Splunk® Enterprise Security

REST API Reference

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Threat Intelligence API reference

Access the Threat Intelligence framework in Splunk Enterprise Security.

The Threat Intelligence framework is a mechanism for consuming and managing threat feeds, detecting threats, and alerting. For more information about working with the framework, see Threat Intelligence framework in Splunk ES.

Usage details

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations. You must have the edit_threat_intel_collections capability to use the threat intelligence endpoints.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Managed Splunk Cloud deployments

https://<deployment-name>.cloud.splunk.com:8089

Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.

https://input-<deployment-name>.cloud.splunk.com:8089

See Using the REST API in Splunk Cloud in the the Splunk REST API Tutorials for more information.

/data/threat_intel/upload

Upload a threat intelligence file in STIX, IOC, or CSV format.

Syntax

https://<host>:<mPort>/data/threat_intel/upload

Usage details
For details of how Splunk Enterprise Security processes threat intelligence files, see Threat Intelligence framework in Splunk ES.

POST

Upload a file.

Request parameters

Field Type Default Description
encoded_content
required
String The threat Intelligence file content encoded in base64 format.
file_name
required
String The threat intelligence file name, with extension.
weight
required
Integer The relative weight assigned to this source of threat intelligence, used for risk score calculations in notable events. Most threat intelligence sources have a weight of 1.
threat_group
required for CSV only
String The threat group to which this threat intelligence belongs. Optional for IOC and STIX files because the parser can extract this value from the file itself. Required for CSV files.
threat_category
required for CSV only
String The threat category to which this threat intelligence belongs. Optional for IOC and STIX files because the parser can extract this value from the file itself. Required for CSV files.
overwrite Boolean false If set to true and a file with this name already exists, the API overwrites the file and reports success. If set to false and a file with this name already exists, the API returns an error.

Data payload
A JSON-encoded string with the arguments.

Response

The endpoint returns a success or failure message, with HTTP status codes.

Example request

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/upload -d '{"file_name":"threat.xml", "encoded_content":"aXAsZGVzY3JpcHRpb24KMTQzLjMuMi4zLHRlc3QK<truncated for brevity>", "weight":"10", "threat_category":"APT", "threat_group":"APT", "overwrite":"true"}'  -H "Content-Type: application/json" -X POST

Example response

{"success":true,"message":"Uploaded successfully."}


/services/data/threat_intel/item/{threat_intel_collection}

Perform CRUD operations on an existing threat intelligence collection.

Syntax

https://<host>:<mPort>/services/data/threat_intel/item/{threat_intel_collection}

Usage details
The collection name must be one of the following:

  • ip_intel
  • file_intel
  • user_intel
  • http_intel
  • email_intel
  • service_intel
  • process_intel
  • registry_intel
  • certificate_intel

Some methods require the _key field. To find the key for a row in a collection, run a search using the inputlookup command and the relevant threat_intel_collection and use eval to display the _key field for each row. For example:

| inputlookup ip_intel | eval item_key=_key

GET

List one or more rows from a collection.

Request parameters

Field Type Default Description
item
required
JSON encoded string The field/value pairs to match.
For example, {'ip':'41.41.41.41'} returns rows that have ip=41.41.41.41 and {'file_name':'threat.trt', 'file_extension':'trt'} returns all the rows that match file_name=threat.trt and file_extension=trt.

Data payload
The item field must contain at least one of the important fields for the threat collection to use as search criteria, in a JSON encoded string.

Collection name Important fields
user_intel user
file_intel file_name, file_hash
ip_intel ip, domain
http_intel http_user_agent, ip, http_referrer, url, domain
email_intel embedded_domain, src_user, subject, file_hash, file_name, embedded_ip
service_intel service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service
process_intel dest, src, process_file_name, process
registry_intel registry_path, registry_value_name, registry_value_text, user
certificate_intel certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain

Response

If the request is successful, the endpoint returns all the rows that match the values supplied in the item parameter. If the request fails, the endpoint returns an error message.

Example request

curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/ip_intel  -d item='{"ip":"10.10.1.1 "}'  -G -X  GET

Example response

{"message": [{"_user": "nobody", "time": 1481566235.98246, "threat_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d|stix_file.xml.xml", "ip": "10.10.1.1", "_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d"}], "status": true}


PUT

Update one or more rows in a collection.

Request parameters

Field Type Default Description
item
required
JSON encoded string The field/value pairs to update in one or more rows in a collection, accompanied by the _key for those rows. To update multiple rows with a single call, separate the JSON encoded strings with commas inside a set of brackets.

Data payload
The item field must contain at least one of the important fields for the threat collection being modified, in a JSON encoded string. The item field must also contain the _key value(s) of the rows you want to modify, in a JSON encoded string. You can update a single row or multiple rows.

Collection name Important fields
user_intel user
file_intel file_name, file_hash
ip_intel ip, domain
http_intel http_user_agent, ip, http_referrer, url, domain
email_intel embedded_domain, src_user, subject, file_hash, file_name, embedded_ip
service_intel service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service
process_intel dest, src, process_file_name, process
registry_intel registry_path, registry_value_name, registry_value_text, user
certificate_intel certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain


Response

The endpoint returns one of two responses:

{"status": true, "message": "Update operation successful."}

{"status": false, "message": <failure_cause>}


Example request

curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/email_intel -d item='[{"src_user": "user_new1", "subject":"click this new update","_key":"126b0fd6d5c548fbb9a31107a4acddc1"}, {"src_user": "user_new2", "subject":"click this update","_key":"46cdf4a3579244f4a409c69af02d5101"}]' -X PUT

Example response

{"status": true, "message": "Update operation successful."}


POST

Create one or more rows in a collection.

