Splunk Enterprise Security

Where can I find the TAXII data?

danielbb
Motivator

We enabled the TAXII feed and we see under Threat Intelligence Audit that the TAXII feed polling was starting. Where can I see the data itself?

Labels (1)
Tags (1)
0 Karma

ololdach
Builder

Hi, in the ES app, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts 

Please note that all Threat Intel is being normalised into a joint intel framework. In the sub-tabs you will find the intel relating to the different security domains. Looking at the intel details you will see some of them are from your TAXII feeds... provided the download was successful.

Cheers, Oliver

danielbb
Motivator

I see another feed on the SH server at /opt/apps/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/emerging_threats_compromised_ip_blocklist.csv

Is there a way to see via the UI?

 

 

0 Karma

mzambrana123
Explorer

So assuming you have the Stix TAXII setup correctly you can see it by using the | `threat_group_intel` macros

danielbb
Motivator

@mzambrana123 , I see data on the SH -

 

[<host>]$ pwd
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
[<host>]$ \ls -tlr
total 20
-rw-------+ 1 splunk splunk 15335 Sep 18 06:54 emerging_threats_compromised_ip_blocklist.csv

 

Is there a macro to see the data?

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...