Splunk Enterprise Security

Splunk ES taxii feed - AlienVault OTX config


Hi everyone,

Am having issues with the configuration of the AlienVault OTX feed in Splunk ES and would appreciate any help.

Have got my AlienVault OTX key ready but need help with the Threat Intel taxii feed settings in the web gui.

Data inputs » Intelligence Downloads »

Type: taxii

URL: https://otx.alienvault.com/taxii/discovery
POST Arguments: <this is where my key should be placed but how is this formatted??>

-> have tried taxii_username="my_key"  in the post arguments to no avail. Just keep seeing the "TAXII feed polling starting" message on the "Threat Intelligence Audit" page.

Any help is greatly appreciated.


Labels (2)


Hoping that there is way forward with this one.

Many thanks in advance.

0 Karma


My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase.

I've managed to install and configure those add-ons in less than an hour.





Many thanks for the reply.

We've been using those already but were kinda hoping we could move away from them (2yrs+ since last update on the github page + no SplunkApp Inspection pass mark) and use the general taxii feed input as it works fine for other feeds.


Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...