Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

STIX TAXII Data Not Showing On Some Days

aithau
New Member
‎04-13-2020 10:50 AM

The FS-ISAC Threat Intelligence STIX TAXII has been enabled in our environment. We received all IOCs from 4/2 but did not receive any on 4/3 or 4/9. I am trying to determine what happened on those days. I believe we are getting the files but I can't tell if there's an issue maybe with parsing or somewhere else.

The download log shows:

2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 09:12:41,113+0000 INFO pid=21356 tid=MainThread file=init.py:_poll_taxii_11:60 | Auth Type: AUTH_CERT_BASIC
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:435 | status="retrieved_checkpoint_data" stanza="FS-ISAC" last_run="1586725961.53"
2020-04-13 09:12:40,877+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:421 | status="continuing" msg="Processing stanza" name="threatlist://FS-ISAC"

The intel manager shows:
2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"

So it looks like they were successful but I do not see them in IP_intel, File_intel, etc. Where else can I look to see any issues or what else can I do? Any help us greatly appreciated.

0 Karma
Reply

dantimola
Communicator
‎10-14-2020 04:01 AM

Have you resolved this already? Would you mind sharing the solution? I'm having the same problem right now.

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top