Are there specific types of indicators and observa...

madcitygeek · ‎10-20-2015

I can't seem to make Splunk ES 3.3 ingest the XML files I get from the government. Naturally, I cannot divulge the details of the files in answers.splunk.com, but the threat_intelligence_manager.log in Splunk says:

pid=63229 tid=MainThread file=threat_intelligence_manager.py:process:338 | status="No observables or indicators found in document." filename="/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel/IB-15-20115.stix.xml"

I have confirmed that the STIX files are of flavor 1.1.1 and that there are indicators inside them. Is there a specific type of indicators and observables that Splunk ES 3.3 looks for?

adebosschere_sp · ‎03-25-2016

Are your Observables embedded into Incidents ?

If that's the case it's supported by ES since 4.0.1: http://docs.splunk.com/Documentation/ES/4.0.1/RN/FixedIssues (SOLNESS-8154)

PierreE · ‎03-21-2016

I'm on ES 3.3 too, and I'm encountering exactly the same problem !
Do you have some news about the issue ?

chris · ‎03-21-2016

We're on Version 4 and had trouble with STIX files from MISP. Our Files did not run through the STIX validator https://github.com/STIXProject/stix-validator. I opened an issue on github https://github.com/MISP/MISP/issues/975. Just in case you also have MISP exports

PierreE · ‎03-21-2016

Thanks for the news !

But I verified with stix-validator.py, my files exported are OK ! So the issue is still there !

chris · ‎01-14-2016

Did you find a solution to this Problem?

madcitygeek · ‎02-16-2016

No. I got distracted by other things and I'm back on the warpath. I'm hoping someone from the Splunk ES team can assist, since they added the functionality. 🙂

aalanisr26 · ‎11-17-2015

same issue here

Are there specific types of indicators and observables in STIX that the Splunk App for Enterprise Security 3.3 looks for?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life