Using certificate-based auth for a TAXII Threat In...

AGLbwa · ‎06-23-2018

I notice that Splice was deprecated as ES (allegedly) did everything Splice did, however one thing Splice supported that ES does not (seem to) is additional auth factors besides username and password. Splice had parameters taxii_cert_pem and taxi_cert_key. Is my understanding that ES TAXII downloads do not support these correct, or do I simply need to know the magic post parameters invocation to get this working. Any help much appreciated, but I'm reading the source in parallel and will follow up with the answer if none is forthcoming.

AGLbwa · ‎06-23-2018

Ok so to save anyone else going hunting, reading contrib/libtaxii/clients.py, it looks like post params is indeed the way to go, thusly:
collection="stuffIwant" auth_type="AUTH_CERT_BASIC" key_file="/path/to/key.key" cert_file="/path/to/cert.crt" username="blah" password="blahblah"

Hope this helps somebody else!

Best regards,
Barry

AGLbwa · ‎06-23-2018

Or you could just be smarter than me and read the answer in the ES Admin Manual. (Groans and shakes head).

AGLbwa · ‎06-23-2018

Correction: auth_type doesn't get set, it's derived from the provided params. The correct parameters for username and password are taxii_username and taxii_password

Using certificate-based auth for a TAXII Threat Intel download?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk