All Apps and Add-ons

Anyone use SPLICE app to import TAXII feeds from Soltra Edge?

jeffy_a
New Member

Having some trouble getting the IOC - TAXII feed input configured to poll our Soltra Edge repository. Has anyone gotten this working yet? Authentication is fine/tested, it connects to the right port, etc, even finds the default feed, but when trying to download the feed I get this error:

-0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" something went wrong with TAXII polling: StartTag: invalid element name, line 2789, column 2

I'm not really sure where to go from here, but if anyone could point me in the right direction, or where to look, that would be great. Thanks,

Jeff

Tags (1)
0 Karma
1 Solution

cleroux_splunk
Splunk Employee
Splunk Employee

This error is related to improper IOCs carried over TAXII. This is not a SPLICE issue.
The bug is either in the TAXII server or the TAXII feed that let invalid messages be carried over TAXII/XML.

SPLICE v1.3.4 will provides a way to identify problematic IOCs.

Technical details can be found here: https://github.com/TAXIIProject/libtaxii/issues/170

View solution in original post

cleroux_splunk
Splunk Employee
Splunk Employee

This error is related to improper IOCs carried over TAXII. This is not a SPLICE issue.
The bug is either in the TAXII server or the TAXII feed that let invalid messages be carried over TAXII/XML.

SPLICE v1.3.4 will provides a way to identify problematic IOCs.

Technical details can be found here: https://github.com/TAXIIProject/libtaxii/issues/170

jeffy_a
New Member

Thanks for your help with this Cedric, I'll be passing along the analysis and comments to the folks at Soltra. All the best,

Jeff

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...