I have enabled the FS-ISAC Threat Intelligence feed in our environment. I've confirmed that the feed was successful: when I checked the Threat Intelligence Audit dashboard, the FS-ISAC feed was there and had a download status of "Retrieved document from TAXII feed". I also got the result status="Finished parsing STIX documents" success="159" failed="0" when using the search index=_internal sourcetype="threatintel:manager" "*fsisac*". However, when I checked the Threat Artifacts dashboard, the FS-ISAC feed was not there. How can I confirm whether Splunk ES is using the FS-ISAC feed? Have I missed a step in adding new threat intelligence via a TAXII feed? Should I create a lookup and a saved search for this? Thanks
Something like the following should allow you to see the indicators in the various KV stores; you can replace edge*xml with something like *fs_isac, as long as that is included in the name of the threat download you created:
| inputlookup file_intel
| append [ inputlookup ip_intel ]
| append [ inputlookup http_intel ]
| search threat_key=*edge*xml
| eval time=strftime(time,"%F %T")
Have you tried looking into the appropriate KV store collection, maybe http_intel? You should be able to see your artifacts there using |inputlookup ip_intel. If they're not there, then you're missing something.
You can find the list of intels to look into here:
When stuff is downloaded, we log it to threatlist.log.
When stuff is parsed, we log it to threat_intelligence_manager.log.
If parsing is successful, we write it to the KV store.
If we write to the KV store, Lookup Gen searches are triggered by the threat_intelligence_manager, and the data is copied over to the DA-ESS-ThreatIntelligence/lookups/threatintel_by_foo.csv files.
When the "Threat Gen" searches run, if enabled, we take the info found by those searches and perform lookups against those threatintel_by_foo.csv files; if a match is made, we write an entry into the threat_activity index.
So, as pointed out: what do the logs say in threatlist.log / threat_intelligence_manager.log?
This is the best starting point for understanding whether you have even configured your inputs properly to be able to download the data.
As an example, log entries like this in threatlist.log indicate you have cert problems:
2019-10-01 16:53:42,357+0000 INFO pid=140992 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=__init__.py:_poll_taxii_11:46 | Certificate not found - falling back to AUTH_BASIC.
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=__init__.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC
Paste your log entries here so we might be able to offer some assistance. In addition, your inputs.conf config would be helpful as well so we can see your postargs; make sure you remove your creds/pass.
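The stage-by-stage checks implied by the pipeline above, combined into one SPL search that reports a row per stage. This is an added example, not code from the thread; it assumes the download stanza is named FS-ISAC (as in the sample log lines), that the stanza name is included in threat_key (as the earlier answer notes), and that threat_activity events carry a threat_key field. The Lookup Gen CSV stage is left out because the thread does not name the files.

```spl
index=_internal source=*threatlist.log stanza="FS-ISAC"
| stats latest(_time) AS last_seen, latest(status) AS last_status BY stanza
| eval stage="1 download (threatlist.log)"
| append
    [ search index=_internal sourcetype="threatintel:manager" "*FS-ISAC*" status="Finished parsing STIX documents"
      | stats latest(_time) AS last_seen, latest(success) AS success, latest(failed) AS failed
      | eval stage="2 parse (threat_intelligence_manager.log)" ]
| append
    [ inputlookup ip_intel
      | append [ inputlookup file_intel ]
      | append [ inputlookup http_intel ]
      | search threat_key=*FS-ISAC*
      | stats count AS indicators, max(time) AS last_seen BY threat_key
      | eval stage="3 kvstore (*_intel collections)" ]
| append
    [ search index=threat_activity threat_key=*FS-ISAC*
      | stats count AS matches, latest(_time) AS last_seen
      | eval stage="5 threat_activity index" ]
| eval last_seen=strftime(last_seen, "%F %T")
| table stage, stanza, threat_key, last_status, success, failed, indicators, matches, last_seen
| sort stage
```

An empty row for stage 3 with a populated stage 2 points at the write-to-KV-store step (or a threat_key that does not contain the stanza name); an empty stage 5 with a populated stage 3 points at the Lookup Gen / Threat Gen searches rather than the download.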
Do you see the threat intelligence files in the directory mentioned on the 'Threat Intelligence Management' - Data Inputs page?
E.g. in the '$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel' directory.