Splunk Enterprise Security

Splunk Enterprise Security: Taxii feed from Soltra Edge server is stuck at "Taxii feed polling starting"

tnoelOTS
Explorer

I am trying to get the FS-ISAC threat feed from my Soltra Edge box into my threatlists on Splunk Enterprise Security.

In the Threatlist audit page, my Soltra Feed has the Download status as "Taxii feed polling starting"

I am also getting the following errors:

[subsearch]:  Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089

[subsearch]:  Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089 - Not Found

Here are my settings in Threat Intelligence Download settings:

Type: taxi

Description: FS-ISAC_Feed_from_Soltra

url: http://10.190.0.35/taxii-discovery-service/admin.Splunk

Weight: 1

Interval: 43200

Post arguments: collection="Splunk" earliest="-1y" taxii_username="admin" taxii_password="xxxxxxx"

(the rest of the options are blank or set to default)

At this point I am unsure whether I have a problem in my settings or somewhere else.

I am new to Splunk and appreciate any help I can get at this point.

kchamplin_splun
Splunk Employee

Hello @tnoelOTS

On the Soltra side I noticed there are some interesting configurations needed - maybe look at the below link and see if that also helps.
https://answers.splunk.com/answers/312829/how-to-configure-an-fs-isac-feed-in-splunk-app-for.html

For the ES side of things, your settings generally seem okay (an example excerpt from inputs.conf that lives in "DA-ESS-ThreatIntelligence/default" is below):

[threatlist://hailataxii_malware]
description = Hail a TAXII.com malware domain host list
disabled = true
interval = 86400
post_args = collection="MalwareDomainList_Hostlist" earliest="-1y" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data

If you peek in your "DA-ESS-ThreatIntelligence/local" and "SA-ThreatIntelligence/local" directories for your ES installation, you will see your entry in the form of a new stanza in inputs.conf; you can compare those settings to the above. They won't be identical, since Soltra likely doesn't use the same parameter names for the POST request, but it is worth looking at as a point of reference.

0 Karma

tnoelOTS
Explorer

KChamplin,
I have gone into DA- and SA-ThreatIntelligence/local/inputs.conf and I am not seeing stanzas that correlate to my taxii inputs. I had assumed that Splunk would automatically add this to the inputs.conf file.

Should I have manually added that into the inputs.conf file?

0 Karma

kchamplin_splun
Splunk Employee

Apologies I did not get back to you! If you created the inputs from the Splunk Web UI, it should create a corresponding entry in inputs.conf. That said, depending on what app you were in before you went to Settings > Data Inputs, that file might have been created in a different app directory.
You could always search for that stanza type ([threatlist://*]) via grep and see what files get returned.

0 Karma
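One way to do the stanza search suggested above, as an added example that is not part of this thread: a POSIX shell script that finds every [threatlist://...] stanza in any inputs.conf under an apps directory and prints its type, url, interval and post_args with the TAXII password masked. The sample apps tree it builds is constructed for illustration (a reference stanza in DA-ESS-ThreatIntelligence/default and a user stanza that landed in search/local); on a real host point it at $SPLUNK_HOME/etc/apps instead.

```shell
#!/bin/sh
# Added example (not Splunk's or the thread's code): list threatlist stanzas
# across app directories so a feed saved under the wrong app is easy to spot.

list_threatlist_stanzas() {
  apps_dir="$1"
  find "$apps_dir" -name inputs.conf -print 2>/dev/null | sort | while read -r f; do
    awk -v file="$f" '
      /^\[threatlist:\/\// { stanza = $0; printf "%s %s\n", file, stanza; next }
      /^\[/                { stanza = ""; next }   # any other stanza ends the match
      stanza != "" && /^(type|url|interval|post_args) *=/ {
        line = $0
        # mask whatever password value is in post_args before printing
        gsub(/taxii_password="[^"]*"/, "taxii_password=\"***\"", line)
        printf "    %s\n", line
      }
    ' "$f"
  done
}

# Constructed sample tree: the shipped reference stanza plus a user stanza
# that was created while a different app (search) was active.
make_sample_apps() {
  dir=$(mktemp -d)
  mkdir -p "$dir/DA-ESS-ThreatIntelligence/default" "$dir/search/local"
  cat > "$dir/DA-ESS-ThreatIntelligence/default/inputs.conf" <<'EOF'
[threatlist://hailataxii_malware]
description = Hail a TAXII.com malware domain host list
disabled = true
interval = 86400
post_args = collection="MalwareDomainList_Hostlist" earliest="-1y" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data
EOF
  cat > "$dir/search/local/inputs.conf" <<'EOF'
[threatlist://FS-ISAC_Feed_from_Soltra]
interval = 43200
post_args = collection="Splunk" earliest="-1y" taxii_username="admin" taxii_password="xxxxxxx"
type = taxii
url = http://10.190.0.35/taxii-discovery-service/admin.Splunk
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: uses the constructed tree unless SPLUNK_APPS is set
apps="${SPLUNK_APPS:-$(make_sample_apps)}"
list_threatlist_stanzas "$apps"
```

The output shows the file each stanza lives in, so a stanza under search/local rather than DA-ESS-ThreatIntelligence/local explains why the ES directories look empty.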