1st time configuring a feed in the Splunk App for Enterprise Security and I'm spinning my wheels. HELP 🙂 I have the Soltra server running and downloading the FS-ISAC feed, but how do I set it up in Splunk? By setup, I mean the syntax for the Splunk URL and post arguments.
Thanks in advance!
Did you ever make progress on this? I just started building out my Soltra box with the idea to do the same thing. As I run across more relevant info I'll post here.
NO! I still have the Edge server running. I've asked several folks on here, on Soltra, and even dug through the FS-ISAC forums and asked an engineer there. I'm sure I have a config issue, but the documentation leaves me stranded. Let me know what you find, as I'm to the point now of asking my pro-serve person to ask folks that he has run across!....
On the Soltra Edge Server:
1) Create your site: this is your connection to FS-ISAC with your various polling rules.
2) In the Feeds tab create a new feed. This is what Splunk will connect to, e.g. create a feed called "MYFEED" at http://127.0.0.1/taxii-discovery-service.
3) Make sure you have a user name, password and a trust group established
On the Splunk side :
1) Your TAXII Server entry = IP address or host name of your Soltra box
2) Port 80
3) /taxii-discovery-service/, e.g. the full URL would be http://192.xxx.xxx.xxx/taxii-discovery-service/admin.MYFEED
4) Userid = whichever one you created associated to the new feed on Soltra
5) Password = whatever password
Let me know how you make out.
OK, this was a complete PITA from the word GO. klaxdal, thanks a ton for pointing me in the right direction; it was exactly what I was looking for. I still had a couple of challenges, like my Edge server deciding to stop working on Oct 22, then I had the challenge of fighting the 2-factor cert within Edge. I had to hard code the username and password instead of using the cred manager in Splunk? I may try to back that off tomorrow, as I was giddy to actually see data in Splunk ES....
Thanks for your help. I see FS-ISAC data on the Splunk instance when I ssh into it; the feed got downloaded in ".xml" format. Now when I try to search for that data in Threat Activity or any other place I can't find it. How can I confirm that Splunk is able to parse and read this data?
Thanks in advance.
I've had some success, but I'm still not quite there. At this point I'm not sure if I've passed the parameters wrong in Splunk or if I've done it wrong on Soltra.
This is the message I get from Splunk in ES on the Threat Intelligence Audit
status="Retrieved documents from TAXII feed" count="0" stanza="Soltra Edge" collection="admin.IPWatchlist"
This is better than the error of being stuck on Polling which I had before.
Does this mean I've messed up creating a feed?
Thanks for your time.
Make sure the user name (in this case most likely "admin", judging by your feed name admin.IPWatchlist) and the password are correct in Splunk, and that the user ID has rights set up for the feed in Soltra.
Additionally, can you post any relevant log output? Log files are a must when trying to debug.
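As an added example (not from this thread, and not Splunk's or Soltra's own code), here is a stdlib-only Python script that does what Splunk ES does behind a TAXII threatlist stanza, so the pieces from klaxdal's steps above (Soltra host, /taxii-discovery-service, the admin.MYFEED collection name, the feed user) can be checked outside Splunk, and a count=0 poll can be told apart from a rejected login. It assumes the TAXII 1.1 XML message binding over HTTP, that Edge advertises its POLL service address in the Discovery_Response, and HTTP Basic auth with the feed user; the sample replies at the bottom are constructed for offline parsing, not captured from a real server.

```python
"""Stand-alone TAXII 1.1 check for one Soltra Edge collection (Python stdlib only)."""
import base64
import uuid
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"t": TAXII_NS}
# Headers required by the TAXII 1.1 HTTP protocol binding.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}
DISCOVERY_PATH = "/taxii-discovery-service"  # path quoted in the thread; assumed to be the discovery endpoint

def build_discovery_request(message_id=None):
    mid = message_id or uuid.uuid4().hex
    return f'<t:Discovery_Request xmlns:t="{TAXII_NS}" message_id="{mid}"/>'.encode()

def parse_discovery_response(body):
    """Map service_type (DISCOVERY, COLLECTION_MANAGEMENT, POLL, INBOX) to the advertised addresses."""
    root = ET.fromstring(body)
    services = {}
    for inst in root.findall("t:Service_Instance", NS):
        addr = (inst.findtext("t:Address", default="", namespaces=NS) or "").strip()
        services.setdefault(inst.get("service_type"), []).append(addr)
    return services

def build_poll_request(collection, exclusive_begin=None, message_id=None):
    """Poll_Request for one collection; exclusive_begin is an ISO-8601 timestamp or None (everything)."""
    mid = message_id or uuid.uuid4().hex
    begin = (f"<t:Exclusive_Begin_Timestamp>{escape(exclusive_begin)}</t:Exclusive_Begin_Timestamp>"
             if exclusive_begin else "")
    name = escape(collection, {'"': "&quot;"})
    return (f'<t:Poll_Request xmlns:t="{TAXII_NS}" message_id="{mid}" collection_name="{name}">'
            f'{begin}<t:Poll_Parameters allow_asynch="false"><t:Response_Type>FULL</t:Response_Type>'
            "</t:Poll_Parameters></t:Poll_Request>").encode()

def parse_poll_response(body):
    """Summarise a Poll_Response, or surface the Status_Message (e.g. UNAUTHORIZED) sent instead."""
    root = ET.fromstring(body)
    tag = root.tag.rsplit("}", 1)[-1]
    if tag == "Status_Message":
        msg = root.findtext("t:Message", default="", namespaces=NS) or ""
        return {"ok": False, "status_type": root.get("status_type"), "message": msg.strip()}
    if tag != "Poll_Response":
        return {"ok": False, "status_type": "UNEXPECTED_" + tag, "message": ""}
    blocks = root.findall("t:Content_Block", NS)
    bindings = sorted({cb.get("binding_id") for cb in root.iter(f"{{{TAXII_NS}}}Content_Binding")
                       if cb.get("binding_id")})
    return {"ok": True, "collection": root.get("collection_name"), "count": len(blocks),
            "more": (root.get("more") or "false").lower() == "true", "bindings": bindings}

def taxii_post(url, body, username, password, timeout=30):
    """POST a TAXII message with HTTP Basic auth (the Soltra feed user) and return the raw reply."""
    req = urllib.request.Request(url, data=body, headers=dict(TAXII_HEADERS), method="POST")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def check_collection(base_url, collection, username, password, exclusive_begin=None):
    """Discovery, then Poll of one collection; returns the parse_poll_response() summary."""
    disc = taxii_post(base_url.rstrip("/") + DISCOVERY_PATH, build_discovery_request(), username, password)
    poll_urls = parse_discovery_response(disc).get("POLL") or []
    if not poll_urls:
        return {"ok": False, "status_type": "NO_POLL_SERVICE", "message": "discovery advertised no POLL service"}
    reply = taxii_post(poll_urls[0], build_poll_request(collection, exclusive_begin), username, password)
    return parse_poll_response(reply)

# Constructed sample replies (not captured from a real Edge server) so the parsers run offline.
SAMPLE_DISCOVERY = (
    f'<t:Discovery_Response xmlns:t="{TAXII_NS}" message_id="2" in_response_to="1">'
    '<t:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">'
    "<t:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</t:Protocol_Binding>"
    "<t:Address>http://192.0.2.10/taxii-data</t:Address>"
    "<t:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</t:Message_Binding>"
    "</t:Service_Instance></t:Discovery_Response>").encode()
SAMPLE_POLL = (
    f'<t:Poll_Response xmlns:t="{TAXII_NS}" message_id="4" in_response_to="3" '
    'collection_name="admin.IPWatchlist" more="false">'
    '<t:Content_Block><t:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>'
    "<t:Content><stix/></t:Content></t:Content_Block>"
    '<t:Content_Block><t:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>'
    "<t:Content><stix/></t:Content></t:Content_Block></t:Poll_Response>").encode()
SAMPLE_UNAUTHORIZED = (
    f'<t:Status_Message xmlns:t="{TAXII_NS}" message_id="6" in_response_to="5" status_type="UNAUTHORIZED">'
    "<t:Message>Not authorized for collection admin.IPWatchlist</t:Message></t:Status_Message>").encode()
```

Against a live box the call is `check_collection("http://192.0.2.10", "admin.MYFEED", "feeduser", "secret")` (host, collection and credentials are placeholders). A result with `ok` True and `count` 0 means the login and collection name are accepted and the collection simply has nothing newer than the exclusive-begin timestamp, which is a different problem from an UNAUTHORIZED Status_Message (wrong feed user, or a user without rights on that feed) or an empty POLL service list (the discovery URL is wrong or Edge is not advertising polling).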
I would think the user would be the user that the Splunk instance is running under, is it not? This user already has appropriate file-level rights. The user I passed to Soltra should have been a Soltra-only user. Perhaps my logic is wrong on this?