Splunk Enterprise Security

Using certificate-based auth for a TAXII Threat Intel download?

Path Finder

I notice that Splice was deprecated as ES (allegedly) did everything Splice did, however one thing Splice supported that ES does not (seem to) is additional auth factors besides username and password. Splice had parameters taxiicertpem and taxicertkey. Is my understanding that ES TAXII downloads do not support these correct, or do I simply need to know the magic post parameters invocation to get this working. Any help much appreciated, but I'm reading the source in parallel and will follow up with the answer if none is forthcoming.

0 Karma

Path Finder

Ok so to save anyone else going hunting, reading contrib/libtaxii/clients.py, it looks like post params is indeed the way to go, thusly:
collection="stuffIwant" authtype="AUTHCERTBASIC" keyfile="/path/to/key.key" cert_file="/path/to/cert.crt" username="blah" password="blahblah"

Hope this helps somebody else!

Best regards,
Barry

Path Finder

Or you could just be smarter than me and read the answer in the ES Admin Manual. (Groans and shakes head).

0 Karma

Path Finder

Correction: authtype doesn't get set, it's derived from the provided params. The correct parameters for username and password are taxiiusername and taxii_password

0 Karma