- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Are there specific types of indicators and observa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there specific types of indicators and observables in STIX that the Splunk App for Enterprise Security 3.3 looks for?
I can't seem to make Splunk ES 3.3 ingest the XML files I get from the government. Naturally, I cannot divulge the details of the files in answers.splunk.com, but the threat_intelligence_manager.log in Splunk says:
pid=63229 tid=MainThread file=threat_intelligence_manager.py:process:338 | status="No observables or indicators found in document." filename="/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel/IB-15-20115.stix.xml"
I have confirmed that the STIX files are of flavor 1.1.1 and that there are indicators inside them. Is there a specific type of indicators and observables that Splunk ES 3.3 looks for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are your Observables embedded into Incidents ?
If that's the case it's supported by ES since 4.0.1: http://docs.splunk.com/Documentation/ES/4.0.1/RN/FixedIssues (SOLNESS-8154)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm on ES 3.3 too, and I'm encountering exactly the same problem !
Do you have some news about the issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're on Version 4 and had trouble with STIX files from MISP. Our Files did not run through the STIX validator https://github.com/STIXProject/stix-validator. I opened an issue on github https://github.com/MISP/MISP/issues/975. Just in case you also have MISP exports
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the news !
But I verified with stix-validator.py, my files exported are OK ! So the issue is still there !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you find a solution to this Problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. I got distracted by other things and I'm back on the warpath. I'm hoping someone from the Splunk ES team can assist, since they added the functionality. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
same issue here
Best Strategies to Optimize Observability Costs
Fueling your curiosity with new Splunk ILT and eLearning courses
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
