Splunk Enterprise Security

Splunk ES taxii feed - AlienVault OTX config

Explorer

Hi everyone,

Am having issues with the configuration of the AlienVault OTX feed in Splunk ES and would appreciate any help.

Have got my AlienVault OTX key ready but need help with the Threat Intel taxii feed settings in the web gui.

Data inputs » Intelligence Downloads »

Type: taxii

URL: https://otx.alienvault.com/taxii/discovery
POST Arguments: <this is where my key should be placed but how is this formatted??>

-> have tried taxii_username="my_key"  in the post arguments to no avail. Just keep seeing the "TAXII feed polling starting" message on the "Threat Intelligence Audit" page.

Any help is greatly appreciated.

Cheers

Labels (2)

Explorer

Hoping that there is way forward with this one.

Many thanks in advance.

0 Karma

Communicator

My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase.

I've managed to install and configure those add-ons in less than an hour.

https://splunkbase.splunk.com/app/4336/

https://splunkbase.splunk.com/app/4337/

Explorer

Hi,

Many thanks for the reply.

We've been using those already but were kinda hoping we could move away from them (2yrs+ since last update on the github page + no SplunkApp Inspection pass mark) and use the general taxii feed input as it works fine for other feeds.

Cheers

0 Karma