I am trying to get the FS-ISAC threat feed from my Soltra Edge box into my threatlists on Splunk Enterprise Security.
In the Threatlist audit page, my Soltra Feed has the Download status as "Taxii feed polling starting"
I am also getting the Following errors:
[subsearch]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089
[subsearch]: Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089 - Not Found
Here are my settings in Threat Intelligence Download settings:
For the ES side of things, your settings generally seem okay (an example excerpt from inputs.conf that lives in "DA-ESS-ThreatIntelligence/default" is below):
description = Hail a TAXII.com malware domain host list
disabled = true
interval = 86400
post_args = collection="MalwareDomainList_Hostlist" earliest="-1y" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data
If you peek in your "DA-ESS-ThreatIntelligence/local" and "SA-ThreatIntelligence/local" directories for your ES installation, you will see your entry in the form of a new stanza in inputs.conf, you can compare those settings to the above. They won't be identical since Soltra likely doesn't use the same parameter names for the POST request, but worth looking at as a point of reference.
I have gone into DA-ESS-ThreatIntelligence/local/inputs.conf and SA-ThreatIntelligence/local/inputs.conf and I am not seeing stanzas that correlate to my TAXII inputs. I had assumed that Splunk would automatically add this to the inputs.conf file.
Should I have manually added that into the inputs.conf file?
Apologies I did not get back to you! If you created the inputs from the Splunk Web UI, it should create a corresponding entry in inputs.conf. That said, depending on what app you were in before you went to Settings > Data Inputs, that file might have been created in a different app directory.
You could always search for that stanza type ([threatlist://*]) via grep and see what files get returned.
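As an added example (not from the thread or from Splunk), here is a small POSIX sh helper that does that grep across every app's local and default inputs.conf and reports which app owns each [threatlist://...] stanza; the $SPLUNK_HOME/etc/apps layout and the stanza names in the sample are assumed/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): locate [threatlist://...] stanzas across
# all Splunk app directories, since Splunk Web writes the stanza into whichever
# app context you were in when you created the input. $SPLUNK_HOME layout assumed.

# find_threatlist_stanzas <etc/apps dir>
# Prints "app<TAB>stanza<TAB>file" for every [threatlist://...] stanza found.
find_threatlist_stanzas() {
    apps_dir="$1"
    for conf in "$apps_dir"/*/local/inputs.conf "$apps_dir"/*/default/inputs.conf; do
        [ -f "$conf" ] || continue
        app=$(basename "$(dirname "$(dirname "$conf")")")
        grep -o '^\[threatlist://[^]]*\]' "$conf" | while IFS= read -r stanza; do
            printf '%s\t%s\t%s\n' "$app" "$stanza" "$conf"
        done
    done
}

# Constructed sample layout standing in for $SPLUNK_HOME/etc/apps (not a real install).
make_sample_apps() {
    root="$1"
    mkdir -p "$root/DA-ESS-ThreatIntelligence/local" "$root/search/local" "$root/SA-ThreatIntelligence/default"
    cat > "$root/search/local/inputs.conf" <<'EOF'
[threatlist://soltra_fsisac]
type = taxii
url = https://soltra.example.invalid/taxii-data
disabled = 0
EOF
    cat > "$root/SA-ThreatIntelligence/default/inputs.conf" <<'EOF'
[threatlist://hailataxii_malwaredomainlist_hostlist]
type = taxii
disabled = true
EOF
    # local dir exists but holds no stanza: the situation the poster described
    : > "$root/DA-ESS-ThreatIntelligence/local/inputs.conf"
}

count_threatlist_stanzas() {
    find_threatlist_stanzas "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_apps "$tmp"
    find_threatlist_stanzas "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh find_threatlist.sh --demo` to see the sample output, or call `find_threatlist_stanzas "$SPLUNK_HOME/etc/apps"` against a real install.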