Splunk Enterprise Security

Using certificate-based auth for a TAXII Threat Intel download?

AGLbwa
Path Finder

I notice that Splice was deprecated as ES (allegedly) did everything Splice did, however one thing Splice supported that ES does not (seem to) is additional auth factors besides username and password. Splice had parameters taxii_cert_pem and taxi_cert_key. Is my understanding that ES TAXII downloads do not support these correct, or do I simply need to know the magic post parameters invocation to get this working. Any help much appreciated, but I'm reading the source in parallel and will follow up with the answer if none is forthcoming.

0 Karma

AGLbwa
Path Finder

Ok so to save anyone else going hunting, reading contrib/libtaxii/clients.py, it looks like post params is indeed the way to go, thusly:
collection="stuffIwant" auth_type="AUTH_CERT_BASIC" key_file="/path/to/key.key" cert_file="/path/to/cert.crt" username="blah" password="blahblah"

Hope this helps somebody else!

Best regards,
Barry

AGLbwa
Path Finder

Or you could just be smarter than me and read the answer in the ES Admin Manual. (Groans and shakes head).

0 Karma

AGLbwa
Path Finder

Correction: auth_type doesn't get set, it's derived from the provided params. The correct parameters for username and password are taxii_username and taxii_password

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...