Has anyone ever faced or implemented this on Splunk ES? I'm facing an issue when trying to add a TAXII feed from an OTX API connection.
I already checked the connectivity and made some changes to the configuration, up to disabling the preferred captain on my search head, but it is still not resolved. I also know there is an app for this, but I just want to clarify whether this option is still supported or not.
Here is my POST argument:
URL: https://otx.alienvault.com/taxii/discovery
POST Argument: collection="user_otx" taxii_username="API key" taxii_password="foo"
But the download status stays at "TAXII feed polling starting", and when I check the PID information:
status="This modular input does not execute on search head cluster member" msg="will_execute"="false" config="SHC" msg="Deselected based on SHC primary selection algorithm" primary_host="None" use_alpha="None" exclude_primary="None"
Hi,
Did you consult this page?
https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Downloadthreatfeed
Yes, I already followed that source too.