We have looked at adding some threat intelligence apps to our Enterprise Security instance and have decided that we can consume the information that we are looking for via TAXII feed. The instructions on this page (docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists) lay out how to configure this in Splunk Web but don't provide any instructions on how to add them directly in a conf file which is what you have to do in a search head cluster. So my question is:
Where is the config file to make add these feeds and are there instructions on how to make these changes directly in the conf files?
↧