Splunk Enterprise Security

Sonultra TAXII: How to add Threat Intelligence to my Splunk ES via the HISAC taxii discovery service?

michaeltayo
Explorer

I am trying to add Threat Intelligence to my Splunk ES via the HISAC taxii discovery service

I have set up the Intelligence Download with configs:
TYPE: taxii
URL: https://members.nhisac.org/taxii-discovery-service

POST ARGUMENT: collection="" earliest="-90d" taxii_username=""
taxii_password="PASSWORD"

In the Threat Intel Audit tab, the status is "TAXII feed polling starting" and has not changed.

Does anyone know if this is the correct way to do this?

Labels (2)

comrumino
Engager

Splunk is moving from using Stix/Taxii to using the TA TruStar. To get intel feeds, such as H-ISAC, the TruStar TA is the way to go. 
https://www.trustar.co/splunk-siem-and-trustar
https://splunkbase.splunk.com/app/5542/

I hope this helps!

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...