Splunk Lantern

CTIS Integration - CTIS Service Configuration

Background 

Organisations wishing to integrate Splunk with the ASD/ACSC CTIS service should review all the relevant CTIS documentation in the Australian Cyber Security Centre (ACSC) Partner Portal before configuring the integration. In particular, it is recommended that organisations review the following documents, all accessible in the portal:

  • ASD CTIS Partner Portal User Guide: How to configure the service via the portal and details on the various collections (IOC feeds)
  • CTIS Information Guide for Partners: General information about the service and its use
  • ASD Connection Guide for CTIS Community Partners: Information regarding the configuration of specific products such as the Splunk platform to use the CTIS service

This Lantern article is the primary source of truth for the recommended method and steps to configure Splunk Enterprise Security to use the CTIS service for IOC ingestion and reporting. Some sources, such as older versions of the ASD Connection Guide mentioned above, contain out of date information and should not be used.

CTIS Connection Configuration 

Before configuring the Splunk integration with the CTIS service, the administrator of your organisation's ACSC/ASD portal account will need to create CTIS connection credentials and allowlist the IP addresses of your Splunk ES search head(s) for each CTIS connection, so that the search head can authenticate to the CTIS TAXII endpoints. Two general requirements apply when configuring these in the portal:

  • Allowlisting IP addresses for access to the CTIS service: The source address to allowlist is the address from which your search head(s) running Splunk Enterprise Security reach the CTIS service, that is, the public egress address after any NAT, proxy or egress gateway, which is not necessarily the address of the search head's own interface. For more information on configuring credentials and the allowlisting requirements, see the CTIS documentation published in the ACSC/ASD portal.
  • Configuring credentials based on the TAXII protocol version you will use: Each credential configured in the portal supports either TAXII 1.2 or TAXII 2.1, not both, so configure credentials to match how you will connect to the service. If you are using ES version 8.1 or earlier, you need a TAXII 1.2 credential for IOC ingestion and a separate TAXII 2.1 credential for IOC reporting back to the CTIS service, because the Splunk app supports only TAXII 2.x for reporting. If you are using ES 8.2 or later, a single TAXII 2.1 credential can be used for both IOC ingestion and reporting. CTIS support for TAXII 1.x will cease on 30 June 2026, after which TAXII 1.2 ingestion on ES 8.1 or earlier will no longer work.
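Before entering the credential into Splunk Enterprise Security, it is worth confirming from the search head itself that the credential really is a TAXII 2.1 credential and that the search head's egress address has been allowlisted. The script below is an added example written for this article; it is not code from Splunk, ASD or the CTIS service. It walks the standard TAXII 2.1 sequence (discovery endpoint, then each API root's `collections` endpoint) using HTTP Basic authentication and the `application/taxii+json;version=2.1` media type that the TAXII 2.1 specification requires. The discovery URL, username and password are placeholders that you replace with the values from the portal, and the sample responses at the bottom are constructed so the walk can be exercised offline; the mapping of HTTP 401 to "wrong credential type" and 403 to "not allowlisted" is a heuristic assumption, and a blocked source address may also show up as a connection timeout rather than a 403.

```python
"""Pre-flight check of a CTIS TAXII 2.1 credential from the ES search head.

Added example, not from the Lantern article or Splunk/ASD. The discovery URL
and credential below are placeholders; take the real values from the portal.
"""
import base64
import json
import urllib.error
import urllib.request

# Media type mandated by the TAXII 2.1 specification for every request/response.
TAXII21_MEDIA_TYPE = "application/taxii+json;version=2.1"

# Placeholders (hypothetical): replace with the values issued in the ACSC/ASD portal.
DISCOVERY_URL = "https://ctis.example.invalid/taxii2/"
USERNAME = "your-ctis-username"
PASSWORD = "your-ctis-password"


def build_request(url, username, password):
    """Build a TAXII 2.1 GET carrying Basic auth and the mandatory Accept header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        headers={"Accept": TAXII21_MEDIA_TYPE, "Authorization": f"Basic {token}"},
        method="GET",
    )


def parse_discovery(body):
    """Return the api_roots list from a TAXII 2.1 discovery document."""
    roots = json.loads(body).get("api_roots", [])
    if not isinstance(roots, list) or not roots:
        raise ValueError("discovery response has no api_roots")
    return roots


def parse_collections(body):
    """Return (id, title, can_read, can_write) per collection; can_write matters for reporting."""
    return [
        (c["id"], c.get("title", ""), bool(c.get("can_read")), bool(c.get("can_write")))
        for c in json.loads(body).get("collections", [])
    ]


def classify_http_error(status):
    """Heuristic (assumption, not CTIS-documented) mapping of status codes to likely causes."""
    if status == 401:
        return "credential rejected: check it is a TAXII 2.1 credential, not a TAXII 1.2 one"
    if status == 403:
        return "forbidden: the search head egress IP is probably not allowlisted for this connection"
    return f"unexpected HTTP status {status}"


def preflight(discovery_url, username, password, fetch=None):
    """Walk discovery -> API roots -> collections and return a summary dict.

    `fetch(request) -> (status, body)` is injectable so the walk can run offline;
    by default it performs real HTTPS requests with urllib.
    """
    if fetch is None:
        def fetch(req):
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
    result = {"ok": False, "api_roots": [], "collections": {}, "error": None}
    try:
        status, body = fetch(build_request(discovery_url, username, password))
        if status != 200:  # only reachable with an injected fetch; urllib raises HTTPError
            result["error"] = classify_http_error(status)
            return result
        result["api_roots"] = parse_discovery(body)
        for root in result["api_roots"]:
            status, body = fetch(build_request(root.rstrip("/") + "/collections/", username, password))
            if status != 200:
                result["error"] = classify_http_error(status)
                return result
            result["collections"][root] = parse_collections(body)
        result["ok"] = True
    except urllib.error.HTTPError as e:
        result["error"] = classify_http_error(e.code)
    except (urllib.error.URLError, ValueError) as e:
        result["error"] = str(e)  # timeouts/TLS failures land here, including a firewalled source IP
    return result


# Constructed sample responses (not real CTIS data) so the walk can be exercised offline.
SAMPLE = {
    DISCOVERY_URL: (200, json.dumps({
        "title": "Sample TAXII 2.1 server",
        "api_roots": ["https://ctis.example.invalid/taxii2/root1/"],
    }).encode()),
    "https://ctis.example.invalid/taxii2/root1/collections/": (200, json.dumps({
        "collections": [
            {"id": "11111111-1111-4111-8111-111111111111", "title": "Sample inbound IOC feed",
             "can_read": True, "can_write": False},
            {"id": "22222222-2222-4222-8222-222222222222", "title": "Sample reporting collection",
             "can_read": False, "can_write": True},
        ],
    }).encode()),
}


def sample_fetch(req):
    """Offline fetcher: serve the constructed responses, 403 for anything else."""
    return SAMPLE.get(req.full_url, (403, b""))


if __name__ == "__main__":
    # Swap `fetch=sample_fetch` for the default to run the check against the real service.
    print(json.dumps(preflight(DISCOVERY_URL, USERNAME, PASSWORD, fetch=sample_fetch), indent=2))
```

Run it on the ES search head (not from an admin workstation), because the allowlist check is only meaningful from the address the search head actually egresses through. For an ES 8.2 or later deployment using one credential for both directions, look for at least one collection with `can_read` true (ingestion) and one with `can_write` true (reporting).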