Re: Where can I find the TAXII data?

danielbb · ‎07-30-2020

We enabled the TAXII feed and we see under Threat Intelligence Audit that the TAXII feed polling was starting. Where can I see the data itself?

ololdach · ‎10-02-2020

Hi, in the ES app, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts

Please note that all Threat Intel is being normalised into a joint intel framework. In the sub-tabs you will find the intel relating to the different security domains. Looking at the intel details you will see some of them are from your TAXII feeds... provided the download was successful.

Cheers, Oliver

danielbb · ‎08-06-2020

I see another feed on the SH server at /opt/apps/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/emerging_threats_compromised_ip_blocklist.csv

Is there a way to see via the UI?

mzambrana123 · ‎07-30-2020

So assuming you have the Stix TAXII setup correctly you can see it by using the | `threat_group_intel` macros

danielbb · ‎09-18-2020

@mzambrana123 , I see data on the SH -

[<host>]$ pwd
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
[<host>]$ \ls -tlr
total 20
-rw-------+ 1 splunk splunk 15335 Sep 18 06:54 emerging_threats_compromised_ip_blocklist.csv

Is there a macro to see the data?

Where can I find the TAXII data?

using Enterprise Security

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Are you a member of the Splunk Community?

Where can I find the TAXII data?

using Enterprise Security

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