Splunk Lantern

CTIS Integration - CTIS Service Configuration

Background

Organisations wishing to integrate Splunk with the ASD/ACSC CTIS service should review the relevant CTIS documentation before configuring the integration. The following documents are available via the portal:

  • ASD CTIS - Partner Portal User Guide 
  • CTIS Information Guide for Partners 
  • ASD Connection Guide for CTIS Community Partners 

CTIS Connection Configuration

Before configuring Splunk integration with the CTIS service, the administrator of your organisation's ACSC/ASD portal must configure credentials and specify the whitelisted addresses of your Splunk environment; these are used to authenticate to and access the CTIS TAXII REST APIs. There are two general requirements when configuring this in the portal:

  • Whitelisting IP addresses for access to the CTIS service - The Splunk source address to be whitelisted for the connection to the CTIS service is that of your Search Head(s) running Splunk Enterprise Security. For more information on configuring credentials and the whitelisting requirements, see the CTIS documentation published on the ACSC/ASD portal.
  • Configuring credentials based on the TAXII protocol version you will use - Each credential configured in the portal supports either TAXII 1.2 or TAXII 2.1, not both, so configure credentials according to how you will connect to the service. If you are running a version of ES prior to 8.2, you will need a TAXII 1.2 credential for ingestion and a TAXII 2.1 credential for reporting IOCs back to the CTIS service, because the Splunk plugin supports only TAXII 2.x for IOC reporting. With ES 8.2 and later, a single credential can be used for both ingestion and reporting.