Splunk Enterprise Security

STIX TAXII Data Not Showing On Some Days

New Member

The FS-ISAC Threat Intelligence STIX TAXII has been enabled in our environment. We received all IOCs from 4/2 but did not receive any on 4/3 or 4/9. I am trying to determine what happened on those days. I believe we are getting the files but I can't tell if there's an issue maybe with parsing or somewhere else.

The download log shows:

2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 09:12:41,113+0000 INFO pid=21356 tid=MainThread file=init.py:_poll_taxii_11:60 | Auth Type: AUTH_CERT_BASIC
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:435 | status="retrieved_checkpoint_data" stanza="FS-ISAC" last_run="1586725961.53"
2020-04-13 09:12:40,877+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:421 | status="continuing" msg="Processing stanza" name="threatlist://FS-ISAC"

The intel manager shows:
2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"

So it looks like they were successful but I do not see them in IP_intel, File_intel, etc. Where else can I look to see any issues or what else can I do? Any help us greatly appreciated.

0 Karma


Have you resolved this already? Would you mind sharing the solution? I'm having the same problem right now.

0 Karma
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...