Deployment Architecture

Add Threat Intelligence to Enterprise Security search head cluster

clarkwh2
Explorer

We have looked at adding some threat intelligence apps to our Enterprise Security instance and have decided that we can consume the information that we are looking for via TAXII feed. The instructions on this page (docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists) lay out how to configure this in Splunk Web but don't provide any instructions on how to add them directly in a conf file which is what you have to do in a search head cluster. So my question is:

Where is the config file to make add these feeds and are there instructions on how to make these changes directly in the conf files?

bluger_splunk
Splunk Employee
Splunk Employee

Hi clarkwh2 --

The conf file used to store TAXII feed configurations is ../local/inputs.conf. An example entry would look like:

[threatlist://<input_name>]
description = TAXII description
disabled = false
interval = 86400
post_args = collection="<taxii_collection>" earliest="-1y" taxii_username="user" taxii_password="pass"
type = taxii
url = <url to taxii discovery service>

Docs pertaining to the available options for this modular input can be found in SA-ThreatIntelligence, under README/inputs.conf.spec

Hope this helps,

~Brian

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...