Splunk Enterprise Security

STIX TAXII Data Not Showing On Some Days

aithau
New Member

The FS-ISAC Threat Intelligence STIX TAXII has been enabled in our environment. We received all IOCs from 4/2 but did not receive any on 4/3 or 4/9. I am trying to determine what happened on those days. I believe we are getting the files but I can't tell if there's an issue maybe with parsing or somewhere else.

The download log shows:

2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 09:12:41,113+0000 INFO pid=21356 tid=MainThread file=init.py:_poll_taxii_11:60 | Auth Type: AUTH_CERT_BASIC
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:435 | status="retrieved_checkpoint_data" stanza="FS-ISAC" last_run="1586725961.53"
2020-04-13 09:12:40,877+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:421 | status="continuing" msg="Processing stanza" name="threatlist://FS-ISAC"

The intel manager shows:

2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"

So it looks like they were successful but I do not see them in IP_intel, File_intel, etc. Where else can I look to see any issues or what else can I do? Any help is greatly appreciated.

0 Karma
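As an added example (not from the post, and not Splunk's own code), here is a small Python script that correlates the two log formats quoted above per day, so that days with a retrieved document but nothing parsed, or with parse failures, stand out. It assumes the date embedded in the stored filename is the day that document was fetched; the last two sample log lines are constructed to show a day whose document failed to parse.

```python
import re
from datetime import date, timedelta
# Constructed sample: the first two lines are the post's own log lines; the last
# two are made up in the same format to show a day whose document failed to parse.
SAMPLE_LOG = """\
2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"
2020-04-03 09:10:02,001+0000 INFO pid=111 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-03 15:01:00,000+0000 INFO pid=222 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/tmp/FS-ISAC_TAXII_system.Default_2020-04-03T09-10-02.001000.xml" success="0" failed="12"
"""
KV_RE = re.compile(r'(\w+)="([^"]*)"')               # key="value" pairs after the '|'
DAY_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) ')          # date of the log line itself
FILE_DAY_RE = re.compile(r'_(\d{4}-\d{2}-\d{2})T[\d-]+\.\d+\.xml$')  # date in the stored filename

def parse_line(line):
    """Return (day, kind, fields): a TAXII download keyed by the log date, or a STIX
    parse result keyed by the date in the filename (assumed to be its fetch date)."""
    m = DAY_RE.match(line)
    kv = dict(KV_RE.findall(line))
    if m and 'download_taxii' in line and kv.get('status', '').startswith('Retrieved document'):
        return m.group(1), 'download', kv
    if 'stix_parser.py' in line and kv.get('status', '').startswith('Finished parsing'):
        fm = FILE_DAY_RE.search(kv.get('filename', ''))
        return (fm.group(1), 'parse', kv) if fm else None
    return None

def summarize(log_text):
    """Per-day counts of documents retrieved and of STIX documents parsed OK / failed."""
    days = {}
    for day, kind, kv in filter(None, map(parse_line, log_text.splitlines())):
        s = days.setdefault(day, {'download': 0, 'parsed_ok': 0, 'parsed_failed': 0})
        if kind == 'download':
            s['download'] += 1
        else:
            s['parsed_ok'] += int(kv.get('success', 0))
            s['parsed_failed'] += int(kv.get('failed', 0))
    return days

def find_gaps(summary, start, end):
    """Days in [start, end] (ISO strings) that need a closer look, with the reasons."""
    gaps, first, last = {}, date.fromisoformat(start), date.fromisoformat(end)
    for n in range((last - first).days + 1):
        day = (first + timedelta(days=n)).isoformat()
        s = summary.get(day, {})
        checks = [(s.get('download', 0) == 0, 'no TAXII document retrieved'),
                  (s.get('parsed_ok', 0) == 0, 'no STIX documents parsed successfully'),
                  (s.get('parsed_failed', 0) > 0, f"{s.get('parsed_failed')} STIX documents failed to parse")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            gaps[day] = reasons
    return gaps
```

A day that shows retrieval and a clean parse here but still has no rows in the intel lookups points past the download and parse stages, which is a different place to look than a day flagged by this script.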

dantimola
Communicator

Have you resolved this already? Would you mind sharing the solution? I'm having the same problem right now.

0 Karma