CTIS Integration Overview
Splunk Enterprise Security (ES) integrates with the CTIS service for IOC ingestion and reporting through the following standards-based protocols:
- TAXII: Trusted Automated Exchange of Intelligence Information (TAXII) is an application-layer protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII clients and servers. TAXII is the transport: it carries the threat intelligence content, which is itself encoded in STIX. Further information regarding the TAXII standard can be found in the OASIS TAXII specification.
- STIX: Structured Threat Information Expression (STIX) is a language and serialisation format used to exchange cyber threat intelligence (CTI). STIX defines the structure of the threat intelligence content transported over TAXII, and is what allows ES to parse IOC information correctly on ingestion. Further information regarding the STIX standard can be found in the OASIS STIX specification.
The table below shows the versions of these protocols that have been validated and are supported for use with the CTIS service for each version of Splunk Enterprise Security (ES). Most threat intelligence services, CTIS included, are expected to drop TAXII 1.x in the short term as they standardise on TAXII 2.x. With this in mind, ES 8.2 or later is recommended for full support of CTIS functionality using TAXII 2.x.
| ES Version | TAXII 1.x Support | TAXII 2.x Support | STIX 2.x Support |
|---|---|---|---|
| ES 7.3 | ✔ | * | ✔ |
| ES 8.0 | ✔ | * | ✔ |
| ES 8.1 | ✔ | * | ✔ |
| ES 8.2+ | ✔ | ✔ | ✔ |

\* TAXII 2.x ingestion on these ES versions is available only via the Splunk Threat Intelligence Management (TIM) service on Splunk Cloud Platform, not via the ES Threat Intelligence Framework (see the special notes below).
Special notes:
- Prior to ES 8.2, the ES Threat Intelligence Framework (TIF) supports only TAXII 1.x for CTIS IOC ingestion.
- ACSC have advised that the CTIS service will cease support of TAXII 1.x on 30 June 2026. Ingestion feeds configured via TAXII 1.x will stop working after this date.
- The recommended method of CTIS integration for IOC ingestion, across all types of Splunk deployment, is ES TIF using TAXII 2.x on ES 8.2 or later.
- TIF supports more advanced configuration options, has native diagnostic features, and is not limited to three custom TAXII feeds.
- Splunk Cloud Platform customers running ES versions prior to ES 8.2 can optionally use TAXII 2.x for ingestion via the Splunk Threat Intelligence Management (TIM) service.
- TIM is limited to a maximum of three custom TAXII 1.x feeds and three custom TAXII 2.x feeds.
- TIM has no options to customise ingestion parameters such as timeouts, collection download sizes, and polling intervals.
- Configuration of CTIS integration for IOC ingestion via TIM is outside the scope of this guide.

