Splunk Lantern

CTIS Integration Overview

Splunk Enterprise Security (ES) integrates with the CTIS service via the standards-based protocols outlined below:

  • TAXII - Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII clients and servers. TAXII is essentially the transport protocol: the actual threat intelligence content is carried as STIX over TAXII. Further information regarding the TAXII protocol standard can be found here.
  • STIX - Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX defines the structure of the threat intelligence content transported over TAXII, and it is important to ensure the IOC information is parsed correctly when ingested. Further information regarding the STIX standard can be found here.
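To make the transport/content split concrete, the Python below is an added illustration (not code from this page, from Splunk ES, or from the CTIS service): it takes a constructed TAXII 2.1 envelope of STIX 2.1 objects, as a collection's objects endpoint would return it, and flattens the STIX indicator patterns into the kind of per-observable records a threat-intel ingest needs. The collection and field names in FIELD_MAP are an assumption modelled on ES threat-intel collection conventions, and all IDs, names and indicator values are made up.

```python
import json
import re

# Constructed TAXII 2.1 envelope (the shape a collection's /objects/ endpoint
# returns) carrying STIX 2.1 objects. IDs, names and values are made up.
TAXII_ENVELOPE = json.dumps({"more": False, "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--11111111-1111-4111-8111-111111111111",
     "name": "Example C2 address", "valid_from": "2024-01-10T08:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--22222222-2222-4222-8222-222222222222",
     "name": "Example dropper", "valid_from": "2024-01-11T00:00:00Z",
     "pattern": "[domain-name:value = 'bad.example' OR "
                "file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "snort",
     "id": "indicator--33333333-3333-4333-8333-333333333333",
     "valid_from": "2024-01-12T00:00:00Z",
     "pattern": "alert tcp any any -> any 4444 (sid:1;)"},
    {"type": "malware", "spec_version": "2.1", "name": "Example",
     "id": "malware--44444444-4444-4444-8444-444444444444", "is_family": False},
]})

# One STIX pattern comparison: <object-type>:<property-path> = '<value>'
COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'-]+?)\s*=\s*'([^']*)'")

# Assumed mapping from STIX observable paths to the ES threat-intel collection
# and key field an IOC would be written to (verify against your ES version).
FIELD_MAP = {
    ("ipv4-addr", "value"): ("ip_intel", "ip"),
    ("domain-name", "value"): ("domain_intel", "domain"),
    ("url", "value"): ("url_intel", "url"),
    ("file", "hashes.'SHA-256'"): ("file_intel", "file_hash"),
}

def extract_iocs(envelope_json):
    """Flatten STIX indicators from a TAXII envelope into threat-intel records.
    Non-indicator objects and non-STIX pattern types (e.g. Snort) are skipped."""
    records = []
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for otype, path, value in COMPARISON.findall(obj["pattern"]):
            if (otype, path) not in FIELD_MAP:
                continue  # unmapped observable: leave it out rather than mis-key it
            collection, field = FIELD_MAP[(otype, path)]
            records.append({"collection": collection, field: value,
                            "threat_key": obj["id"], "valid_from": obj["valid_from"],
                            "description": obj.get("name", "")})
    return records
```

A compound pattern such as the second indicator yields one record per observable, which is why the domain and the SHA-256 hash land in different collections.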

The protocol versions that have been validated and are supported for use with the CTIS service are listed below for each version of Splunk ES. It is likely that support for TAXII 1.x will be removed from many TI services over the coming months/years as they move to standardising on TAXII 2.x. It is recommended that Enterprise Security 8.2.3 or later is used for full support of Threat Intelligence with Mission Control.

ES Version | TAXII 1.x Support | TAXII 2.x Support | STIX 2.x Support
-----------|-------------------|-------------------|-----------------
ES 7.3     |                   | *                 |
ES 8.0     |                   | *                 |
ES 8.1     |                   | *                 |
ES 8.2+    |                   |                   |

* TAXII 2.x is supported only for IOC report submission via the open-source plugin. TAXII 1.x is the only supported version in ES TIF versions prior to 8.2. Splunk Cloud Platform customers running ES versions prior to 8.2 can optionally utilise TAXII 2.x for ingestion via the Splunk Threat Intelligence Management (TIM) service. Configuration of the TIM service is outside the scope of this document; use of ES TIF is recommended instead due to its greater configuration flexibility.