CTIS Integration Overview
Splunk Enterprise Security (ES) integrates with the CTIS service through the following standards-based protocols:
- TAXII - Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers. In this integration TAXII is the transport: it carries the actual Threat Intelligence content, which is expressed in STIX. Further information regarding the TAXII protocol standard can be found in the OASIS TAXII specification.
- STIX - Structured Threat Information Expression (STIX) is a language and serialisation format used to exchange cyber threat intelligence (CTI). STIX defines the structure of the Threat Intelligence content transported over TAXII, and adherence to that structure is what ensures the IOC information is parsed correctly when ingested. Further information regarding the STIX standard can be found in the OASIS STIX specification.
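To make the "parsed correctly when ingested" point concrete, the following is an added example (not Splunk's, CTIS's or any add-on's code) that extracts IOC type/value pairs from the indicator objects of a STIX 2.1 bundle. The bundle is constructed inline and trimmed of the timestamp fields the spec requires; the regex handles only the equality comparisons that STIX patterns use for IOC literals.

```python
import json
import re

# Constructed STIX 2.1 bundle (not CTIS data; required timestamp fields are
# omitted for brevity). It mixes two live indicators, a revoked one and a
# non-indicator object so the parser's skip rules are exercised.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Constructed domain and file hash", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'malicious.example' OR "
                    "file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb924"
                    "27ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "revoked": True,
         "pattern": "[url:value = 'http://retired.example/payload']"},
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000005",
         "name": "Constructed producer", "identity_class": "organization"},
    ],
})

# One STIX comparison expression: <object-path> = '<value>'. Only equality
# comparisons are extracted, since those are the ones that carry IOC literals.
COMPARISON = re.compile(r"([\w-]+:[\w.'\-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Return (ioc_type, value, indicator_id) triples from a STIX 2.x bundle.

    Non-indicator objects, revoked indicators and indicators whose pattern_type
    is not 'stix' (e.g. snort or yara rules) are skipped: none of them should
    become lookup entries in a threat-matching workflow.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            # Normalise "file:hashes.'SHA-256'" to "file:hashes.SHA-256".
            iocs.append((path.replace("'", ""), value, obj["id"]))
    return iocs
```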
The table below shows the versions of these protocols that have been validated and are supported for use with the CTIS service with different versions of Splunk Enterprise Security (ES). It is likely that support for TAXII 1.x will be removed from many TI services over the coming months/years as they move to standardising on TAXII 2.x. It is recommended that ES 8.2.3 or later is used for full support of Threat Intelligence with Splunk Mission Control.
| ES Version | TAXII 1.x Support | TAXII 2.x Support | STIX 2.x Support |
|---|---|---|---|
| ES 7.3 | ✔ | * | ✔ |
| ES 8.0 | ✔ | * | ✔ |
| ES 8.1 | ✔ | * | ✔ |
| ES 8.2+ | ✔ | ✔ | ✔ |
* TAXII 2.x is supported only for IOC report submission through the open-source plugin. TAXII 1.x is the only supported version in the ES Threat Intelligence Framework (TIF) in versions before 8.2. Splunk Cloud Platform customers running ES versions before 8.2 can optionally use TAXII 2.x for ingestion via the Splunk Threat Intelligence Management (TIM) service. Configuration of the TIM service is outside the scope of this document, and use of ES TIF is recommended instead due to its greater configuration flexibility.