files?

bluger_splunk · ‎05-12-2016

Hi clarkwh2 --

The conf file used to store TAXII feed configurations is ../local/inputs.conf. An example entry would look like:

[threatlist://<input_name>]
description = TAXII description
disabled = false
interval = 86400
post_args = collection="<taxii_collection>" earliest="-1y" taxii_username="user" taxii_password="pass"
type = taxii
url = <url to taxii discovery service>

Docs pertaining to the available options for this modular input can be found in SA-ThreatIntelligence, under README/inputs.conf.spec

Hope this helps,

~Brian

Add Threat Intelligence to Enterprise Security search head cluster

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!