Splunk Enterprise Security

Integration: Splunk Enterprise Security (ES) to Anomali Limo?

dhodzic
New Member

Has anyone had luck defining Anomali Limo as a TAXII feed in Splunk Enterprise Security (ES)?

Our internal STAXX app can connect to Anomali Limo as guest/guest and access multiple feeds. We replicated this Limo TAXII definition in Splunk ES (Configure -> Data Enrichment -> Intelligence Downloads) but we get an HTTP Error 503 when polling is attempted.

Suggestions welcome.

— Log excerpt:
2018-04-19 14:39:44,964+0000 INFO pid=24800 tid=MainThread file=threatlist.py:run:372 | status=“continuing” msg=“Processing stanza” name=“threatlist://anomali_limo”
2018-04-19 14:39:44,965+0000 INFO pid=24800 tid=MainThread file=threatlist.py:download_taxii:240 | status=“TAXII feed polling starting” stanza=“anomali_limo”
2018-04-19 14:39:45,083+0000 INFO pid=24800 tid=MainThread file=init.py:_poll_taxii_11:48 | Certificate information incomplete - falling back to AUTH_BASIC.
2018-04-19 14:39:45,083+0000 INFO pid=24800 tid=MainThread file=init.py:_poll_taxii_11:67 | Auth Type: AUTH_BASIC
2018-04-19 14:39:45,385+0000 ERROR pid=24800 tid=MainThread file=threatlist.py:download_taxii:270 | status=“Exception when polling TAXII feed.” stanza=“anomali_limo”
TaxiiHandlerException: Exception when polling TAXII feed: Message Type: Status_Message Message ID: 0; In Response To: 1266407629267830681 Status Type: FAILURE Message: HTTP Error 503: Service Unavailable Date: Thu, 19 Apr 2018 14:39:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache X-Kong-Upstream-Latency: 8 X-Kong-Proxy-Latency: 0 Via: kong/0.10.1

503 Service Unavailable
No server is available to handle this request.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...