Anyone use SPLICE app to import TAXII feeds from Soltra Edge?

jeffy_a
New Member

Having some trouble getting the IOC - TAXII feed input configured to poll our Soltra Edge repository. Has anyone gotten this working yet? Authentication is fine/tested, it connects to the right port, etc., even finds the default feed, but when trying to download the feed I get this error:

-0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" something went wrong with TAXII polling: StartTag: invalid element name, line 2789, column 2

I'm not really sure where to go from here, but if anyone could point me in the right direction, or where to look, that would be great. Thanks,

Jeff

0 Karma
1 Solution

cleroux_splunk
Splunk Employee

This error is related to improper IOCs carried over TAXII. This is not a SPLICE issue.
The bug is either in the TAXII server or the TAXII feed that let invalid messages be carried over TAXII/XML.

SPLICE v1.3.4 will provide a way to identify problematic IOCs.

Technical details can be found here: https://github.com/TAXIIProject/libtaxii/issues/170
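
One way to find the offending entry in a saved TAXII poll response, as an added example (not part of the original thread, and not SPLICE or libtaxii code): parse the response, and on failure report the error position, the surrounding lines, and the last `id="..."` attribute before it. The function name, the simplified sample document and its indicator ids are constructed for illustration; Python's standard-library parser words the error differently from the message in the log above.

```python
import re
import xml.etree.ElementTree as ET

ID_ATTR = re.compile(r'\bid="([^"]+)"')   # \b keeps message_id="..." from matching

def locate_bad_xml(text, context=1):
    """Return None when text is well-formed XML; otherwise describe the first
    parse error and the last id="..." attribute that precedes it."""
    try:
        ET.fromstring(text)
        return None
    except ET.ParseError as err:
        message = str(err)
        line, col = err.position            # line is 1-based, column is 0-based
    lines = text.split("\n")                # keeps a final empty line for EOF errors
    before = "\n".join(lines[:line - 1] + [lines[line - 1][:col]])
    ids = ID_ATTR.findall(before)
    lo = max(0, line - 1 - context)
    return {"line": line, "column": col, "message": message,
            "nearest_id": ids[-1] if ids else None,
            "excerpt": lines[lo:line + context]}

# Constructed sample, not real feed data: a simplified TAXII 1.1 poll response
# whose second indicator carries an unescaped "<" in its description.
SAMPLE = """\
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    message_id="2" in_response_to="1" collection_name="default">
  <taxii_11:Content_Block><taxii_11:Content>
    <stix:Indicator id="example:indicator-0001">
      <indicator:Description>first entry</indicator:Description>
    </stix:Indicator>
  </taxii_11:Content></taxii_11:Content_Block>
  <taxii_11:Content_Block><taxii_11:Content>
    <stix:Indicator id="example:indicator-0002">
      <indicator:Description>ratio < 5 percent</indicator:Description>
    </stix:Indicator>
  </taxii_11:Content></taxii_11:Content_Block>
</taxii_11:Poll_Response>
"""

if __name__ == "__main__":
    report = locate_bad_xml(SAMPLE)
    print(report["message"], "near", report["nearest_id"])
    for row in report["excerpt"]:
        print("   ", row)
```

The parser stops at the first error, so after the feed owner corrects one entry the check has to be rerun to surface any further ones.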

jeffy_a
New Member

Thanks for your help with this Cedric, I'll be passing along the analysis and comments to the folks at Soltra. All the best,

Jeff

0 Karma