Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

STIX TAXII Data Not Showing On Some Days

aithau
New Member
‎04-13-2020 10:50 AM

The FS-ISAC Threat Intelligence STIX TAXII has been enabled in our environment. We received all IOCs from 4/2 but did not receive any on 4/3 or 4/9. I am trying to determine what happened on those days. I believe we are getting the files but I can't tell if there's an issue maybe with parsing or somewhere else.

The download log shows:

2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 09:12:41,113+0000 INFO pid=21356 tid=MainThread file=init.py:_poll_taxii_11:60 | Auth Type: AUTH_CERT_BASIC
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:435 | status="retrieved_checkpoint_data" stanza="FS-ISAC" last_run="1586725961.53"
2020-04-13 09:12:40,877+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:421 | status="continuing" msg="Processing stanza" name="threatlist://FS-ISAC"

The intel manager shows:
2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"

So it looks like they were successful but I do not see them in IP_intel, File_intel, etc. Where else can I look to see any issues or what else can I do? Any help us greatly appreciated.

0 Karma
Reply

dantimola
Communicator
‎10-14-2020 04:01 AM

Have you resolved this already? Would you mind sharing the solution? I'm having the same problem right now.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top