Splunk® Intelligence Management (Legacy)


Splunk Intelligence Management TAXII Server

The Splunk Intelligence Management TAXII server provides access to Indicators as STIX packages delivered over the TAXII protocol.

Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS. It enables organizations to share information using an API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX, although it can share data in other formats as well.

Supported Version

  • The Splunk Intelligence Management TAXII server supports TAXII Server version 1.2
  • The current version of the Splunk Intelligence Management code is TruSTAR_TAXIIv3.0.

Splunk Intelligence Management also provides a TAXII client intelligence source through the Marketplace. This is a convenient way to ingest intelligence from other TAXII services into your Splunk Intelligence Management Enclaves.

Features

  • Exports Indicators from Splunk Intelligence Management Enclaves as STIX, in your choice of output format (XML or JSON).
  • Exports Indicators within a specified time window.
  • Advertises all available services through its Discovery service.

The Splunk Intelligence Management TAXII service provides a subset of the Indicators in the Splunk Intelligence Management platform. By default (that is, without a "from" time on the poll request), a query to a collection returns all Indicators of that collection's type that were submitted in the last 24 hours to any Enclave you have access to.

TAXII Services

The Splunk Intelligence Management TAXII server supports the following TAXII services:

TAXII Service          Description                                                       URL
Poll                   Request information from a TAXII Server.                          https://taxii.trustar.co/services/poll
Collection-Management  Request information about available Data Collections or          https://taxii.trustar.co/services/collection-management
                       request a subscription.
Discovery              Discover available TAXII Services.                                https://taxii.trustar.co/services/discovery

TAXII Collections

The Splunk Intelligence Management TAXII Server offers the following Indicator collections:

Collection Name                       Description
collection-indicator-IP               Collection of all IP addresses.
collection-indicator-URL              Collection of all URLs.
collection-indicator-MD5              Collection of all MD5 hashes.
collection-indicator-SHA1             Collection of all SHA1 hashes.
collection-indicator-SHA256           Collection of all SHA256 hashes.
collection-indicator-EMAIL_ADDRESS    Collection of all email addresses.
collection-indicator-REGISTRY_KEY     Collection of all registry keys.
collection-indicator-BITCOIN_ADDRESS  Collection of all bitcoin addresses.
collection-indicator-PHONE NUMBERS    Collection of all TruSTAR phone number indicators.
collection-indicator-ALL              Collection of all available Indicators of the types listed above.

The set of collections advertised by the server can differ from this table (the sample Collection Management response later on this page lists, for example, collection-indicator-url, collection-indicator-SOFTWARE and collection-indicator-CIDR_BLOCK). Query the Collection Management service to get the collection names currently available to your account, and use them exactly as returned.

Web interface configuration

If your TAXII client meets the requirements listed in the Requirements section below, you do not need to download or install any additional files in order to connect to the Splunk Intelligence Management TAXII server. You can use the client GUI to connect to the Discovery service or the Collection Management service and find all collections available for download.

For example, if you are using LogRhythm Threat Intelligence Services, you can use that TAXII client to connect to the Splunk Intelligence Management TAXII server. See the LogRhythm documentation for details on connecting to a TAXII server. The following steps use the LogRhythm client's settings:

  1. Select the Add a STIX/TAXII Provider button. You now see a TAXII client setup page.
  2. Fill out the information as it applies to your client:
    • TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
    • Username: your Splunk Intelligence Management API Key (see Finding Your API Keys).
    • Password: your Splunk Intelligence Management API Secret.
    • Certificate Authentication: leave unchecked and ignore Certificate Password and Certificate Path. Authentication is by API Key and Secret, not by client certificate.
    • Threat Provider Name: any name of your choice (for example, "Splunk Intelligence Management" or "Splunk Intelligence Management Sharing Group IOCs").

You now see the list of available collections and you can select which ones to access via the TAXII client.

Command Line Usage

To query the Splunk Intelligence Management TAXII server from the command line, create a Python 3 virtual environment, activate it, and pip-install the libtaxii library. Whenever that virtual environment is activated, you can poll any TAXII server (including Splunk Intelligence Management's) from the command line with the client scripts that ship with libtaxii (discovery_client.py, collection_information_client.py and poll_client.py), by following the libtaxii project's documentation.

Other open-source TAXII clients:

Splunk Intelligence Management TAXII Server Parameters

  • URL to connect (-u, --url). Required. Always use https://taxii.trustar.co/services/ followed by the service name: discovery, poll or collection-management.
  • Username (--username). Required. Use your TruSTAR API Key (see Finding Your API Keys).
    Example: --username aca05832-f1a0-0184-8f67-5741fffe7a14
  • Password (--pass). Required. Use your TruSTAR API Secret.
    Example: --pass Tzw4FLIX0rW338i7jYU3UgU0
  • Collection to use (--collection). Required for poll requests. See the TAXII Collections section above.
    Example: --collection collection-indicator-IP
  • Time (-t, --time). Optional. Specify a "from" time in UTC.
    Example: -t <Time_in_UTC :00:00:000>
    The TAXII server returns all Indicators from the Enclaves you have View (or higher) access to whose "timeUpdated" attribute is between the time you specify and the present moment. The default is the last 24 hours.
  • Proxy (--proxy). Optional. Specify a proxy.
    Example: --proxy http://myproxy.example.com:80
  • Cert (--cert). Optional. Specify a client certificate file.
    Example: --cert MyCert.crt
  • Cert Key (--key). Optional; only needed together with --cert.
    Example: --key MyKey.key
  • Output (--xml-output or --json-output). Optional. Choose the format of the STIX output file; the default is XML.
    Example: --xml-output

Client Calls and Responses

This section lists the libtaxii client calls and responses.

Discovery

python discovery_client.py -u https://taxii.trustar.co/services/discovery --username <API Key> --pass <API Secret>

Sample Response

Request:

Message Type: Discovery_Request
Message ID: 377306701207002283

Response:

Message Type: Discovery_Response
Message ID: 6034388875283072057; In Response To: 377306701207002283
  === Service Instance ===
    Service Type: POLL
    Service Version: urn:taxii.mitre.org:services:1.1
    Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
    Service Address: https://taxii.trustar.co/services/poll
    Message Binding: urn:taxii.mitre.org:message:xml:1.0
    Message Binding: urn:taxii.mitre.org:message:xml:1.1
    Available: True
    Message: Trustar indicator Poll Service description
  === Service Instance ===
    Service Type: DISCOVERY
    Service Version: urn:taxii.mitre.org:services:1.1
    Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
    Service Address: https://taxii.trustar.co/services/discovery
    Message Binding: urn:taxii.mitre.org:message:xml:1.0
    Message Binding: urn:taxii.mitre.org:message:xml:1.1
    Available: True
    Message: Trustar Discovery Service description
  === Service Instance ===
    Service Type: COLLECTION_MANAGEMENT
    Service Version: urn:taxii.mitre.org:services:1.1
    Protocol Binding: urn:taxii.mitre.org:protocol:https:1.0
    Service Address: https://taxii.trustar.co/services/collection-management
    Message Binding: urn:taxii.mitre.org:message:xml:1.0
    Message Binding: urn:taxii.mitre.org:message:xml:1.1
    Available: True
    Message: Trustar Collection Management Service description

Poll a Specific Collection

python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --username <API Key> --pass <API Secret>

Sample Response

Request:

Message Type: Poll_Request
Message ID: 3641663190328146359
  Collection Name: collection-indicator-IP
  Excl. Begin TS Label: None
  Incl. End TS Label: None
  === Poll_Parameters ===
    Response type: FULL

Response:

Message Type: Poll_Response
Message ID: 3685762672097258501; In Response To: 3641663190328146359
  Collection Name: collection-indicator-IP
  More: False
  Result ID: None
  Result Part Num: 1
  === Content Block ===
    Content Binding: urn:stix.mitre.org:xml:1.1>IP
    Content length: 78959
    (Content not printed for brevity)
    Timestamp Label: 2019-03-12 23:12:34.222823+00:00
    Message: None
    Padding: None

File created: collection-indicator-IP_STIX11_t2019_03_12T23_12_34_222823_00_00.xml
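The Poll exchange shown above, as an added example written against the Python 3 standard library instead of libtaxii's poll_client.py; this is not code from the page or from the product. It assumes the TAXII 1.1 XML message binding and HTTPS protocol binding that the Discovery response advertises, and that the server accepts the API Key and API Secret as HTTP Basic credentials, which is how libtaxii sends --username and --pass. It verifies the server certificate, refuses plain-http URLs (the Collection Management response advertises http:// poll addresses; do not use them), and checks that the reply's in_response_to matches the message_id it sent. SAMPLE_RESPONSE is a constructed reply modelled on the sample above with the STIX content shortened to an empty package; the function names and the TRUSTAR_API_KEY / TRUSTAR_API_SECRET environment variables are this example's own.

```python
"""TAXII 1.1 poll exchange against the Splunk Intelligence Management TAXII server,
standard library only (no libtaxii dependency)."""
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
T = "{%s}" % TAXII_NS                       # Clark-notation prefix for TAXII 1.1 elements
POLL_URL = "https://taxii.trustar.co/services/poll"
ET.register_namespace("taxii_11", TAXII_NS)


def build_poll_request(collection, begin=None, message_id=None):
    """Serialize a TAXII 1.1 Poll_Request. `begin` (timezone-aware datetime) becomes the
    Exclusive_Begin_Timestamp, i.e. the "from" time; omit it for the server default."""
    mid = message_id or str(uuid.uuid4().int >> 64)   # message_id is an opaque string
    req = ET.Element(T + "Poll_Request", message_id=mid, collection_name=collection)
    if begin is not None:
        ET.SubElement(req, T + "Exclusive_Begin_Timestamp").text = begin.astimezone(timezone.utc).isoformat()
    params = ET.SubElement(req, T + "Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, T + "Response_Type").text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def taxii_headers(api_key, api_secret):
    """HTTP headers for the TAXII 1.1 XML binding over HTTPS, plus HTTP Basic auth built
    from the API Key (username) and API Secret (password)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "Authorization": "Basic " + token,
    }


def parse_poll_response(data, expected_in_response_to):
    """Parse a Poll_Response. Raises on a Status_Message (the TAXII error reply) or on a
    reply that does not answer the request we sent. Returns the collection name, the
    `more` flag and one (content_binding, stix_xml, timestamp_label) per Content_Block."""
    root = ET.fromstring(data)
    if root.tag == T + "Status_Message":
        raise RuntimeError("TAXII status %s: %s" % (root.get("status_type"), root.findtext(T + "Message")))
    if root.tag != T + "Poll_Response":
        raise ValueError("unexpected TAXII message " + root.tag)
    if root.get("in_response_to") != expected_in_response_to:
        raise ValueError("in_response_to does not match the message_id we sent")
    blocks = []
    for block in root.findall(T + "Content_Block"):
        binding = block.find(T + "Content_Binding").get("binding_id")
        payload = list(block.find(T + "Content"))          # the embedded STIX_Package element
        stix_xml = ET.tostring(payload[0], encoding="unicode") if payload else ""
        blocks.append((binding, stix_xml, block.findtext(T + "Timestamp_Label")))
    return {"collection_name": root.get("collection_name"),
            "more": root.get("more", "false").lower() == "true",
            "blocks": blocks}


def poll(collection, api_key, api_secret, begin=None, url=POLL_URL, proxy=None):
    """POST the Poll_Request over TLS with certificate verification and parse the reply."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send API credentials over plain HTTP")
    message_id = str(uuid.uuid4().int >> 64)
    body = build_poll_request(collection, begin, message_id)
    handlers = [urllib.request.HTTPSHandler(context=ssl.create_default_context())]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"https": proxy}))
    request = urllib.request.Request(url, data=body, headers=taxii_headers(api_key, api_secret), method="POST")
    with urllib.request.build_opener(*handlers).open(request, timeout=60) as resp:
        return parse_poll_response(resp.read(), message_id)


# Constructed Poll_Response modelled on the sample above; the STIX content is shortened.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="3685762672097258501" in_response_to="3641663190328146359"
    collection_name="collection-indicator-IP" more="false" result_part_number="1">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1"/>
    <taxii_11:Content><stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" id="example:Package-1"/></taxii_11:Content>
    <taxii_11:Timestamp_Label>2019-03-12T23:12:34.222823+00:00</taxii_11:Timestamp_Label>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

if __name__ == "__main__":
    import os   # credentials come from the environment, never from the command line or source
    result = poll("collection-indicator-IP", os.environ["TRUSTAR_API_KEY"], os.environ["TRUSTAR_API_SECRET"],
                  begin=datetime.now(timezone.utc) - timedelta(hours=24))
    for binding, stix_xml, label in result["blocks"]:
        print(binding, label, len(stix_xml), "characters of STIX")
```

If the server sets more="true" on the reply, the remaining parts must be fetched with TAXII Poll_Fulfillment requests using the result_id; this example handles the single-part response the sample shows.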

Collection Management

python collection_information_client.py -u https://taxii.trustar.co/services/collection-management --username <API Key> --pass <API Secret>

Note that the sample response below advertises http:// (not https://) addresses for the Poll and Subscription services. Do not follow them: keep using the https://taxii.trustar.co/services/... URLs, otherwise your API Key and Secret travel in cleartext.

Sample Response

Request:

Message Type: Collection_Information_Request
Message ID: 2357215507238313583

Response:

Message Type: Collection_Information_Response
Message ID: 4748931395125127784; In Response To: 2357215507238313583
Contains 9 Collection Informations
  === Data Collection Information ===
    Collection Name: collection-indicator-url
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-IP
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-MD5
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-SHA1
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-SHA256
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-SOFTWARE
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-EMAIL_ADDRESS
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-REGISTRY_KEY
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

  === Data Collection Information ===
    Collection Name: collection-indicator-CIDR_BLOCK
    Collection Type: DATA_SET
    Available: True
    Collection Description: None
    Supported Content: All
    === Polling Service Instance ===
      Poll Protocol: urn:taxii.mitre.org:protocol:http:1.0
      Poll Address: http://taxii.trustar.co/services/poll
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
    === Subscription Service ===
      Protocol Binding: urn:taxii.mitre.org:protocol:http:1.0
      Address: http://taxii.trustar.co/services/collection-management
      Message Binding: urn:taxii.mitre.org:message:xml:1.0
      Message Binding: urn:taxii.mitre.org:message:xml:1.1
  ==================================

Optional Parameters

python poll_client.py -u https://taxii.trustar.co/services/poll --collection collection-indicator-IP --time <Time_in_UTC :00:00:000> --username <API Key> --pass <API Secret> --cert <MyCert.crt> --key <MyKey.key> --proxy http://myproxy.example.com:80 --xml-output

STIX Package with additional metadata

<stix:Indicator id="example:indicator-8aad8469-1054-4f06-84ab-9460c98bf24e" timestamp="2020-04-15T17:14:31.607354+00:00" xsi:type="indicator:IndicatorType">
    <indicator:Title>IP</indicator:Title>
    <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
    <indicator:Description>IOC from Virus Total. Tags: [tag1, tag2]</indicator:Description>
    <indicator:Observable id="example:Observable-78b22981-4365-4521-8086-f713635be7a4">
        <cybox:Object id="example:Address-b6e908ac-8839-44f6-a872-e1469dd0d4af">
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                <AddressObj:Address_Value>12.5.37.3</AddressObj:Address_Value>
            </cybox:Properties>
        </cybox:Object>
    </indicator:Observable>
    <indicator:Confidence timestamp="2020-04-15T17:14:31.608393+00:00">
        <stixCommon:Value>1</stixCommon:Value>
    </indicator:Confidence>
    <indicator:Sightings sightings_count="1366">
        <indicator:Sighting timestamp="2020-04-15T14:14:31.608613+00:00"/>
    </indicator:Sightings>
    <indicator:Producer>
        <stixCommon:Identity>
            <stixCommon:Name>TruStar</stixCommon:Name>
        </stixCommon:Identity>
    </indicator:Producer>
</stix:Indicator>

Using TAXII clients from other tools with the Splunk Intelligence Management TAXII Server

You can use a TAXII client to download data from the Splunk Intelligence Management TAXII Server.

Requirements

The TAXII client you use must meet the following requirements in order to connect to the Splunk Intelligence Management TAXII server:

  • TAXII Version 1.2 or higher
  • Able to accept STIX 1.2 formatted packages
  • Splunk Intelligence Management API v1.3 (provided by Splunk Intelligence Management)
  • Splunk Intelligence Management Python SDK v0.3.23 (provided by Splunk Intelligence Management)
  • Able to connect to these services supported by the Splunk Intelligence Management TAXII Server:
    • Discovery
    • Collection Management
    • Collection Polling

A subscription ID is not required to access Splunk Intelligence Management's TAXII server data.

Accessing an Enclave

By default, the Splunk Intelligence Management TAXII server serves Indicators from all Splunk Intelligence Management Enclaves that your Splunk Intelligence Management user account has access to.

Downloading from a Single Enclave

To download from a single Enclave, Splunk Intelligence Management recommends a two-step process:

  1. Create a new User Account in the Splunk Intelligence Management Web App. Treat this as a service account: use a team or group email address as its username to distinguish its limited access from user accounts that have full access to Splunk Intelligence Management Enclaves.
  2. Give that account View access only to the Enclave you want to download from. For more information on how to do this, see Managing Users.

Downloading from Multiple Enclaves

If you need to download Indicators from multiple Enclaves and need to know which Enclave each Indicator came from, Splunk Intelligence Management recommends creating several service accounts, each with View access to a single Enclave. You can then make poll requests to the TAXII server one service account at a time.

If you are using a TAXII client within a third-party application (for example, LogRhythm), you must configure a separate Splunk Intelligence Management TAXII server connection for each Enclave that you want to query.

Managing Safelisted (Whitelisted) Indicators

When you connect your TAXII client to the Splunk Intelligence Management TAXII server, the client imports all Indicators, including those you have safelisted in Splunk Intelligence Management.

To avoid this, choose one of the following options:

  • Manually delete those Indicators in the Splunk Intelligence Management Web App before the TAXII client connection is made.
  • Programmatically remove them from the TAXII server's response after your TAXII client has downloaded it from Splunk Intelligence Management.
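The second option, applied to the STIX package the poll returns, as an added example that is not code from the page or from the product. It parses each stix:Indicator of the shape shown under "STIX Package with additional metadata" above (Title carries the Indicator type, Description carries the tags, Confidence and Sightings carry the server's metadata) and then drops Indicators whose value is on a local safelist. Only the Python standard library is used. SAMPLE_PACKAGE wraps the page's IP Indicator in a package together with a second, constructed MD5 Indicator; the VALUE_TAGS set is an assumption about which CybOX leaf elements carry the value for the non-IP collections, which this page does not show.

```python
"""Extract Indicators from a STIX 1.1 package returned by the TAXII server and drop
the ones on a local safelist. Standard library only."""
import re
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree for feeds you do not fully trust

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
}
TAGS_RE = re.compile(r"Tags:\s*\[(.*?)\]")   # "IOC from Virus Total. Tags: [tag1, tag2]"
# Assumption: leaf elements carrying the value for address, URI, file-hash and registry-key objects.
VALUE_TAGS = {"Address_Value", "Value", "Simple_Hash_Value", "Key"}


def _local(tag):
    """Strip the {namespace} part of a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


def observable_value(ind):
    """First value-bearing leaf under Observable/Object/Properties, or None."""
    props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
    if props is None:
        return None
    for el in props.iter():
        if _local(el.tag) in VALUE_TAGS and el.text and el.text.strip():
            return el.text.strip()
    return None


def parse_indicators(stix_xml):
    """Return one dict per stix:Indicator with the metadata the server adds."""
    root = ET.fromstring(stix_xml)
    out = []
    for ind in root.iter("{%s}Indicator" % NS["stix"]):
        desc = ind.findtext("indicator:Description", default="", namespaces=NS)
        m = TAGS_RE.search(desc)
        conf = ind.findtext("indicator:Confidence/stixCommon:Value", namespaces=NS)
        sightings = ind.find("indicator:Sightings", NS)
        out.append({
            "id": ind.get("id"),
            "type": ind.findtext("indicator:Title", default="", namespaces=NS),
            "value": observable_value(ind),
            "confidence": int(conf) if conf else None,
            "sightings": int(sightings.get("sightings_count", "0")) if sightings is not None else 0,
            "tags": [t.strip() for t in m.group(1).split(",") if t.strip()] if m else [],
            "timestamp": ind.get("timestamp"),
        })
    return out


def drop_safelisted(indicators, safelist):
    """Remove Indicators whose value is on the safelist (case-insensitive exact match)."""
    blocked = {s.strip().lower() for s in safelist}
    return [i for i in indicators if i["value"] and i["value"].lower() not in blocked]


# Constructed package: the page's IP Indicator plus a made-up MD5 Indicator.
SAMPLE_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-8aad8469-1054-4f06-84ab-9460c98bf24e" timestamp="2020-04-15T17:14:31.607354+00:00" xsi:type="indicator:IndicatorType">
      <indicator:Title>IP</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
      <indicator:Description>IOC from Virus Total. Tags: [tag1, tag2]</indicator:Description>
      <indicator:Observable id="example:Observable-78b22981-4365-4521-8086-f713635be7a4">
        <cybox:Object id="example:Address-b6e908ac-8839-44f6-a872-e1469dd0d4af">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>12.5.37.3</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence timestamp="2020-04-15T17:14:31.608393+00:00"><stixCommon:Value>1</stixCommon:Value></indicator:Confidence>
      <indicator:Sightings sightings_count="1366"><indicator:Sighting timestamp="2020-04-15T14:14:31.608613+00:00"/></indicator:Sightings>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-constructed-0002" xsi:type="indicator:IndicatorType">
      <indicator:Title>MD5</indicator:Title>
      <indicator:Description>Constructed sample. Tags: [malware]</indicator:Description>
      <indicator:Observable id="example:Observable-constructed-0002">
        <cybox:Object id="example:File-constructed-0002">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash></FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence><stixCommon:Value>3</stixCommon:Value></indicator:Confidence>
      <indicator:Sightings sightings_count="2"/>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

if __name__ == "__main__":
    for ioc in drop_safelisted(parse_indicators(SAMPLE_PACKAGE), safelist={"12.5.37.3"}):
        print(ioc["type"], ioc["value"], "confidence", ioc["confidence"], "sightings", ioc["sightings"], ioc["tags"])
```

Feed drop_safelisted the same values you safelisted in the Web App, and run it on every Content_Block of every poll before the Indicators reach a blocklist or SIEM lookup; the filter matches on the observable value, so a safelisted IP is removed whichever Enclave it was submitted to.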
Last modified on 21 April, 2022
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current