Request parameters

Field Type Default Description
item
required
JSON encoded string The field/value pairs to insert as a new row in a collection. To create multiple rows with a single call, separate the JSON encoded strings with commas inside a set of brackets.
Examples:
{'file_name':'threat.trt', 'file_extension':'trt'} creates one new row that has file_name=threat.trt and file_extension=trt.

{'ip':'41.41.41.41'} creates one new row with ip=41.41.41.41.

[{‘ip’:’41.41.41.41’}, {‘ip’:’10.10.10.10’}] creates two new rows: one with ip=41.41.41.41 and the other with ip=10.10.10.10.

See the Data payload information for a list of important fields. The item must include at least one of the important fields for the relevant collection name, or the API returns an error.

Data payload
The item field must contain at least one of the important fields for the threat collection being modified, in a JSON encoded string.

Collection name Important fields
user_intel user
file_intel file_name, file_hash
ip_intel ip, domain
http_intel http_user_agent, ip, http_referrer, url, domain
email_intel embedded_domain, src_user, subject, file_hash, file_name, embedded_ip
service_intel service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service
process_intel dest, src, process_file_name, process
registry_intel registry_path, registry_value_name, registry_value_text, user
certificate_intel certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain

Response

The endpoint returns one of two responses:

{"status": true, "message": "Create operation successful."}

{"status": false, "message": <failure_cause>}


Example request

Create a single row.

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel -d item='{"src_user": "user_new", "subject":"click this"}'

Create two rows.

curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/email_intel -d item='[{"src_user": "user_new", "subject":"click this"},{"src_user": "user2_new", "subject":"click this"}]'

Example response

{"status": true, "message": "Create operation successful."}


DELETE

Delete one or more rows from a collection.

Request parameters

Field Type Default Description
item
required
JSON encoded string The _key values of the rows to delete from a threat collection.

Data payload
The item field must contain _key values of the rows you intend to delete in a threat collection, in a JSON encoded string. You can delete a single row or multiple rows.

Response

The endpoint returns one of two responses:

{"message": "Delete operation successful.", "status": true}

{"status": false, "message": <failure_cause>}


Example request

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel -d item='[{"_key":"2e58177235804a739d4d768c26077b24"},{"_key":"2e58177235804a739d4d768c26077bd4"}]' -G -X DELETE

Example response

{"message": "Delete operation successful.", "status": true}


/services/data/threat_intel/item/{threat_intel_collection}/{item_key}

Perform read, update, and delete operations on a row of an existing threat intelligence collection.

Syntax

https://<host>:<mPort>/services/data/threat_intel/item/{threat_intel_collection}/{item_key}

Usage details

The threat_intel_collection must be one of the following:

  • ip_intel
  • file_intel
  • user_intel
  • http_intel
  • email_intel
  • service_intel
  • process_intel
  • registry_intel
  • certificate_intel

The item_key must be a valid key. To find the key for a row in a collection, run a search using the inputlookup command and the relevant threat_intel_collection and use eval to display the _key field for each row. For example:

| inputlookup ip_intel | eval item_key=_key


GET

Access a row from a collection.

Request parameters
None

Data payload
None

Response

The endpoint returns one of two responses:

{"message":<The row of the collection you requested, as a JSON object>, "status": true}

{"message": "No matching entries found in kvstore.", "status": false}


Example request

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d

Example response

{"message": [{"_user": "nobody", "time": 1481566235.98246, "threat_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d|stix_file.xml.xml", "ip": "58.64.179.144", "_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d"}], "status": true}

PUT

Update a row in a collection.

Request parameters

Field Type Default Description
item
required
JSON encoded string The field/value pairs in the row to be updated. For example, {'ip':'41.41.41.41'} updates the ip to 41.41.41.41. See the Data payload information for a list of important fields. The item must include at least one of the important fields for the relevant collection name, or the API returns an error.

Data payload
The item field must contain at least one of the important fields for the threat collection being modified.

Collection name Important fields
user_intel user
file_intel file_name, file_hash
ip_intel ip, domain
http_intel http_user_agent, ip, http_referrer, url, domain
email_intel embedded_domain, src_user, subject, file_hash, file_name, embedded_ip
service_intel service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service
process_intel dest, src, process_file_name, process
registry_intel registry_path, registry_value_name, registry_value_text, user
certificate_intel certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain

Response

The endpoint returns one of two responses:

{"status": true, "message": "Update operation successful."}

{"status": false, "message": <failure_cause>}


Example request

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel/e83fa2c5036d4c85bd5669a48ca134c5 -d item='{"src_user": "user_new1", "subject":"click this"}' -X PUT

Example response

{"status": true, "message": "Update operation successful."}


DELETE

Delete a row from a collection.

Usage details
The delete operation does not delete the row from the KV Store. Instead, the entry is disabled from participating in threat intelligence matching.

Request parameters
None

Data payload
None

Response

The endpoint returns one of two responses:

{"message": "Delete operation successful.", "status": true}

{"message": <failure_reason>, "status": false}

Example request

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel/af8e379623f643a3be149c014b977e6b -X DELETE

Example response

{"message": "Delete operation successful.", "status": true}


Last modified on 09 August, 2017
PREVIOUS
The Splunk Enterprise Security API
  NEXT
Notable Event API reference

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters