Splunk ES taxii feed - AlienVault OTX config
Hi everyone,
I am having issues with the configuration of the AlienVault OTX feed in Splunk ES and would appreciate any help.
I have my AlienVault OTX key ready but need help with the Threat Intel taxii feed settings in the web gui.
Data inputs » Intelligence Downloads »
Type: taxii
URL: https://otx.alienvault.com/taxii/discovery
POST Arguments: <this is where my key should be placed but how is this formatted??>
-> have tried taxii_username="my_key" in the post arguments to no avail. Just keep seeing the "TAXII feed polling starting" message on the "Threat Intelligence Audit" page.
Any help is greatly appreciated.
Cheers
Hoping that there is way forward with this one.
Many thanks in advance.
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straightforward and the configuration guide can be found in the Details section of each Add-on on splunkbase.
I've managed to install and configure those add-ons in less than an hour.
Hi,
Many thanks for the reply.
We've been using those already but were kinda hoping we could move away from them (2yrs+ since last update on the github page + no SplunkApp Inspection pass mark) and use the general taxii feed input as it works fine for other feeds.
Cheers
Just in case someone is still looking for an answer to this, go to ES Threat Intelligence Management and click New -> TAXII
URL: https://otx.alienvault.com/taxii/collections
Post Arguments:
collection=user_AlienVault taxii_username=xxxxxxxxxxxxxyourAPIKeyHerexxxxxxxxx taxii_password=foo
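As an added example (not from this thread, Splunk or AlienVault), a small Python helper that parses a POST Arguments string in the key=value form shown above, flags the mistakes seen earlier in the thread (credentials given without a collection, the placeholder key left in), and redacts the key before the string is pasted into a ticket or log. The three required keys come from the post above; the function names are my own.

```python
import shlex

# Keys the ES TAXII input needs in POST Arguments, per the answer above:
# the collection to poll plus the TAXII credentials (OTX takes the API
# key as taxii_username and accepts any value for taxii_password).
REQUIRED_KEYS = ("collection", "taxii_username", "taxii_password")
SECRET_KEYS = ("taxii_username", "taxii_password")


def parse_post_args(post_args):
    """Parse space-separated key=value pairs (values may be quoted) into a dict.

    Raises ValueError on a token that is not key=value or has an empty side.
    """
    parsed = {}
    for token in shlex.split(post_args):
        if "=" not in token:
            raise ValueError(f"argument {token!r} is not key=value")
        key, value = token.split("=", 1)
        if not key or not value:
            raise ValueError(f"argument {token!r} has an empty key or value")
        parsed[key] = value
    return parsed


def check_post_args(post_args):
    """Return a list of problems with the arguments; an empty list means OK."""
    try:
        parsed = parse_post_args(post_args)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in parsed]
    # Catch a copy-pasted example key (the placeholder used in the post above).
    if "yourapikeyhere" in parsed.get("taxii_username", "").lower():
        problems.append("taxii_username still holds the placeholder, not a real OTX API key")
    return problems


def redact_post_args(post_args):
    """Return the same argument string with credential values replaced by ***."""
    parsed = parse_post_args(post_args)
    return " ".join(
        f"{k}={'***' if k in SECRET_KEYS else v}" for k, v in parsed.items()
    )


if __name__ == "__main__":
    # Constructed sample: the original poster's attempt, which lacks two keys.
    print(check_post_args('taxii_username="my_key"'))
```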
@efheem Thanks for posting this! Did this setup "just work" for you?
With your configs, I see the files downloading in the logs, but it never finishes the first run, stating "The downloaded taxii intelligence has a size that exceeds the configured max_size and will be discarded." I've tried increasing the max to 500Mb in the lab, but still encounter the same problem.
Facing a similar issue with the Alien Vault threat feed; increased the max size, still it fails with the errors "Exception when polling TAXII feed. Any saved documents will be discarded" and "The downloaded taxii intelligence has a size that exceeds the configured max_size and will be discarded."
Has anyone been able to resolve this?
I increased the limit several times, but eventually I got the same error. Do you know a way to see what data was received, for example, to do a search?
