The app enables streamlined ingestion of Indicators of Compromise (IOCs) from TAXII 2.x feeds directly into Splunk. It solves the common challenge of operationalizing external threat intelligence: pulling structured threat data on a schedule, normalizing it, and making it instantly searchable for detection, investigation, and reporting.
With a simple setup page for global settings and a lightweight modular input per collection, the app continuously collects new IOCs using incremental checkpoints, so you only ingest what’s changed. Built‑in pagination, retry/backoff, and time handling ensure reliable operation, while you control where data lands (index/sourcetype) and how far back to fetch on first run.
Highlights
- Direct TAXII 2.x ingestion into Splunk
- Incremental updates with durable checkpoints (no duplicate floods)
- Configurable initial lookback window and collection‑level inputs
- Works with customer‑defined index, sourcetype, and interval
- Ready‑to‑search IOC fields (indicator, indicator_type, STIX metadata)
- Robust handling for pagination and transient HTTP errors (429/5xx)
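The collection loop described above (incremental `added_after` checkpoint, following `next` pages, and backing off on 429/5xx) is illustrated here as an added example. It is not the app's own code or Splunk's modular-input API: the STIX pattern parsing, the `fetch` transport callable and the in-memory feed with its `.example` domain and TEST-NET address are all constructed for this illustration.

```python
"""Added example: TAXII 2.1 polling with checkpoint, pagination and retry/backoff.
Constructed for illustration; not the app's code. The transport is a callable
fetch(url, params) -> (status, headers, json_body) so the loop runs offline."""
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

# STIX 2 object paths mapped to the indicator_type value written to Splunk (assumed map).
STIX_TYPE_MAP = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "ipv6-addr:value": "ipv6",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}
# Handles only single-comparison patterns such as [domain-name:value = 'x']; compound
# patterns are skipped rather than half-parsed.
_PATTERN = re.compile(r"\[\s*([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'\s*\]")

Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], dict]]


def normalize_indicator(obj: dict) -> Optional[dict]:
    """Flatten one STIX indicator into search-ready fields; return None for anything else."""
    if obj.get("type") != "indicator":
        return None
    m = _PATTERN.fullmatch(obj.get("pattern", ""))
    if not m:
        return None
    path, value = m.groups()
    return {
        "indicator": value,
        "indicator_type": STIX_TYPE_MAP.get(path, path),
        "stix_id": obj.get("id"),
        "created": obj.get("created"),
        "modified": obj.get("modified"),
        "valid_from": obj.get("valid_from"),
        "labels": obj.get("labels", []),
    }


def fetch_with_retry(fetch: Fetch, url: str, params: Dict[str, str], retries: int = 4,
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[Dict[str, str], dict]:
    """Retry transient 429/5xx answers with exponential backoff, honouring Retry-After."""
    for attempt in range(retries):
        status, headers, body = fetch(url, params)
        if status == 200:
            return headers, body
        if status == 429 or 500 <= status < 600:
            sleep(float(headers.get("Retry-After", 2 ** attempt)))
            continue
        raise RuntimeError(f"TAXII request failed: HTTP {status}")  # 4xx other than 429: do not retry
    raise RuntimeError("TAXII request failed after retries")


def poll_collection(fetch: Fetch, objects_url: str, checkpoint: Optional[str],
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[List[dict], Optional[str]]:
    """Collect objects added strictly after `checkpoint` (TAXII `added_after` semantics,
    so a saved checkpoint never re-ingests the same objects), following `next` pages.
    Returns (normalized indicators, checkpoint to persist for the next run)."""
    params: Dict[str, str] = {"limit": "100"}
    if checkpoint:
        params["added_after"] = checkpoint
    events: List[dict] = []
    new_checkpoint = checkpoint
    while True:
        headers, body = fetch_with_retry(fetch, objects_url, params, sleep=sleep)
        events.extend(ev for ev in map(normalize_indicator, body.get("objects", [])) if ev)
        # TAXII 2.1 servers report the newest date_added on the page in this header;
        # RFC 3339 timestamps in the same format compare correctly as strings.
        last = headers.get("X-TAXII-Date-Added-Last")
        if last and (new_checkpoint is None or last > new_checkpoint):
            new_checkpoint = last
        if not body.get("more"):
            return events, new_checkpoint
        params = dict(params, next=body["next"])


def make_fake_feed():
    """Constructed two-page TAXII feed whose first answer is a 429, for offline runs."""
    ts1, ts2 = "2024-05-01T10:00:00.000Z", "2024-05-02T08:30:00.000Z"
    pages = {
        None: ({"more": True, "next": "p2", "objects": [
            {"type": "indicator", "id": "indicator--0001", "created": ts1, "modified": ts1,
             "valid_from": ts1, "labels": ["malicious-activity"],
             "pattern": "[domain-name:value = 'malware.example']"},
            {"type": "malware", "id": "malware--0001"}]}, {"X-TAXII-Date-Added-Last": ts1}),
        "p2": ({"more": False, "objects": [
            {"type": "indicator", "id": "indicator--0002", "created": ts2, "modified": ts2,
             "valid_from": ts2, "pattern": "[ipv4-addr:value = '198.51.100.7']"}]},
               {"X-TAXII-Date-Added-Last": ts2}),
    }
    calls = {"n": 0, "params": []}

    def fetch(url: str, params: Dict[str, str]):
        calls["n"] += 1
        calls["params"].append(dict(params))
        if calls["n"] == 1:
            return 429, {"Retry-After": "1"}, {}
        body, hdrs = pages[params.get("next")]
        return 200, hdrs, body

    return fetch, calls


if __name__ == "__main__":
    feed, _ = make_fake_feed()
    evs, cp = poll_collection(feed, "https://taxii.example/api1/collections/c1/objects/",
                              "2024-04-30T00:00:00.000Z", sleep=lambda s: None)
    print(len(evs), "indicators; next checkpoint", cp)
```

In a real modular input the returned checkpoint is what gets written to the durable checkpoint store after the events are emitted, and the initial lookback window is just the first `added_after` value handed in when no checkpoint exists yet.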
Use cases
- Enrich detections with current domain/IP/hash IOCs
- Power investigations and threat hunting with up‑to‑date intel
- Feed dashboards and alerts with high‑fidelity threat indicators