Splunk Search

Splunk ES Threat Intelligence TAXII feed with API POST Argument

elend
Path Finder

Did someone ever faced or implementing this on Splunk ES?. Im facing an issue when try add TAXII feed from OTX API connection,

i already check the connectivity, and made some changes on the configuration until disable the prefered captain on my search head, but it still not resolved. I also know there is an app for this, but just want to clarify are this option still supported or not.

Here my POST argument

URL: https://otx.alienvault.com/taxii/discovery
POST Argument: collection="user_otx" taxii_username="API key" taxii_password="foo"

But the download status keep on TAXII feed pooling starting, and when i check on the PID information 

status="This modular input does not execute on search head cluster member" msg="will_execute"="false" config="SHC" msg="Deselected based on SHC primary selection algorithm" primary_host="None" use_alpha="None" exclude_primary="None"

 

Labels (1)
Tags (2)
0 Karma

JohnEGones
Communicator

elend
Path Finder

yes, I already follow that source too.

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...