Am having issues with the configuration of the AlienVault OTX feed in Splunk ES and would appreciate any help.
Have got my AlienVault OTX key ready but need help with the Threat Intel taxii feed settings in the web gui.
Data inputs » Intelligence Downloads »
POST Arguments: <this is where my key should be placed but how is this formatted??>
-> have tried taxii_username="my_key" in the post arguments to no avail. Just keep seeing the "TAXII feed polling starting" message on the "Threat Intelligence Audit" page.
Any help is greatly appreciated.
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase.
I've managed to install and configure those add-ons in less than an hour.
Many thanks for the reply.
We've been using those already but were kinda hoping we could move away from them (2yrs+ since last update on the github page + no SplunkApp Inspection pass mark) and use the general taxii feed input as it works fine for other feeds.