I used taxiing.exampleDataFeed as my prototype in MM. The stdlib.taxiiDataFeed may work too, I didn't try it. Then, in Splunk ES, I was able to set up a threat intelligence feed with the following:
POST arguments: collection="<NAME_OF_MM_OUTPUT_NODE>"
At least in my experience, URL can be an IP address, even if you use HTTPS in the URL. This is handy if you want to share over the internet but don't want to publish a DNS record for "mythreatintelplatform.abc.xyz".
... View more