Splunk Enterprise Security

Are there specific types of indicators and observables in STIX that the Splunk App for Enterprise Security 3.3 looks for?

madcitygeek
Explorer

I can't seem to make Splunk ES 3.3 ingest the XML files I get from the government. Naturally, I cannot divulge the details of the files in answers.splunk.com, but the threat_intelligence_manager.log in Splunk says:

pid=63229 tid=MainThread file=threat_intelligence_manager.py:process:338 | status="No observables or indicators found in document." filename="/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel/IB-15-20115.stix.xml"

I have confirmed that the STIX files are of flavor 1.1.1 and that there are indicators inside them. Is there a specific type of indicators and observables that Splunk ES 3.3 looks for?

adebosschere_sp
Splunk Employee

Are your Observables embedded into Incidents?

If that's the case, it's supported by ES since 4.0.1: http://docs.splunk.com/Documentation/ES/4.0.1/RN/FixedIssues (SOLNESS-8154)
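To check a STIX 1.1.1 file for the case this answer describes, one can inventory where the Observables actually sit in the package: top-level `stix:Observables` / `stix:Indicators` versus Observables nested under `stix:Incidents`. The script below is an added example, not code from Splunk ES or from this thread; the two STIX documents in it are constructed samples (with RFC 5737 documentation addresses), and the element paths are taken from the STIX 1.1.1 / CybOX 2.1 schemas rather than from anything the original poster shared.

```python
"""Inventory where Observables live in a STIX 1.1.1 package (added example)."""
import xml.etree.ElementTree as ET

# STIX 1.1.1 / CybOX 2.1 namespaces used by the element paths below.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "incident": "http://stix.mitre.org/Incident-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed sample: Indicator and Observable at the top level of the package.
TOP_LEVEL_DOC = """<stix:STIX_Package version="1.1.1" id="example:Package-1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:Observable-1">
      <cybox:Object id="example:Object-1">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.5</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object>
    </cybox:Observable>
  </stix:Observables>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-1">
      <indicator:Title>Constructed sample indicator</indicator:Title>
      <indicator:Observable idref="example:Observable-1"/>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed sample: the only Observable is embedded inside an Incident.
INCIDENT_DOC = """<stix:STIX_Package version="1.1.1" id="example:Package-2"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Incidents>
    <stix:Incident xsi:type="incident:IncidentType" id="example:Incident-1">
      <incident:Title>Constructed sample incident</incident:Title>
      <incident:Related_Observables>
        <incident:Related_Observable>
          <stixCommon:Observable id="example:Observable-2">
            <cybox:Object id="example:Object-2">
              <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
              </cybox:Properties>
            </cybox:Object>
          </stixCommon:Observable>
        </incident:Related_Observable>
      </incident:Related_Observables>
    </stix:Incident>
  </stix:Incidents>
</stix:STIX_Package>"""


def inventory(xml_text):
    """Count top-level Indicators/Observables and Observables nested in Incidents."""
    root = ET.fromstring(xml_text)
    top_ind = root.findall("stix:Indicators/stix:Indicator", NS)
    top_obs = root.findall("stix:Observables/cybox:Observable", NS)
    nested = root.findall(
        "stix:Incidents/stix:Incident/incident:Related_Observables/"
        "incident:Related_Observable/stixCommon:Observable", NS)
    return {
        "version": root.get("version"),
        "top_level_indicators": len(top_ind),
        "top_level_observables": len(top_obs),
        "incident_embedded_observables": len(nested),
        # True for the situation the answer above says needs ES 4.0.1 (SOLNESS-8154).
        "only_embedded_in_incidents": not top_ind and not top_obs and bool(nested),
    }


def address_values(xml_text):
    """Return every AddressObj value anywhere in the package, regardless of nesting."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Address_Value" % NS["AddressObj"]
    return [el.text.strip() for el in root.iter(tag) if el.text]


if __name__ == "__main__":
    for name, doc in (("top-level", TOP_LEVEL_DOC), ("incident-embedded", INCIDENT_DOC)):
        print(name, inventory(doc), address_values(doc))
```

Run it against one of the real files (replace the constructed strings with `open(path).read()`): a result with zero top-level Indicators and Observables but a non-zero embedded count matches the "No observables or indicators found in document." message on ES 3.3, and the version check confirms the package really declares 1.1.1.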

PierreE
Path Finder

I'm on ES 3.3 too, and I'm encountering exactly the same problem!
Do you have any news about the issue?


chris
Motivator

We're on Version 4 and had trouble with STIX files from MISP. Our files did not run through the STIX validator https://github.com/STIXProject/stix-validator. I opened an issue on GitHub https://github.com/MISP/MISP/issues/975, just in case you also have MISP exports.


PierreE
Path Finder

Thanks for the news!

But I verified with stix-validator.py; my exported files are OK! So the issue is still there!


chris
Motivator

Did you find a solution to this problem?


madcitygeek
Explorer

No. I got distracted by other things and I'm back on the warpath. I'm hoping someone from the Splunk ES team can assist, since they added the functionality. 🙂


aalanisr26
Path Finder

Same issue here.
