Splunk Enterprise Security

STIX TAXII Data Not Showing On Some Days

aithau
New Member

The FS-ISAC Threat Intelligence STIX TAXII has been enabled in our environment. We received all IOCs from 4/2 but did not receive any on 4/3 or 4/9. I am trying to determine what happened on those days. I believe we are getting the files but I can't tell if there's an issue maybe with parsing or somewhere else.

The download log shows:

2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 09:12:41,113+0000 INFO pid=21356 tid=MainThread file=init.py:_poll_taxii_11:60 | Auth Type: AUTH_CERT_BASIC
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:435 | status="retrieved_checkpoint_data" stanza="FS-ISAC" last_run="1586725961.53"
2020-04-13 09:12:40,877+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:421 | status="continuing" msg="Processing stanza" name="threatlist://FS-ISAC"

The intel manager shows:
2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"

So it looks like they were successful but I do not see them in IP_intel, File_intel, etc. Where else can I look to see any issues or what else can I do? Any help us greatly appreciated.

0 Karma

dantimola
Communicator

Have you resolved this already? Would you mind sharing the solution? I'm having the same problem right now.

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...