Splunk Enterprise Security

Are there specific types of indicators and observables in STIX that the Splunk App for Enterprise Security 3.3 looks for?

madcitygeek
Explorer

I can't seem to make Splunk ES 3.3 ingest the XML files I get from the government. Naturally, I cannot divulge the details of the files on answers.splunk.com, but the threat_intelligence_manager.log in Splunk says:

pid=63229 tid=MainThread file=threat_intelligence_manager.py:process:338 | status="No observables or indicators found in document." filename="/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel/IB-15-20115.stix.xml"

I have confirmed that the STIX files are of flavor 1.1.1 and that there are indicators inside them. Is there a specific type of indicators and observables that Splunk ES 3.3 looks for?

adebosschere_sp
Splunk Employee

Are your Observables embedded into Incidents?

If that's the case, it's supported by ES since 4.0.1: http://docs.splunk.com/Documentation/ES/4.0.1/RN/FixedIssues (SOLNESS-8154)

PierreE
Path Finder

I'm on ES 3.3 too, and I'm encountering exactly the same problem!
Do you have any news about the issue?


chris
Motivator

We're on version 4 and had trouble with STIX files from MISP. Our files did not run through the STIX validator https://github.com/STIXProject/stix-validator. I opened an issue on GitHub: https://github.com/MISP/MISP/issues/975. Just in case you also have MISP exports.

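As an added example (not code from this thread, from Splunk or from MISP), here is a standard-library Python 3 script that inventories a STIX 1.1.1 package before it is dropped into the threat_intel directory. It counts indicators and observables sitting at package level separately from those nested inside Incidents (the case adebosschere_sp describes as unsupported before ES 4.0.1) and lists the observable values it finds, so a file that visibly "has indicators" can be checked for where they actually live. The two embedded packages are constructed samples using documentation-range addresses; the element paths assume the standard STIX 1.1.1/CybOX 2.1 namespace URIs and the Incident Related_Indicators/Related_Observables layout. It complements, and does not replace, the stix-validator chris mentions, which checks schema validity rather than placement.

```python
"""Inventory a STIX 1.1.1 package: where do its indicators/observables live?

Top-level content vs. content nested inside Incidents is reported separately,
which is the distinction raised in the thread for the ES 3.3 log message
"No observables or indicators found in document."
"""
import xml.etree.ElementTree as ET

# Standard STIX 1.1.1 / CybOX 2.1 namespace URIs (assumed, not from the thread).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "incident": "http://stix.mitre.org/Incident-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]


def observable_values(root):
    """Collect (object type, value) for every leaf under cybox:Properties, e.g. Address_Value."""
    values = []
    for props in root.iter("{%s}Properties" % NS["cybox"]):
        otype = (props.get(XSI_TYPE) or "unknown").split(":")[-1]
        for el in props.iter():
            if el.tag.split("}")[-1].endswith("Value") and el.text and el.text.strip():
                values.append((otype, el.text.strip()))
    return values


def inventory(xml_text):
    """Count package-level vs. Incident-embedded indicators/observables."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}STIX_Package" % NS["stix"]:
        raise ValueError("not a STIX_Package root: %s" % root.tag)
    incidents = root.findall("stix:Incidents/stix:Incident", NS)
    # Inside an Incident, Related_Indicator/Related_Observable wrap stixCommon elements.
    emb_ind = [e for inc in incidents for e in inc.iter("{%s}Indicator" % NS["stixCommon"])]
    emb_obs = [e for inc in incidents for e in inc.iter("{%s}Observable" % NS["stixCommon"])]
    return {
        "version": root.get("version"),
        "top_level_indicators": len(root.findall("stix:Indicators/stix:Indicator", NS)),
        "top_level_observables": len(root.findall("stix:Observables/cybox:Observable", NS)),
        "incidents": len(incidents),
        "incident_embedded_indicators": len(emb_ind),
        "incident_embedded_observables": len(emb_obs),
        "observable_values": observable_values(root),
    }


def diagnose(inv):
    """One-line reading of the inventory in the terms used in the thread."""
    if inv["top_level_indicators"] or inv["top_level_observables"]:
        return "package-level content present"
    if inv["incident_embedded_indicators"] or inv["incident_embedded_observables"]:
        return "content only inside Incidents (thread says this needs ES 4.0.1+)"
    return "no indicators or observables anywhere"


# Constructed sample packages (documentation-range IPs, not real intel).
_NSDECL = (
    'xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" '
    'xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:incident="http://stix.mitre.org/Incident-1" '
    'xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1.1"'
)
_IPV4 = ('<cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">'
         '<AddressObj:Address_Value>%s</AddressObj:Address_Value></cybox:Properties></cybox:Object>')

SAMPLE_TOP_LEVEL = """<stix:STIX_Package %s id="example:package-1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:obs-1">%s</cybox:Observable>
  </stix:Observables>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:ind-1">
      <indicator:Observable idref="example:obs-1"/>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>""" % (_NSDECL, _IPV4 % "198.51.100.7")

SAMPLE_EMBEDDED = """<stix:STIX_Package %s id="example:package-2">
  <stix:Incidents>
    <stix:Incident xsi:type="incident:IncidentType" id="example:inc-1">
      <incident:Related_Indicators><incident:Related_Indicator>
        <stixCommon:Indicator xsi:type="indicator:IndicatorType" id="example:ind-2">
          <indicator:Observable id="example:obs-2">%s</indicator:Observable>
        </stixCommon:Indicator>
      </incident:Related_Indicator></incident:Related_Indicators>
    </stix:Incident>
  </stix:Incidents>
</stix:STIX_Package>""" % (_NSDECL, _IPV4 % "203.0.113.9")

if __name__ == "__main__":
    import sys
    # Pass real .stix.xml paths on the command line; with none, the two samples are used.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_TOP_LEVEL, SAMPLE_EMBEDDED]
    for text in sources:
        inv = inventory(text)
        print(inv, "->", diagnose(inv))
```

Run it against a file from the threat_intel directory; a result of zero package-level items with non-zero Incident-embedded items matches the situation the Splunk employee asks about, while all-zero counts on a file that validates cleanly points elsewhere (for example observables expressed through object types this simple leaf walk does not recognise).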

PierreE
Path Finder

Thanks for the news!

But I verified with stix-validator.py, and my exported files are OK! So the issue is still there!


chris
Motivator

Did you find a solution to this problem?


madcitygeek
Explorer

No. I got distracted by other things and I'm back on the warpath. I'm hoping someone from the Splunk ES team can assist, since they added the functionality. 🙂


aalanisr26
Path Finder

Same issue here.
