
Splunk ES Threat Intelligence TAXII feed with API POST Argument

elend
Path Finder

Has anyone ever faced or implemented this on Splunk ES? I'm facing an issue when trying to add a TAXII feed from an OTX API connection.

I already checked the connectivity and made some changes to the configuration, up to disabling the preferred captain on my search head, but it is still not resolved. I also know there is an app for this, but I just want to clarify whether this option is still supported or not.

Here is my POST argument:

URL: https://otx.alienvault.com/taxii/discovery
POST Argument: collection="user_otx" taxii_username="API key" taxii_password="foo"

But the download status stays at "TAXII feed polling starting", and when I check the PID information:

status="This modular input does not execute on search head cluster member" msg="will_execute"="false" config="SHC" msg="Deselected based on SHC primary selection algorithm" primary_host="None" use_alpha="None" exclude_primary="None"

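Added example (not from the post, and not Splunk or OTX code): a small Python checker that parses Splunk's key="value" syntax, validates the POST argument keys shown above, and classifies the SHC status line so a member that was merely deselected by the primary-selection algorithm can be told apart from a real failure. The list of required POST argument keys is assumed from the post.

```python
import re
from typing import Dict, Optional

# Splunk key="value" syntax, as used by the ES threat-intel "POST Argument"
# field and by the modular-input status shown in the PID information.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# The status line renders the flag as msg="will_execute"="false", which the
# generic parser cannot pair up, so the flag is matched on its own.
_WILL_EXECUTE_RE = re.compile(r'will_execute"?\s*=\s*"?(true|false)')
# Keys the TAXII download in the post relies on (list assumed from the post).
REQUIRED_TAXII_ARGS = ("collection", "taxii_username", "taxii_password")

def parse_kv(line: str) -> Dict[str, str]:
    """Parse key="value" pairs; a repeated key keeps its last value."""
    return dict(_KV_RE.findall(line))

def check_post_args(post_args: str) -> list:
    """Names of required TAXII POST arguments that are missing or empty."""
    kv = parse_kv(post_args)
    return [key for key in REQUIRED_TAXII_ARGS if not kv.get(key)]

def shc_execution_verdict(status_line: str) -> Dict[str, Optional[str]]:
    """Classify a modular-input status line from a search head cluster member.

    On an SHC each modular input runs on one member chosen by the primary
    selection algorithm; every other member logs will_execute="false" with
    config="SHC", which is expected. It is only a problem when no member
    at all reports that it executes the input.
    """
    kv = parse_kv(status_line)
    match = _WILL_EXECUTE_RE.search(status_line)
    will_execute = (match.group(1) == "true") if match else None
    on_shc = kv.get("config") == "SHC"
    primary = kv.get("primary_host")
    if will_execute is False and on_shc:
        verdict = "deselected-shc-member"  # normal for non-selected members
    elif will_execute is False:
        verdict = "not-executing"
    elif will_execute:
        verdict = "executing"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "config": kv.get("config"),
            # "None" here means the status names no selected member
            "primary_host": None if primary in (None, "None") else primary,
            "msg": kv.get("msg")}
```

Run `shc_execution_verdict` over the PID status of every SHC member: if all of them come back "deselected-shc-member" with no primary_host, the input is not running anywhere, which matches the polling never starting.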

JohnEGones
Communicator

elend
Path Finder

Yes, I already follow that source too.
