Splunk® Intelligence Management (Legacy)

Workflow Apps


Configure Anomali Threatstream client to collect Indicator data from Splunk Intelligence Management

Configure the Anomali Threatstream TAXII client to collect Indicator data from the Splunk Intelligence Management TAXII server and make that data available for analysis in Anomali Threatstream.

Prerequisites

Configure the Anomali Threatstream TAXII client

  1. Navigate to Settings > TAXII.
  2. Click the TAXII Feeds tab.
  3. Click Actions and select New TAXII Feed.
  4. Select the following options for the new feed:
    • Name for the TAXII Feed.
    • Expiration date. Use the default value of 90 days.
    • Whether to override the system confidence or not.
      If you check this option, set the confidence level. Use the default setting, which is unchecked.
  5. Navigate to Settings > TAXII.
  6. Click the Sites tab.
  7. Click Actions and select Add Site.
  8. Edit the following fields in the New Site dialog box:
    • Descriptive Name: Enter the feed name. Include "Splunk Intelligence Management" in the name so that you can remember the feed source.
    • Discovery URL: Enter the discovery URL.
    • Authentication: Select Basic Authentication.
    • Username: Enter your Splunk Intelligence Management API key.
    • Password: Enter your Splunk Intelligence Management API secret.
  9. Click Add Site to create the new site. The new site appears on the Sites tab.
  10. Select the checkbox next to the site that you just created and click on [...] to configure it. The settings for that site are displayed.
  11. Confirm that DISCOVERY OK is selected in the Discovery box.
  12. Click Configure under the collection name to access the Feed Configuration dialog.
  13. Enter the following information in the Feed Configuration dialog:
    • Leave Subscription ID empty.
    • Select an Interval for how often to poll.
    • Select the Date and Time you want the poll to start.
    • Click Save and Run Now to complete the configuration.
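
The DISCOVERY OK status in step 11 reflects a successful authenticated discovery exchange. The following added example (not Splunk or Anomali code) builds that request and reads a discovery response, assuming the server speaks TAXII 1.1 over HTTPS; the URL, credentials, and sample response are constructed placeholders.

```python
import base64
import uuid
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"  # assumption: TAXII 1.1
MSG = "urn:taxii.mitre.org:message:xml:1.1"

def build_discovery_request(discovery_url, api_key, api_secret):
    """Build (without sending) the Discovery_Request a TAXII 1.1 client POSTs."""
    if urlsplit(discovery_url).scheme != "https":
        # Basic Authentication only base64-encodes the API key and secret.
        raise ValueError("refusing to send API credentials over a non-HTTPS URL")
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    body = f'<taxii_11:Discovery_Request xmlns:taxii_11="{NS}" message_id="{uuid.uuid4()}"/>'
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/xml",
        "X-TAXII-Content-Type": MSG,
        "X-TAXII-Accept": MSG,
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    }
    return urllib.request.Request(discovery_url, data=body.encode(), headers=headers, method="POST")

def list_services(response_xml):
    """Return (service_type, address) pairs from a Discovery_Response."""
    if "<!DOCTYPE" in response_xml.upper():
        raise ValueError("DTD in response; refusing to parse")
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS}}}Discovery_Response":
        raise ValueError(f"unexpected message: {root.tag}")
    return [(s.get("service_type"), s.findtext(f"{{{NS}}}Address"))
            for s in root.iter(f"{{{NS}}}Service_Instance")]

# Constructed sample response; the host is a placeholder, not the real server.
SAMPLE = f"""<taxii_11:Discovery_Response xmlns:taxii_11="{NS}" message_id="1" in_response_to="2">
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" available="true">
    <taxii_11:Address>https://taxii.example.invalid/collections</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" available="true">
    <taxii_11:Address>https://taxii.example.invalid/poll</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""

if __name__ == "__main__":
    req = build_discovery_request("https://taxii.example.invalid/discovery", "API_KEY", "API_SECRET")
    print(req.get_method(), req.full_url, list_services(SAMPLE))
```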

Troubleshooting

If you do not see the Poll Collections tab after configuration, check the Threatstream User Administrator or the Users page to verify that the user is granted the Import to TAXII Feeds permission.

Last modified on 27 July, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

