I can't seem to make Splunk ES 3.3 ingest the XML files I get from the government. Naturally, I cannot divulge the details of the files in answers.splunk.com, but the threat_intelligence_manager.log in Splunk says:
pid=63229 tid=MainThread file=threat_intelligence_manager.py:process:338 | status="No observables or indicators found in document." filename="/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel/IB-15-20115.stix.xml"
I have confirmed that the STIX files are of flavor 1.1.1 and that there are indicators inside them. Is there a specific type of indicators and observables that Splunk ES 3.3 looks for?
Are your Observables embedded into Incidents ?
If that's the case it's supported by ES since 4.0.1: http://docs.splunk.com/Documentation/ES/4.0.1/RN/FixedIssues (SOLNESS-8154)
I'm on ES 3.3 too, and I'm encountering exactly the same problem !
Do you have some news about the issue ?
We're on Version 4 and had trouble with STIX files from MISP. Our Files did not run through the STIX validator https://github.com/STIXProject/stix-validator. I opened an issue on github https://github.com/MISP/MISP/issues/975. Just in case you also have MISP exports
Thanks for the news !
But I verified with stix-validator.py, my files exported are OK ! So the issue is still there !
Did you find a solution to this Problem?
No. I got distracted by other things and I'm back on the warpath. I'm hoping someone from the Splunk ES team can assist, since they added the functionality. 🙂
same issue here