I am trying to get the FS-ISAC threat feed from my Soltra Edge box into my threatlists on Splunk Enterprise Security.
In the Threatlist audit page, my Soltra Feed has the Download status as "Taxii feed polling starting"
I am also getting the following errors:
[subsearch]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089
[subsearch]: Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089 - Not Found
Here are my settings in Threat Intelligence Download settings:
Type: taxi
Description: FS-ISAC_Feed_from_Soltra
url: http://10.190.0.35/taxii-discovery-service/admin.Splunk
Weight: 1
Interval: 43200
Post arguments: collection="Splunk" earliest="-1y" taxii_username="admin" taxii_password="xxxxxxx"
(the rest of the options are blank or set to default)
At this point I am unsure whether I have a problem in my settings or somewhere else.
I am new to Splunk and appreciate any help I can get at this point.
Hello @tnoelOTS
On the Soltra side I noticed there are some interesting configurations needed - maybe look at the below link and see if that also helps.
https://answers.splunk.com/answers/312829/how-to-configure-an-fs-isac-feed-in-splunk-app-for.html
For the ES side of things, your settings generally seem okay (an example excerpt from inputs.conf that lives in "DA-ESS-ThreatIntelligence/default" is below):
[threatlist://hailataxii_malware]
description = Hail a TAXII.com malware domain host list
disabled = true
interval = 86400
post_args = collection="MalwareDomainList_Hostlist" earliest="-1y" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data
If you peek in your "DA-ESS-ThreatIntelligence/local" and "SA-ThreatIntelligence/local" directories for your ES installation, you will see your entry in the form of a new stanza in inputs.conf; you can compare those settings to the above. They won't be identical, since Soltra likely doesn't use the same parameter names for the POST request, but it's worth looking at as a point of reference.
KChamplin,
I have gone into DA- and SA-ThreatIntelligence/local/inputs.conf and I am not seeing stanzas that correlate to my taxii inputs. I had assumed that Splunk would automatically add this to the inputs.conf file.
Should I have manually added that into the inputs.conf file?
Apologies, I did not get back to you! If you created the inputs from the Splunk Web UI, it should create a corresponding entry in inputs.conf. That said, depending on which app you were in before you went to Settings > Data Inputs, that file might have been created in a different app directory.
You could always search for that stanza type ([threatlist://*]) via grep and see what files get returned.
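As an added example (not code from this thread, from Splunk or from Soltra), a small Python checker that does what the last reply suggests: it finds every [threatlist://*] stanza in an inputs.conf and flags settings that do not match the shape of the default TAXII stanza quoted above. The sample inputs.conf, the soltra.example.internal hostname and the list of required post_args keys are constructed assumptions for illustration.

```python
import configparser
import shlex

# Constructed sample inputs.conf, not from a real deployment: the first stanza mirrors the ES
# default quoted in the thread; the second is a hypothetical Soltra entry with two defects
# (type typo, missing taxii_password) so the checker has something to report.
SAMPLE_INPUTS_CONF = """\
[threatlist://hailataxii_malware]
description = Hail a TAXII.com malware domain host list
disabled = true
interval = 86400
post_args = collection="MalwareDomainList_Hostlist" earliest="-1y" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data

[threatlist://soltra_fsisac]
description = FS-ISAC_Feed_from_Soltra
interval = 43200
post_args = collection="Splunk" earliest="-1y" taxii_username="admin"
type = taxi
url = http://soltra.example.internal/taxii-discovery-service/admin.Splunk
"""

STANZA_PREFIX = "threatlist://"
# Keys a TAXII stanza's post_args should carry; assumption based on the default stanza above.
REQUIRED_POST_ARGS = ("collection", "taxii_username", "taxii_password")

def parse_threatlist_stanzas(text):
    """Return {stanza_name: {key: value}} for every [threatlist://...] stanza in text."""
    # Only '=' is a delimiter so the ':' in url values is not mistaken for one.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s[len(STANZA_PREFIX):]: dict(cp[s]) for s in cp.sections() if s.startswith(STANZA_PREFIX)}

def parse_post_args(post_args):
    """Split 'k="v" k2="v2"' into a dict; shlex removes the quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(post_args) if "=" in tok)

def check_stanza(settings):
    """Return the problems found in one threatlist stanza (empty list means it looks sane)."""
    problems = []
    if settings.get("type") != "taxii":
        problems.append(f"type must be 'taxii', found {settings.get('type')!r}")
    if not settings.get("url", "").startswith(("http://", "https://")):
        problems.append("url is missing or not an http(s) URL")
    args = parse_post_args(settings.get("post_args", ""))
    for key in REQUIRED_POST_ARGS:
        if key not in args:
            problems.append(f"post_args is missing {key}")
    return problems
```

To run it against a real installation, read each inputs.conf found under the app directories the thread names (and any other app's local directory) into parse_threatlist_stanzas and print check_stanza for each result.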