Splunk® Enterprise Security

Installation and Upgrade Manual




Configure threat lists

The Splunk App for Enterprise Security includes threat lists: third-party data sources that provide lists of hosts (IP addresses, domains, and URLs) known to serve undesirable content.



Review the threat lists

The Splunk App for Enterprise Security comes with pre-configured threat lists. Some threat lists are enabled by default.

  1. Browse to Configure > Data Enrichment > Threat Lists, and review the Description field of each enabled list to understand its intended use case.
  2. Enable or disable the lists that correspond to the security domain, data sources, and defined use case for the Enterprise Security installation.
  3. Use the Threat List Settings editor to configure a proxy server for a threat list, to edit an existing threat list, or change threat list update information.
  4. Use the Threat List Audit dashboard to review the status of all threat lists.

Threat list settings

Use the Threat Lists page to view and configure the settings of each threat list. Browse to Configure > Data Enrichment > Threat Lists and select a threat list name to view its settings.

Threat List Settings
  • Type: The name or type of threat list.
  • Description: Details about the source and function of the specific threat list.
  • URL: A link to the source download.
  • Weight: The threat list weight multiplier to use for Risk Analysis calculations.
  • Interval: The download interval for a threat list.
  • POST Arguments: Optional arguments that can be passed to the URL for threat list downloading.
Parsing Options
  • Delimiting regular expression: A regular expression matched against each line of a threat list to split it into fields.
  • Extracting regular expression: A regular expression whose capture groups extract fields from each line of a threat list.
  • Fields: A transforms.conf-style expression used to rename or combine the extracted fields.
  • Ignoring regular expression: A regular expression; lines that match it are IGNORED (for example, comment lines).
  • Skip header lines: The number of header lines to skip when processing the threat list. Set to "1" for lookup tables and other CSV files with a header row.
Download Options
  • Retry interval: Number of seconds to wait between download retry attempts. Review the recommended poll interval of the threat list provider before changing the retry interval.
  • Remote site user: A username to use in remote authentication, if required. The user must correspond to the name of a Splunk secure stored credential in Credential Management.
  • Retries: The maximum number of retry attempts.
  • Timeout: Number of seconds to wait before marking a download attempt as failed.
Proxy Options: (Optional)
  • Proxy Server: The proxy server address.
  • Proxy Port: The proxy server port.
  • Proxy User: The proxy server user credential. Supported authentication methods are Basic and Digest. The user must correspond to the name of a Splunk secure stored credential in Credential Management.
Important: If you remove an existing username and password in the Threat List Settings editor, the threat list download process no longer uses the proxy credential. The credential itself is not deleted and must be removed separately in Credential Management.
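To try a feed's parsing and download settings before adding it in the editor, here is an added example in Python (not code from Enterprise Security or Splunk). It models the Parsing Options and Download Options above on a constructed sample feed. The option names, the "$n" substitution syntax for Fields, the treatment of lines that do not split or match, and the proxy handling are assumptions; the ES threat list downloader itself is not reproduced.

```python
"""Added example, not code from Splunk Enterprise Security: emulate the
Threat List Settings parsing and download options on a feed before adding
it in the editor. Option names mirror the editor fields; the "$n"
substitution in Fields is an assumption about the transforms.conf-style
syntax, so compare it with a threat list that ES ships with."""
import re
import time
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample feed: header line, comment, blank line,
# "ip|category|first_seen" records and one malformed line.
SAMPLE_FEED = """ip|category|first_seen
# comment line that must be ignored
203.0.113.7|botnet-c2|2015-04-01

198.51.100.23|malware-hosting|2015-04-02
this line has no delimiter
192.0.2.250|scanner|2015-04-03
"""


def _apply_fields(positional: List[str], fields: Optional[str]) -> Dict[str, str]:
    """Fields setting as "name:value,...": "$n" is the n-th delimited or
    captured field (1-based), anything else is literal text, so
    "ip:$1,description:feed-$2" both renames and combines."""
    if not fields:
        return {f"field{i}": v for i, v in enumerate(positional, start=1)}

    def sub(m):
        n = int(m.group(1))
        return positional[n - 1] if 1 <= n <= len(positional) else ""

    out = {}
    for spec in fields.split(","):
        name, _, value = spec.partition(":")
        out[name.strip()] = re.sub(r"\$(\d+)", sub, value.strip())
    return out


def parse_threat_list(text: str, delim_regex: str = r",",
                      extract_regex: Optional[str] = None,
                      fields: Optional[str] = None,
                      ignore_regex: str = r"^\s*(#|$)",
                      skip_header_lines: int = 0) -> List[Dict[str, str]]:
    """Parsing Options in order: skip header lines, drop lines matching
    ignore_regex, then split on delim_regex or take extract_regex's
    capture groups, and finally map the fields through Fields."""
    ignore = re.compile(ignore_regex)
    extract = re.compile(extract_regex) if extract_regex else None
    records = []
    for line in text.splitlines()[skip_header_lines:]:
        if ignore.search(line):
            continue
        if extract is not None:
            m = extract.search(line)
            if not m:
                continue                 # unmatched line: not a record
            positional = [g or "" for g in m.groups()]
        else:
            positional = re.split(delim_regex, line)
            if len(positional) < 2:
                continue                 # line did not split: not a record
        records.append(_apply_fields(positional, fields))
    return records


def download_threat_list(url: str, retries: int = 3, retry_interval: float = 30.0,
                         timeout: float = 60.0, proxy: Optional[str] = None,
                         fetch: Optional[Callable[[str, float], str]] = None,
                         sleep: Callable[[float], None] = time.sleep) -> str:
    """Download Options: one attempt plus `retries` retries, each bounded by
    `timeout` seconds, sleeping `retry_interval` between attempts. `proxy`
    is "http://host:port" (proxy credentials from Credential Management are
    not modelled). `fetch` and `sleep` are injectable so the retry path can
    be exercised offline."""
    if fetch is None:
        proxies = {"http": proxy, "https": proxy} if proxy else {}
        opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))

        def fetch(u: str, t: float) -> str:
            with opener.open(u, timeout=t) as resp:
                return resp.read().decode("utf-8", "replace")

    last_error: Optional[Exception] = None
    for attempt in range(retries + 1):
        try:
            return fetch(url, timeout)
        except Exception as exc:         # timeouts and HTTP errors alike
            last_error = exc
            if attempt < retries:
                sleep(retry_interval)
    raise RuntimeError(f"download of {url} failed after {retries} retries") from last_error
```

Parsing SAMPLE_FEED with a delimiting regular expression of "\|", Fields of "ip:$1,description:$2" and one skipped header line yields three ip/description records, and the extracting regular expression "^(\d+\.\d+\.\d+\.\d+)\|([^|]+)" yields the same three. Both the ignoring regular expression and a line that fails to split drop lines silently, so compare the record count against the feed's line count when tuning these options. The retry loop sleeps only between attempts, never after the last failure, which is the behaviour to expect when Retries is set to 0.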

Edit a threat list

Use the Threat List Settings editor to modify information about an existing threat list.

To edit a threat list:

1. Go to Configure > Data Enrichment > Threat Lists and click the name of the threat list you want to edit.

2. In the Threat List Settings editor, make changes to the fields describing the threat list.

3. Save any changes when you are done.

Add a new threat list

Use the Threat List Settings editor to add a new threat list to your deployment.

To add a new threat list:

1. Go to Configure > Data Enrichment > Threat Lists.

2. Click New to open the Threat List Settings editor.

3. Enter the information about the threat list.

4. Save the changes when you are done.

Add a static threat list

A static threat list is a CSV file with two columns, using one of three formats: description, ip; description, domain; or description, url.

The description field is a free form textual description. It can be the same for all entries in a threat list or it can be unique for each entry.
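Before adding a static threat list, it is worth checking that the file really has one of the three supported column pairs and that every indicator fits its column. The following is an added example in Python (not code from Enterprise Security or Splunk) that does that check on a constructed sample file. The validation rules (a single IPv4 or IPv6 address, a hostname-shaped domain, an http or https URL) are assumptions of this example; ES may accept more or less than this.

```python
"""Added example, not Splunk Enterprise Security code: validate a static
threat list CSV (description,ip / description,domain / description,url)
before adding it. The per-column rules are this example's assumptions."""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_HEADERS = {("description", "ip"),
                   ("description", "domain"),
                   ("description", "url")}
# Hostname-shaped: dot-separated labels of 1-63 chars, no leading/trailing
# hyphen, alphabetic TLD, 253 chars overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)      # single address only; no CIDR here
        return True
    except ValueError:
        return False


def _valid_url(value: str) -> bool:
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


VALIDATORS = {"ip": _valid_ip,
              "domain": lambda v: DOMAIN_RE.match(v) is not None,
              "url": _valid_url}


def validate_static_threat_list(csv_text: str
                                ) -> Tuple[Optional[str], List[Dict[str, str]], List[str]]:
    """Return (indicator kind, accepted records, error messages).
    kind is None when the header is not one of the supported pairs."""
    reader = csv.reader(io.StringIO(csv_text))
    header = tuple(h.strip().lower() for h in next(reader, []))
    if header not in ALLOWED_HEADERS:
        return None, [], ["line 1: header must be description,ip or "
                          "description,domain or description,url; got "
                          + ",".join(header)]
    kind = header[1]
    records, errors = [], []
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue                                  # blank line
        if len(row) != 2:
            errors.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        description, indicator = row[0].strip(), row[1].strip()
        if not VALIDATORS[kind](indicator):
            errors.append(f"line {lineno}: {indicator!r} is not a valid {kind}")
            continue
        records.append({"description": description, kind: indicator})
    return kind, records, errors


# Constructed sample: two good rows, one bad indicator, one row with too
# many columns.
SAMPLE_IP_LIST = """description,ip
known scanner,203.0.113.7
phishing drop host,198.51.100.23
bad row,not-an-ip
too,many,columns
"""
```

On SAMPLE_IP_LIST the function reports kind "ip", two accepted records, and two errors (lines 4 and 5); a file whose header is swapped to ip,description is rejected outright, since the column order is part of the format. Fix the reported lines before adding the list rather than relying on ES to skip them.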

Last modified on 22 April, 2015

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2

