Anyone use SPLICE app to import TAXII feeds from Soltra Edge?

jeffy_a
New Member

Having some trouble getting the IOC - TAXII feed input configured to poll our Soltra Edge repository. Has anyone gotten this working yet? Authentication is fine/tested, it connects to the right port, etc, even finds the default feed, but when trying to download the feed I get this error:

-0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" something went wrong with TAXII polling: StartTag: invalid element name, line 2789, column 2

I'm not really sure where to go from here, but if anyone could point me in the right direction, or where to look, that would be great. Thanks,

Jeff


cleroux_splunk
Splunk Employee

This error is related to improper IOCs carried over TAXII. This is not a SPLICE issue.
The bug is either in the TAXII server or the TAXII feed that let invalid messages be carried over TAXII/XML.

SPLICE v1.3.4 will provide a way to identify problematic IOCs.

Technical details can be found here: https://github.com/TAXIIProject/libtaxii/issues/170
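
An added example, not part of the original thread and not SPLICE or libtaxii code: one way to find the element that breaks parsing in a saved copy of a poll response. It uses Python's standard expat parser, so the message wording may differ from the log line above; the `id` attribute lookup assumes STIX 1.x content, and the function name and sample document are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: line 8 carries an unescaped "<" inside text content.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Poll_Response>
  <Content_Block>
    <stix:Indicator id="example:indicator-0001">
      <stix:Description>known-good entry</stix:Description>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-0002">
      <stix:Description>payload size < 10 bytes</stix:Description>
    </stix:Indicator>
  </Content_Block>
</Poll_Response>
"""

def locate_bad_xml(data: bytes, context: int = 1):
    """Return None if data is well-formed XML, else details of the first error."""
    open_elems = []  # stack of (element name, id attribute or None)
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: open_elems.append(
        (name, attrs.get("id")))
    parser.EndElementHandler = lambda name: open_elems.pop()
    try:
        parser.Parse(data, True)
        return None
    except expat.ExpatError as exc:
        lines = data.decode("utf-8", errors="replace").splitlines()
        lo = max(exc.lineno - 1 - context, 0)
        hi = min(exc.lineno + context, len(lines))
        # Assumption: STIX 1.x objects carry an "id" attribute, so the
        # innermost open element with one names the offending IOC.
        enclosing = next((i for _, i in reversed(open_elems) if i), None)
        return {
            "line": exc.lineno,            # 1-based
            "column": exc.offset,          # 0-based in expat
            "message": expat.ErrorString(exc.code),
            "enclosing_id": enclosing,
            "open_path": "/".join(n for n, _ in open_elems),
            "context": lines[lo:hi],
        }

if __name__ == "__main__":
    import sys
    # Pass a saved poll response as the first argument, or run on the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(locate_bad_xml(raw) or "well-formed")
```

The reported `enclosing_id` and context lines are what to hand to the feed or server operator, since the fix belongs on the producing side.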

jeffy_a
New Member

Thanks for your help with this Cedric, I'll be passing along the analysis and comments to the folks at Soltra. All the best,

Jeff
