To set up integration with TAXII v.1 using the Threat Intelligence Management:
Adding a TAXII source
taxii_username="taxii" taxii_password="<token>" collection="<collection_name>"
Specifying collection parameters
The following collections are supported*:
TAXII collections
| Collection description | Collection name | Collection ID** |
|---|---|---|
| IP Reputation Data Feed. This feed contains IP addresses from which malicious activity occurs or that can be used for malicious actions. | TAXII_IP_Reputation_Data_Feed | 0ae9affff4e51891814259e8942d94d3 |
| | TAXII_IP_Reputation_Data_Feed_High_Confidence | 1f3240c59c5cd4148197a3e17ae05466 |
| | TAXII_IP_Reputation_Data_Feed_Indicators | e3b0eab15fd0b2063d2c741c990f8393 |
| | TAXII_IP_Reputation_Data_Feed_Indicators_High_Confidence | b2d222813d61096390bc8c3e6e0746b5 |
| Malicious URL Data Feed. This feed contains malicious URLs and masks to detect malicious web resources. | TAXII_Malicious_URL_Data_Feed | d36535fc11c64814566e14b4e413f409 |
| | TAXII_Malicious_URL_Data_Feed_Indicators | c11ae81e813b2f630b4139c8452d1e36 |
| Phishing URL Data Feed. This feed contains phishing URLs and masks to detect phishing web resources. | TAXII_Phishing_URL_Data_Feed | 76d8f5b849e65f3e004fd032beff9c32 |
| | TAXII_Phishing_URL_Data_Feed_Indicators | a8b13dcb35e66276b4f84ea5116731da |
| Botnet CnC URL Data Feed. This feed contains URLs and masks to detect command and control servers (C&C), and web resources that are related to botnets. | TAXII_Botnet_CnC_URL_Data_Feed | d500f962d42290ab422e62b8982bd81e |
| | TAXII_Botnet_CnC_URL_Data_Feed_Indicators | db92fd382b6b81b84af7e7dc0d4fbe64 |
| Malicious Hash Data Feed. This feed contains hashes of malicious objects to detect the most dangerous, prevalent, and emerging malware. | TAXII_Malicious_Hash_Data_Feed | 5ccc9874aaf16bc70b1e86de8e724ea3 |
| | TAXII_Malicious_Hash_Data_Feed_MD5 | 76d7c9bb29586bcc08b869181c4bb230 |
| | TAXII_Malicious_Hash_Data_Feed_SHA1 | a6a08281bb751d2b12905e931b5aada2 |
| | TAXII_Malicious_Hash_Data_Feed_SHA256 | 924b35bdc26f3a31b27341d787a27753 |
| | TAXII_Malicious_Hash_Data_Feed_Indicators | 68e6d1051c70ab988a6d95ed5c2bfdf0 |
| | TAXII_Malicious_Hash_Data_Feed_Indicators_MD5 | 101f1489e604562010a7f801ca40e9f7 |
| | TAXII_Malicious_Hash_Data_Feed_Indicators_SHA1 | 58fd4d3cc5f1cdb95fc16ae9f062f124 |
| | TAXII_Malicious_Hash_Data_Feed_Indicators_SHA256 | 2552fa126704eab3ef72b836040f3b83 |
| Mobile Malicious Hash Data Feed. This feed contains hashes of malicious objects that target mobile platforms. | TAXII_Mobile_Malicious_Hash_Data_Feed | 0d89f971a44f865679c691a811e4f620 |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_MD5 | d0bddc85730645176d1ebd6ebf9f19f2 |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_SHA1 | a47ca57d2fb3a9daef480508d18ec7d3 |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_SHA256 | 895953dd7f11c8b97cbf324dc6aad305 |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_Indicators | 3402f7b190340f693bdb000eb139a3fe |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_Indicators_MD5 | a81b3d34a0b13df5eac164ffba11fce7 |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_Indicators_SHA1 | 60d4a31cc2ddfd2566dfc2132cc46ba1 |
| | TAXII_Mobile_Malicious_Hash_Data_Feed_Indicators_SHA256 | 51e46874ed7537a0044dd2c76798a248 |
| APT IP Data Feed. This feed contains IP addresses that are used in APT (Advanced Persistent Threat) campaigns. | TAXII_APT_IP_Data_Feed | a61ff46259490ccf69b55d6502f6d55c |
| | TAXII_APT_IP_Data_Feed_Indicators | 56a5a1d8e198ac959934c8db0891ba57 |
| APT URL Data Feed. This feed contains domains that are used in APT (Advanced Persistent Threat) campaigns. | TAXII_APT_URL_Data_Feed | 7489f412c65d341711ecec0c8cbe5ddf |
| | TAXII_APT_URL_Data_Feed_Indicators | ab633ebb6561c0e7d483a0e376298f27 |
| APT Hash Data Feed. This feed contains hashes of malicious objects that are used by APT (Advanced Persistent Threat) threat actors to conduct APT campaigns. | TAXII_APT_Hash_Data_Feed | 52261ce9224a0060ada97eead36a6460 |
| | TAXII_APT_Hash_Data_Feed_MD5 | 223153d5d1fa0524255f4ba776f1dff7 |
| | TAXII_APT_Hash_Data_Feed_SHA1 | 2e6561007fe0e3d2e50b1dfb59e5925c |
| | TAXII_APT_Hash_Data_Feed_SHA256 | 6a4b0f0b0d029e91e8a2aac0352f6858 |
| | TAXII_APT_Hash_Data_Feed_Indicators | b971fc4c656ce1a76bb452374ce0088f |
| | TAXII_APT_Hash_Data_Feed_Indicators_MD5 | 451014a45dc8f87ff206749b20a5823d |
| | TAXII_APT_Hash_Data_Feed_Indicators_SHA1 | 6e9a8e21400b1e396bbf8d51fc106e19 |
| | TAXII_APT_Hash_Data_Feed_Indicators_SHA256 | a004f337cdd06eab197a4d498bd396fb |

*Contact your Account Manager for the full list of supported collections.
**Collection IDs may change.
Below is an example of the request for searching indicators with hashes:
Example of a search request
For more information, visit https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Downloadthreatfeed.