These generally worked for me as well, but I would note that some of the stanza's are invalid if you are not on a more current version of Splunk/ES combo. I would recommend starting out without sinkhole and is_threatintel otherwise the taxii polling won't even start. I found this out by restarting the splunk service and paying attention to the error streams that show up in the startup output. Errors will look like the following: Invalid key in stanza [threatlist://fs-isac-default] in /opt/splunk/etc/apps/SA-ThreatIntelligence/local/inputs.conf, line 47: is_threatintel (value: 1). Invalid key in stanza [threatlist://fs-isac-default] in /opt/splunk/etc/apps/SA-ThreatIntelligence/local/inputs.conf, line 52: sinkhole (value:0). I overlooked the original note on .crt and .key files need to be placed in the auth/ folder within the app. I found the following conf talk from 2017 as well which may help fill in some details for folks. Though it doesn't mention ISAC data specifically could be a good primer for others. https://conf.splunk.com/files/2017/slides/enterprise-security-biology-dissecting-the-splunk-enterprise-security-threat-intelligence-framework.pdf ... View more

Any updates on this thread? ... View more

I had a similar situation recently where this happen. Support suggested the answer above, but it was unfortunately too late as I had already removed core splunk. Some time passed and was at a point where I needed to bounce the splunkd service. After the service came back online I noticed that the SH was removed from the Search Heads Tab of the Indexer Clustering page. ... View more