I am trying to add Threat Intelligence to my Splunk ES via the HISAC taxii discovery service.
I have set up the Intelligence Download with configs:
TYPE: taxii
URL: https://members.nhisac.org/taxii-discovery-service
POST ARGUMENT: collection="" earliest="-90d" taxii_username="" taxii_password="PASSWORD"
In the Threat Intel Audit tab, the status is "TAXII feed polling starting" and has not changed.
Does anyone know if this is the correct way to do this?
Splunk is moving from using Stix/Taxii to using the TA TruStar. To get intel feeds, such as H-ISAC, the TruStar TA is the way to go.
https://www.trustar.co/splunk-siem-and-trustar
https://splunkbase.splunk.com/app/5542/
I hope this helps!