Where can I find the TAXII data?
We enabled the TAXII feed and we see under Threat Intelligence Audit that the TAXII feed polling was starting. Where can I see the data itself?

Hi, in the ES app, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts
Please note that all Threat Intel is being normalised into a joint intel framework. In the sub-tabs you will find the intel relating to the different security domains. Looking at the intel details you will see some of them are from your TAXII feeds... provided the download was successful.
Cheers, Oliver
I see another feed on the SH server at /opt/apps/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/emerging_threats_compromised_ip_blocklist.csv
Is there a way to see via the UI?
So, assuming you have the STIX/TAXII set up correctly, you can see it by using the | `threat_group_intel` macros.
@mzambrana123, I see data on the SH -
[<host>]$ pwd
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
[<host>]$ \ls -tlr
total 20
-rw-------+ 1 splunk splunk 15335 Sep 18 06:54 emerging_threats_compromised_ip_blocklist.csv
Is there a macro to see the data?
