Splunk Enterprise Security

Where can I find the TAXII data?

danielbb
Motivator

We enabled the TAXII feed and we see under Threat Intelligence Audit that the TAXII feed polling was starting. Where can I see the data itself?

Labels (1)
Tags (1)
0 Karma

ololdach
Builder

Hi, in the ES app, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts 

Please note that all Threat Intel is being normalised into a joint intel framework. In the sub-tabs you will find the intel relating to the different security domains. Looking at the intel details you will see some of them are from your TAXII feeds... provided the download was successful.

Cheers, Oliver

danielbb
Motivator

I see another feed on the SH server at /opt/apps/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/emerging_threats_compromised_ip_blocklist.csv

Is there a way to see via the UI?

 

 

0 Karma

mzambrana123
Explorer

So assuming you have the Stix TAXII setup correctly you can see it by using the | `threat_group_intel` macros

danielbb
Motivator

@mzambrana123 , I see data on the SH -

 

[<host>]$ pwd
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
[<host>]$ \ls -tlr
total 20
-rw-------+ 1 splunk splunk 15335 Sep 18 06:54 emerging_threats_compromised_ip_blocklist.csv

 

Is there a macro to see the data?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...