The ThreatPipes TAXII Connect App provides a way of consuming indicators of compromise (IOCs) in Splunk from TAXII Servers.
Connect Splunk to any TAXII server, including Anomali STAXX, Soltra Edge, MISP, and ThreatPipes. Leverage the indicators to block threats and provide greater context than common threat feeds.
TAXII Connect currently support STIX 1.1, STIX 2.0, TAXII 1.1, STIX 2.0.
Please note that TAXII Connect only works on Linux systems at this time.
TAXII Connect can be found on Splunk Base. Once downloaded, install the App as you would do with any other Splunk App.
TAXII Connect is supported in Splunk Search Head Clusters.
TAXII Connect does not impact your Splunk license. IOCs are stored directly in Splunk KVStores (out of the scope of Splunk licensing).
To add a TAXII input, navigate to:
TAXII Connect > Intelligence Downloads > Add New
Here are the minimal steps to follow to successfully automate the searching and recording of IOCs in your data.
The following steps are an illustration of the automation of searches of IOCs across proxy logs. The workflow is as follow:
Here is an example of such a search (points 1 and 2 from above).
index=proxy_logs | iocsearch map="cs_uri:url,cs_host:domain,src:ipv4-addr" | search ioc_indicators_count > 0 | ‘parse_ioc_indicators_json ‘ | rename _raw as raw_ | collect ‘iocs_detected_sum_index ‘ marker="marker=\"proxy\""
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.