Skip to main content
Connect Splunk Enterprise Security (ES) to the Reyhford TAXII 2.1 feed for automated threat intelligence ingestion.

Prerequisites

  • Splunk ES with Threat Intelligence Management
  • Reyhford API key from app.reyhford.com

Configure TAXII feed

  1. In Splunk ES, go to Configure → Content → Threat Intelligence Management → New Threat Intelligence Collection.
  2. Select TAXII as the source type.
  3. Enter server details:
FieldValue
Server URLhttps://api.reyhford.com/taxii2/
Collectionreyhford-global-feed
Username(leave blank)
Password / API KeyYour Reyhford API key
VersionTAXII 2.1
  1. Set polling interval to 15–60 minutes (recommended).
  2. Enable Use added_after for incremental updates.

STIX mapping

Reyhford returns STIX 2.1 indicator objects with:
  • pattern — observable (IPv4, port, protocol)
  • kill_chain_phases — MITRE tactic mapping
  • Custom extensions — x-reyhford-reputation for IP history
Splunk ES maps STIX indicators to notable events based on your correlation searches.

Verification

# Confirm feed connectivity outside Splunk
curl -s "https://api.reyhford.com/taxii2/collections/reyhford-global-feed/objects/?limit=1" \
  -H "Authorization: Bearer $REYHFORD_API_KEY" \
  -H "Accept: application/taxii+json;version=2.1" | jq '.objects | length'

Troubleshooting

Verify the API key is active and passed as Bearer token. Discovery works without auth; objects require a key.
Indicators must reach ENRICHED or VERIFIED state before appearing in the feed. Check status.reyhford.com.