Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure threat intelligence sources

Correlate indicators of suspicious activity, known threats, or potential threats with your events by adding threat intelligence to Splunk Enterprise Security. Use threat intelligence to enhance your security monitoring capabilities and add context to your investigations.

Splunk Enterprise Security includes a selection of threat intelligence sources, and supports multiple types of threat intelligence so that you can add your own threat intelligence. See Threat intelligence sources included with Splunk Enterprise Security.

Supported types of threat intelligence

Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.

Threat collection in KV Store   Supported IOC data types    Local lookup file
certificate_intel               X509 certificates           Local Certificate Intel
email_intel                     Email                       Local Email Intel
file_intel                      File names or hashes        Local File Intel
http_intel                      URLs                        Local HTTP Intel
ip_intel                        IP addresses or domains     Local IP Intel and Local Domain Intel
process_intel                   Processes                   Local Process Intel
registry_intel                  Registry entries            Local Registry Intel
service_intel                   Services                    Local Service Intel
user_intel                      Users                       Local User Intel

The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.

Adding threat intelligence to Splunk Enterprise Security

Splunk administrators can add threat intelligence to Splunk Enterprise Security by downloading a feed from the Internet, uploading a structured file, or directly from events in Splunk Enterprise Security.

Download a threat intelligence feed from the Internet

Splunk Enterprise Security can periodically download a threat intelligence feed available from the Internet, parse it, and add it to the relevant KV Store collections.

Add a URL-based threat source

Add a non-TAXII source of threat intelligence that is available from a URL on the Internet.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Click New to add a new threat intelligence source.
  3. Type a Name for the threat download. The name can only contain alphanumeric characters, hyphens, and underscores. The name cannot contain spaces.
  4. Type a Type for the threat download. The type identifies the type of threat indicator that the feed contains.
  5. Type a Description. Describe the indicators in the threat feed.
  6. Type an integer to use as the Weight for the threat indicators. Enterprise Security uses the weight of a threat feed to calculate the risk score of an asset or identity associated with an indicator on the threat feed. A higher weight indicates an increased relevance or an increased risk to your environment.
  7. (Optional) Change the default download Interval for the threat feed. Defaults to 43200 seconds, or every 12 hours.
  8. (Optional) Type POST arguments for the threat feed.
  9. (Optional) Type a Maximum age to define the retention period for this threat source, as a relative time specifier such as -7d. If the feed's last update is older than the maximum age, the threat intelligence modular input removes that source's data from the threat collection. Enable the corresponding retention saved searches for this setting to take effect. See Configure threat source retention.
  10. Fill out the Parsing Options fields to make sure that your threat list parses successfully. You must fill out either a delimiting regular expression or an extracting regular expression. You cannot leave both fields blank.
    Delimiting regular expression
      A delimiter used to split lines in a threat source. Delimiters must be a single character. For more complex delimiters, use an extracting regular expression.
      Example: , or : or \t
    Extracting regular expression
      A regular expression used to extract fields from individual lines of a threat source document. Each capture group becomes a numbered column that the Fields setting can reference.
      Example: ^(\S+)\t+(\S+)\t+\S+\t+\S+\t*(\S*)
    Fields
      Required if your document is line-delimited. Comma-separated list of fields to be extracted from the threat list, in the form <fieldname>:$<number>,<fieldname>:$<number>, where $<number> refers to a delimited or extracted column and any other value is assigned to every row as a literal. Can also be used to rename or combine fields. description is a required field. Additional acceptable fields are the fields in the corresponding KV Store collection for the threat intelligence, visible in the local lookup files or the DA-ESS-ThreatIntelligence/collections.conf file. Defaults to description:$1,ip:$2.
      Example: ip:$1,description:domain_blocklist
    Ignoring regular expression
      A regular expression used to ignore lines in a threat source. Defaults to ignoring blank lines and comments.
      Example: (^#|^\s*$)
    Skip header lines
      The number of header lines to skip when processing the threat source.
      Example: 0
  11. (Optional) Change the Download Options fields to make sure that your threat list downloads successfully.
    Retry interval
      Number of seconds to wait between download retry attempts. Review the recommended poll interval of the threat source provider before changing the retry interval.
      Example: 60
    Remote site user
      If the threat feed requires authentication, the user name to use for remote authentication. The user name you add in this field must match the name of a credential in Credential Management.
      Example: admin
    Retries
      The maximum number of retry attempts.
      Example: 3
    Timeout
      Number of seconds to wait before marking a download attempt as failed.
      Example: 30
  12. (Optional) If you are using a proxy server, fill out the Proxy Options for the threat feed. See Configure a proxy for retrieving threat intelligence.
  13. Save your changes.

See Verify that you added threat intelligence successfully.

Add a ransomware threat feed to Splunk Enterprise Security

This example describes how to add a list of blocked domains that could host ransomware to Splunk Enterprise Security to better prepare your organization for a ransomware attack. The feed used in this example is from abuse.ch

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Click New to add a new threat intelligence source.
  3. Type a Name of ransomware_tracker to describe the threat download source.
  4. Type a Type of domain to identify the type of threat intelligence contained in the threat source.
  5. Type a Description of Blocked domains that could host ransomware.
  6. Type a URL of https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt.
  7. (Optional) Change the default Weight of 1 to 2 because ransomware is a severe threat and you want an extra risk score multiplier for assets or identities associated with blocked ransomware domains.
  8. Leave the default Interval of 43200 seconds, or every 12 hours.
  9. Leave the POST arguments field blank because this type of feed does not accept POST arguments.
  10. Decide whether to define a Maximum age for the threat intelligence. According to the ransomware tracker website, items on the blocklist stay on the blocklist for 30 days. To drop items off the blocklist in Enterprise Security sooner than that, set a maximum age of less than 30 days. Type a maximum age of -7d.
  11. Type : as the Delimiting regular expression. The feed lists one domain per line, so each line becomes a single column ($1) that the Fields setting can enrich with additional fields.
  12. Leave the Extracting regular expression field blank. The domain names do not need to be extracted with a regular expression because the feed is line-delimited.
  13. Type Fields of domain:$1,description:ransomware_domain_blocklist to define the fields in this blocklist.
  14. (Optional) Leave the default Ignoring regular expressions field.
  15. Change the Skip header lines field to 0 because the ignoring regular expression ignores the comments at the top of the feed.
  16. Leave the Retry interval at the default of 60 seconds.
  17. (Optional) Leave the Remote site user field blank because this feed does not require any form of authentication.
  18. Leave the Retries field at the default of 3.
  19. Leave the Timeout field at the default of 30 seconds.
  20. Ignore the Proxy Options section unless you are using a proxy server to add threat intelligence to Splunk Enterprise Security.
  21. Click Save.
  22. From the Splunk platform menu bar, select Apps > Enterprise Security to return to Splunk Enterprise Security.
  23. From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
  24. Find the ransomware_tracker stanza in the Threat Intelligence Downloads panel and verify that the status is threat list downloaded.
  25. From the Enterprise Security menu bar, select Security Intelligence > Threat Intelligence > Threat Artifacts.
  26. Type an Intel Source ID of ransomware_tracker to search for domains added to Splunk Enterprise Security from the new threat feed.
  27. Click Submit to search.
  28. Click the Network tab and review the Domain Intelligence panel to verify that threat intelligence from the ransomware_tracker threat source appears.
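The Parsing Options table above and the ransomware_tracker walkthrough both come down to the same few rules: skip header lines, drop lines matching the ignoring regular expression, split the line with the delimiting regular expression or capture columns with the extracting regular expression, then map $n references and literals through Fields. The following Python is an added example, not Splunk's threatlist modular input, that applies those rules to constructed feed text so a Fields specification can be dry-run before the source is saved. The default ignoring regular expression, the sample feeds and the handling of short or empty columns are assumptions of this example.

```python
"""Added example, not Splunk's threatlist modular input: apply the
Parsing Options of a threat download (skip header lines, ignoring
regex, delimiting or extracting regex, Fields mapping) to feed text.
The default ignoring regex, sample feeds and empty-column handling
are assumptions of this example."""
import re
from typing import Dict, List, Optional

# Assumed default for "Ignoring regular expression": comments and blank lines.
DEFAULT_IGNORE_REGEX = r"(^#|^\s*$)"


def parse_fields_spec(spec: str) -> Dict[str, str]:
    """Parse 'ip:$1,description:domain_blocklist' into an ordered mapping.

    A value such as $2 refers to the second split/extracted column; any
    other value is a literal assigned to every row. description is
    required, as the Fields description says."""
    fields: Dict[str, str] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"field spec {item!r} is not <fieldname>:<value>")
        name, value = (part.strip() for part in item.split(":", 1))
        if not name or not value:
            raise ValueError(f"field spec {item!r} has an empty name or value")
        fields[name] = value
    if "description" not in fields:
        raise ValueError("Fields must include description")
    return fields


def parse_threat_feed(
    text: str,
    fields: str = "description:$1,ip:$2",
    delim_regex: Optional[str] = None,
    extract_regex: Optional[str] = None,
    ignore_regex: str = DEFAULT_IGNORE_REGEX,
    skip_header_lines: int = 0,
) -> List[Dict[str, str]]:
    """Return one row per usable feed line, keyed by the Fields names."""
    if not delim_regex and not extract_regex:
        raise ValueError("either a delimiting or an extracting regular expression is required")
    spec = parse_fields_spec(fields)
    ignore = re.compile(ignore_regex)
    extractor = re.compile(extract_regex) if extract_regex else None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines()[skip_header_lines:]:
        if ignore.search(line):
            continue
        if extractor:
            m = extractor.search(line)
            if not m:
                continue  # non-matching line; the real input would log it
            columns = [g or "" for g in m.groups()]
        else:
            columns = re.split(delim_regex, line)
        row: Dict[str, str] = {}
        for name, value in spec.items():
            if value.startswith("$"):
                idx = int(value[1:]) - 1
                if idx >= len(columns):
                    row = {}  # fewer columns than Fields expects: drop the line
                    break
                row[name] = columns[idx].strip()
            else:
                row[name] = value
        if row:
            rows.append(row)
    return rows


# Constructed sample: one domain per line with a comment header, in the
# shape used by the ransomware_tracker walkthrough.
SAMPLE_DOMAIN_FEED = """\
# Domain blocklist (constructed sample)
# Last updated: 2017-04-13
badsite.example
payload-host.example

another-bad.example
"""

# Constructed tab-separated sample for the extracting regular expression
# shown in the Parsing Options table.
SAMPLE_TSV_FEED = """\
# ip\tdescription\tasn\tcountry\tfirst_seen
198.51.100.7\tscanner\t64496\tZZ\t2017-04-01
203.0.113.9\tc2\t64497\tZZ\t
"""


def demo():
    """Run both samples through their Parsing Options and return the rows."""
    domains = parse_threat_feed(
        SAMPLE_DOMAIN_FEED,
        fields="domain:$1,description:ransomware_domain_blocklist",
        delim_regex=":",
    )
    tsv = parse_threat_feed(
        SAMPLE_TSV_FEED,
        fields="ip:$1,description:$2,first_seen:$3",
        extract_regex=r"^(\S+)\t+(\S+)\t+\S+\t+\S+\t*(\S*)",
    )
    return domains, tsv


if __name__ == "__main__":
    domains, tsv = demo()
    for row in domains + tsv:
        print(row)
```

Running the script prints three domain rows carrying the literal description and two IP rows from the extracting regular expression, the second with an empty first_seen because its last capture group matched nothing. Feed a copy of your real feed through the same call with your intended Fields value and compare the rows with the field names in the corresponding local lookup before saving the download.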

Add a TAXII feed

Add threat intelligence provided as a TAXII feed to Splunk Enterprise Security.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Click New to add a new TAXII feed.
  3. Type a Name for the threat intelligence feed.
  4. Type a Type of taxii.
  5. Type a Description for the threat intelligence feed.
  6. Type a URL to use to download the TAXII feed.
  7. (Optional) Change the default Weight for the threat intelligence feed. Increase the weight if the threats on the threat feed are high-confidence and malicious threats that should increase the risk score for assets and identities that interact with the indicators from the threat source.
  8. (Optional) Adjust the interval at which to download the threat intelligence. Defaults to 43200 seconds, or twice a day.
  9. Type TAXII-specific space-delimited POST arguments for the threat intelligence feed, in the form <POST argument>="<POST argument value>".
    collection
      Name of the data collection from a TAXII feed.
      Example: collection="A_TAXII_Feed_Name"
    earliest
      The earliest threat data to pull from the TAXII feed.
      Example: earliest="-1y"
    taxii_username
      An optional method to provide a TAXII feed username.
      Example: taxii_username="user"
    taxii_password
      An optional method to provide a TAXII feed password. If you provide a username without providing a password, the threat intelligence modular input attempts to find the password in Credential Management.
      Example: taxii_password="password"
    cert_file
      Add the certificate file name if the TAXII feed uses certificate authentication. The file name must match exactly and is case sensitive.
      Example: cert_file="cert.crt"
    key_file
      Add the key file name for the certificate if the TAXII feed uses certificate authentication. The file name must match exactly and is case sensitive.
      Example: key_file="cert.key"
  10. TAXII feeds do not use the Maximum age setting.
  11. TAXII feeds do not use the Parsing Options settings.
  12. (Optional) Change the Download Options.
  13. (Optional) Change the Proxy Options. See Configure a proxy for retrieving threat intelligence.
  14. Save the changes.

You cannot use an authenticated proxy with a TAXII feed because the libtaxii library used by Enterprise Security does not support authenticated proxies. If possible, use an unauthenticated proxy instead.
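As an added example (not the threat intelligence modular input's own code), the following Python parses the space-delimited POST arguments described in step 9 and resolves the TAXII credential the way the taxii_password description says: an inline password is used as given, and a taxii_username on its own is looked up in Credential Management. CREDENTIAL_STORE is a constructed stand-in for Credential Management; the relative-time check on earliest and the rule that cert_file and key_file must appear together are assumptions of this example.

```python
"""Added example, not Splunk's threat intelligence modular input: parse the
space-delimited <arg>="<value>" POST arguments of a TAXII download and
resolve the feed credential as the text describes (inline password first,
otherwise Credential Management). CREDENTIAL_STORE is a constructed
stand-in for Credential Management; the earliest check and the
cert_file/key_file pairing rule are assumptions of this example."""
import re
from typing import Dict, Optional, Tuple

# The POST argument names from the table above.
KNOWN_ARGS = {"collection", "earliest", "taxii_username", "taxii_password",
              "cert_file", "key_file"}

# One key="value" pair; a value may contain backslash-escaped quotes.
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_post_args(text: str) -> Dict[str, str]:
    """Turn 'collection="x" earliest="-1y"' into a dict, rejecting
    unknown, duplicated or malformed arguments."""
    args: Dict[str, str] = {}
    pos = 0
    for m in _PAIR.finditer(text):
        if text[pos:m.start()].strip():  # only whitespace may separate pairs
            raise ValueError(f"malformed POST arguments near {text[pos:m.start()]!r}")
        key, value = m.group(1), m.group(2).replace('\\"', '"')
        if key not in KNOWN_ARGS:
            raise ValueError(f"unknown TAXII argument {key!r}")
        if key in args:
            raise ValueError(f"duplicate TAXII argument {key!r}")
        args[key] = value
        pos = m.end()
    if text[pos:].strip():
        raise ValueError(f"malformed POST arguments near {text[pos:]!r}")
    if "collection" not in args:
        raise ValueError("collection is required")
    # Simplified relative-time check (assumption): -<n><unit>, e.g. -1y or -30d.
    if "earliest" in args and not re.fullmatch(r"-\d+[smhdwy]", args["earliest"]):
        raise ValueError("earliest must be a relative time such as -1y")
    # Certificate authentication needs the certificate and its private key.
    if ("cert_file" in args) != ("key_file" in args):
        raise ValueError("cert_file and key_file must be given together")
    return args


# Constructed stand-in for Credential Management: username -> password.
CREDENTIAL_STORE = {"taxii_user": "stored-password-from-credential-management"}


def resolve_taxii_credentials(args: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (username, password), or None for an unauthenticated feed.

    An inline taxii_password wins; a username on its own is looked up in
    Credential Management; a username with no stored credential is an
    error rather than a silent unauthenticated pull."""
    user = args.get("taxii_username")
    if user is None:
        return None
    if "taxii_password" in args:
        return user, args["taxii_password"]
    if user in CREDENTIAL_STORE:
        return user, CREDENTIAL_STORE[user]
    raise LookupError(f"no credential named {user!r} in Credential Management")


if __name__ == "__main__":
    parsed = parse_post_args('collection="A_TAXII_Feed_Name" earliest="-1y" taxii_username="taxii_user"')
    print(parsed, resolve_taxii_credentials(parsed))
```

The point of failing on a username without any matching credential, rather than falling back to an anonymous pull, is that a silently unauthenticated download can succeed against a collection that serves less data, and the gap only shows up later as missing indicators in Threat Artifacts.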

Add a TAXII feed with certificate authentication

You need file system access to add the certificates needed for certificate authentication. In a Splunk Cloud deployment, work with Splunk Support to add or change files on cloud-based nodes. Add the certificate and keys to the same app directory in which you define the TAXII feed. For example, DA-ESS-ThreatIntelligence.

  1. Add the certificate to the $SPLUNK_HOME/etc/apps/<app_name>/auth directory.
  2. Add the private key for the certificate to the same /auth directory.
  3. Follow the steps for adding a TAXII feed to Splunk Enterprise Security, using the cert_file and key_file POST arguments to specify the file names of the certificate and private key file.

Configure a proxy for retrieving threat intelligence

If you retrieve threat intelligence through a proxy server, configure the proxy options for the threat source.

The proxy user must correspond to the name of a securely stored credential in Credential Management. If you remove an existing proxy user and password in the Threat Intelligence Download Setting editor, the download process no longer references the stored credentials. Removing the reference to the credential does not delete the stored credentials from Credential Management.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Select the threat download source or add a new threat download source. See Add a URL-based threat source or Add a TAXII feed.
  3. Configure the proxy options.
    1. Type a proxy server address as a host name or IP address, not a URL. For example, 10.10.10.10 or server.example.com.
    2. Type a proxy server port to use to access the proxy server address.
    3. Type a proxy user credential for the proxy server. Only basic and digest authentication methods are supported.
  4. Save your changes.

Upload a STIX or OpenIOC structured threat intelligence file

Add threat intelligence in the form of a structured file to Splunk Enterprise Security. OpenIOC, STIX, and CSV file types are supported by Splunk Enterprise Security.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Uploads.
  2. Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel. The file name cannot include spaces or special characters.
  3. Upload an OpenIOC or STIX-formatted file.
  4. Type a Weight for the threat intelligence file. The weight of a threat intelligence file increases the risk score of objects associated with threat intelligence on this list.
  5. (Optional) Type a Threat Category. If you leave this field blank and a category is specified in the OpenIOC or STIX file, Splunk Enterprise Security uses the threat category specified in the file.
  6. (Optional) Type a Threat Group. If you leave this field blank and a group is specified in the OpenIOC or STIX file, Splunk Enterprise Security uses the threat group specified in the file.
  7. (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
  8. Click Save.
  9. Verify that your threat intelligence was successfully added. See Verify that you added threat intelligence successfully.

Upload a custom CSV file of threat intelligence

You can add a custom file of threat intelligence to Splunk Enterprise Security. All threat indicators in a CSV file must be of the same type; a single file cannot mix, for example, IP and file intelligence. To mix types of indicators in one file, create an OpenIOC or STIX file instead, using an editor available on the web, and follow the instructions to Upload a STIX or OpenIOC structured threat intelligence file.

Identify whether your custom file contains certificate, domain, email, file, HTTP, IP, process, registry, service, or user threat intelligence and make sure that the custom CSV file is properly formatted.

  1. Select Configure > Data Enrichment > Lists and Lookups.
  2. Find the lookup file that matches the local threat intel you are providing. For example, Local File Intel.
  3. Open the relevant lookup to view the required headers.
  4. Create a new .csv file with a header row containing the required fields.
  5. Add the threat data to the .csv file.

Add the custom file to Splunk Enterprise Security.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Uploads.
  2. Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel. The file name cannot include spaces or special characters.
  3. Upload the CSV-formatted file.
  4. Type a Weight for the threat list. The weight of a threat file increases the risk score of objects associated with threat intelligence on this list.
  5. (Optional) Type a Threat Category.
  6. (Optional) Type a Threat Group.
  7. (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
  8. Click Save.
  9. Verify that your threat intelligence was successfully added. See Verify that you added threat intelligence successfully.

Add threat intelligence from events

You can add threat intelligence from events to the local threat intelligence lookups.

  1. Write a search that produces threat indicators.
  2. Add | outputlookup local_<threat intelligence type>_intel append=t to the end of the search.

For example, write a search that produces a list of IP addresses that are testing a web server for vulnerabilities and add them to the local_ip_intel lookup to be processed by the modular input and added to the ip_intel KV Store collection.
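The search described above, as an added example in Python rather than SPL (not Splunk's own code): scan constructed web access-log lines for sources probing a web server, and shape the result as rows for the Local IP Intel lookup, which is what `| outputlookup local_ip_intel append=t` appends from a search. The same row shape applies to a custom CSV upload for IP intelligence. The ip, description and weight headers are assumed to be part of that lookup; confirm them under Lists and Lookups, as in the custom CSV procedure above, before appending rows. The threshold, probe paths and log lines are made up for the example.

```python
"""Added example, not Splunk's own code: the "IP addresses testing a web
server for vulnerabilities" search from the text, done in Python over
constructed access-log lines, producing rows for the Local IP Intel lookup.
Assumptions: the lookup header includes ip, description and weight (check
the real header under Lists and Lookups), and the threshold, probe paths
and log lines are made up for the example."""
import csv
import io
import re
from collections import Counter
from typing import Dict, List

# Constructed Apache-style access log lines (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [13/Apr/2017:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 233
198.51.100.7 - - [13/Apr/2017:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 233
198.51.100.7 - - [13/Apr/2017:10:00:03 +0000] "GET /.env HTTP/1.1" 404 233
198.51.100.7 - - [13/Apr/2017:10:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 233
203.0.113.9 - - [13/Apr/2017:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [13/Apr/2017:10:01:05 +0000] "GET /missing.png HTTP/1.1" 404 233
192.0.2.44 - - [13/Apr/2017:10:02:00 +0000] "GET /admin.php?id=1%27%20OR%201=1-- HTTP/1.1" 404 233
192.0.2.44 - - [13/Apr/2017:10:02:01 +0000] "GET /../../etc/passwd HTTP/1.1" 400 233
192.0.2.44 - - [13/Apr/2017:10:02:02 +0000] "GET /shell.php HTTP/1.1" 404 233
"""

_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths a vulnerability scanner typically probes (assumed list).
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin", "/.env", "/cgi-bin/",
               "/shell.php", "/admin.php", "/etc/passwd")


def find_scanners(log_text: str, min_hits: int = 3) -> Dict[str, int]:
    """Return {src_ip: suspicious_request_count} for sources that made at
    least min_hits requests that got a 4xx response or hit a probe path."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        uri = m.group("uri")
        if 400 <= status < 500 or any(p in uri for p in PROBE_PATHS):
            hits[m.group("src")] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def to_local_ip_intel_rows(scanners: Dict[str, int], weight: int = 1) -> List[Dict[str, str]]:
    """Shape the result as rows for local_ip_intel (header names assumed)."""
    return [{"ip": ip, "description": "web_vuln_scanner", "weight": str(weight)}
            for ip in sorted(scanners)]


def render_csv(rows: List[Dict[str, str]]) -> str:
    """Render rows as the CSV that `| outputlookup local_ip_intel append=t`
    would append from a search."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "description", "weight"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(render_csv(to_local_ip_intel_rows(find_scanners(SAMPLE_LOG))), end="")
```

With the sample lines, 203.0.113.9 is left out because one missing image is not scanning behaviour, while the two sources that made three or more probe requests are emitted. Keep the threshold conservative: every row appended to local_ip_intel is picked up by the modular input and becomes a threat match for any future traffic from that address.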

Add and maintain threat intelligence locally in Splunk Enterprise Security

Each threat collection has a local lookup file that you can use to manually add threat intelligence.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Lists and Lookups.
  2. Find the local lookup that matches the type of threat indicator you want to add. For example, Local Certificate Intel to add information about malicious or spoofed certificates.
  3. Click the lookup name to edit the lookup.
  4. Add indicators to the lookup. Right-click and select Insert Row Below to add new rows as needed.
  5. (Optional) Type a numeric Weight to change the risk score for objects associated with indicators on this threat intelligence source.
  6. Click Save.

Add threat intelligence with a custom lookup file

Add threat intelligence to Splunk Enterprise Security as a custom lookup file. A lookup-based threat source can add data to any of the supported threat intelligence groups, such as file or IP intelligence.

Prerequisite

Identify whether the custom threat source is certificate, domain, email, file, HTTP, IP, process, registry, service, or user intelligence.

Steps

Based on the type of intelligence you add to Splunk Enterprise Security, you must identify the headers for the csv file.

  1. Select Configure > Data Enrichment > Lists and Lookups.
  2. Find the lookup file that matches the local threat intel you are providing. For example, Local File Intel.
  3. Open the relevant lookup to view the required headers.
  4. Create a .csv file with a header row with the required fields.
  5. Add the threat data to the .csv file.

After you create the lookup file, you must add it to Splunk Enterprise Security.

  1. On the Splunk platform menu bar, select Settings > Lookups.
  2. Next to Lookup table files, click Add New.
  3. Select a Destination App of SA-ThreatIntelligence.
  4. Upload the .csv file you created.
  5. Type a Destination filename for the file. For example, threatindicatorszerodayattack.csv.
  6. Save.

After adding the threat intel lookup to Enterprise Security, set appropriate permissions so Enterprise Security can use the file.

  1. Open Lookup table files.
  2. Find the lookup file that you added and select Permissions.
  3. Select All apps for the Object should appear in field.
  4. Select Read access for Everyone.
  5. Select Write access for admin.
  6. Save.

Define the lookup so that Splunk ES can import it and understand what type of intelligence you are adding.

  1. On the Splunk platform menu bar, select Settings > Lookups.
  2. Next to Lookup definitions, click Add New.
  3. Select a Destination App of SA-ThreatIntelligence.
  4. Enter a name for the threat source. The name you enter here is used to define the threatlist in the input stanza. For example, zero_day_attack_threat_indicators_list.
  5. Select a Type: of File based.
  6. Select the Lookup File: that you added in step one. For example, threatindicatorszerodayattack.csv.
  7. Save.

Set permissions on the lookup definition so that the lookup functions properly.

  1. Open Lookup definitions
  2. Find the definition you added in step four and select Permissions.
  3. Set Object should appear in to All apps.
  4. Set Read access for Everyone.
  5. Set Write access for admin.
  6. Save.

Add a threat source input stanza that corresponds to the lookup file so that ES knows where to find the new threat intelligence.

  1. Select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Choose a threat source input that matches your new content. For example, local_file_intel.
  3. Click Clone in the Actions column.
  4. Type a Name. The name cannot include spaces. For example, zero_day_attack_threat_indicators.
  5. Type a Type. For example, zero_day_IOCs
  6. Type a Description. For example, File-based threat indicators from zero day malware.
  7. Type a URL that references the lookup definition you created in step three. lookup://zero_day_attack_threat_indicators_list.
  8. (Optional) Change the default Weight for the threat data.
  9. (Optional) Change the default Retry interval for the lookup.
  10. Save your changes.

Add OpenIOC or STIX files using the file system

You can also add threat intelligence to Splunk Enterprise Security by adding a properly-formatted file to a file system folder.

  1. Add a STIX-formatted file with a .xml file extension or an OpenIOC file with a .ioc file extension to the $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel folder on your Splunk Enterprise Security search head or make it available to that file directory on a mounted local network share. In a search head cluster, add it to this location on the deployer and deploy it to the search head cluster members.
  2. By default, the da_ess_threat_local modular input processes those files and places the threat intelligence found in the relevant KV Store collections.
  3. By default, after processing the intelligence in the files, the modular input deletes the files because the sinkhole setting is enabled by default.

Change the da_ess_threat_local inputs settings

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Click the da_ess_threat_local modular input.
  3. Review or change the settings as required.

Do not change the default da_ess_threat_default or sa_threat_local inputs.

Configure a custom folder and input monitor for threat sources

You can also add threat intelligence to Splunk Enterprise Security by adding a properly-formatted file to a custom file directory. The file directory must match the pattern $SPLUNK_HOME/etc/apps/<app_name>/local/threat_intel, and you must create an input monitor to monitor that file directory for threat intelligence. In a search head cluster, add it to this location on the deployer and deploy it to the search head cluster members.

Create an input monitor for threat sources to add threat intelligence to a different folder than the one monitored by the da_ess_threat_local modular input.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Click New
  3. Type a descriptive name for the modular input. The name cannot include spaces.
  4. Type a path to the file repository. The file repository must be $SPLUNK_HOME/etc/apps/<app_name>/local/threat_intel
  5. (Optional) Type a maximum file size in bytes.
  6. (Optional) Select the Sinkhole check box. If selected, the modular input deletes each file in the directory after processing the file.
  7. (Optional) Select the Remove Unusable check box. If selected, the modular input deletes a file after processing it if it has no actionable threat intelligence.
  8. (Optional) Type a number to use as the default weight for all threat intelligence documents consumed from this directory.

Verify that you added threat intelligence successfully

After you add new threat intelligence sources or configure included threat intelligence sources, verify that the threat intelligence is being parsed successfully and that threat indicators are being added to the threat intelligence KV Store collections. The modular input responsible for parsing threat intelligence runs every 60 seconds.

Verify that the threat feed is being downloaded

  1. From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit
  2. Find the threat source.
  3. Confirm that the download_status column states threat list downloaded.
  4. Review the Threat Intelligence Audit Events to see if there are errors associated with the threat lookup name.

Verify that threat indicators exist in the threat collections

  1. Select Security Intelligence > Threat Intelligence > Threat Artifacts.
  2. Search for the threat source name in the Intel Source ID field.
  3. Confirm that threat indicators exist for the threat source.

Troubleshoot parsing errors

Review the following log files on the Threat Intelligence Audit dashboard to troubleshoot errors that occur when threat intelligence sources are downloaded or parsed for addition to Enterprise Security.

  • Review the Threat Intelligence Audit Events panel for issues related to downloading threat content in the threatlist.log file or the threatintel:download sourcetype.
  • Review the Threat Intelligence Audit Events panel for issues related to parsing or processing in the threat_intelligence_manager.log file or the threatintel:manager sourcetype.

For errors that result from uploading a file, review the threat_intel_file_upload_rest_handler.log file.

For other parsing errors, make sure that the modular inputs are running as expected.

  • python_modular_input.log for errors associated with modular input failures.

How Splunk Enterprise Security processes threat intelligence data

See Threat Intelligence Framework on the Splunk > dev portal.

Threat intelligence sources included with Splunk Enterprise Security

Splunk Enterprise Security includes some threat intelligence sources to help you correlate indicators of suspicious activity and known or potential threats with your events.

Configure threat intelligence sources included with Splunk Enterprise Security

Each threat source website provides suggestions for polling intervals and other configuration requirements separate from Splunk Enterprise Security. When configuring the included threat intelligence sources, use the links to the threat source websites to review the threat source provider's documentation. Some threat intelligence sources are enabled by default.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Review the Description field for all defined threat intelligence sources to learn more about the types of indicators that can be correlated with your events.
  3. Enable or disable the threat intelligence sources that fit your security use cases.
  4. Configure the enabled threat intelligence sources that fit your security use cases.

After you enable threat intelligence sources, see Verify that you added threat intelligence successfully.

Threat sources included with Enterprise Security

Splunk Enterprise Security includes several threat intelligence feeds that retrieve information across the Internet. If your deployment is not connected to the Internet, disable these threat sources or source them in an alternate way. Splunk Enterprise Security expects all threat intelligence feeds to send properly-formatted data and valuable threat intelligence information. Feed providers are responsible for malformed data or false positives that could be identified in your environment as a result.

Because the IP addresses for these threat sources can change, firewall rules that allow each source individually are hard to maintain. Instead, consider using a proxy server to collect the threat intelligence before forwarding it to Splunk Enterprise Security, and allow the IP address of the proxy server to access Splunk Enterprise Security.

If you determine that your Splunk Enterprise Security installation is retrieving data from unexpected IP addresses, do a WHOIS or nslookup to determine if the IP address matches that of one of the threat sources configured in your environment.

Threat source                               Threat list provider   Website for the threat source
Emerging Threats compromised IPs blocklist  Emerging Threats       http://rules.emergingthreats.net/blockrules
Emerging Threats firewall IP rules          Emerging Threats       http://rules.emergingthreats.net/fwrules
Malware domain host list                    Hail a TAXII.com       http://hailataxii.com
iblocklist Logmein                          I-Blocklist            https://www.iblocklist.com/lists
iblocklist Piratebay                        I-Blocklist            https://www.iblocklist.com/lists
iblocklist Proxy                            I-Blocklist            https://www.iblocklist.com/lists
iblocklist Rapidshare                       I-Blocklist            https://www.iblocklist.com/lists
iblocklist Spyware                          I-Blocklist            https://www.iblocklist.com/lists
iblocklist Tor                              I-Blocklist            https://www.iblocklist.com/lists
iblocklist Web attacker                     I-Blocklist            https://www.iblocklist.com/lists
Malware Domain Blocklist                    Malware Domains        http://mirror1.malwaredomains.com
abuse.ch Palevo C&C IP Blocklist            abuse.ch               https://palevotracker.abuse.ch
Phishtank Database                          Phishtank              http://www.phishtank.com/
SANS blocklist                              SANS                   http://isc.sans.edu
abuse.ch ZeuS blocklist (bad IPs only)      abuse.ch               https://zeustracker.abuse.ch
abuse.ch ZeuS blocklist (standard)          abuse.ch               https://zeustracker.abuse.ch


Some lists included in Splunk Enterprise Security are not added to the threat intelligence collections and are instead used to enrich data in Enterprise Security.

Data list                      Data provider    Website for data provider
Alexa Top 1 Million Sites      Alexa Internet   http://www.alexa.com/topsites
Mozilla Public Suffix List     Mozilla          https://publicsuffix.org
ICANN Top-level Domains List   IANA             http://www.iana.org/domains/root/db

Change existing threat intelligence

After you add threat intelligence to Splunk Enterprise Security, you can make changes to the settings to make sure the threat intelligence you correlate with events is useful.

Enable or disable a threat intelligence source

Disable a threat intelligence source to prevent your events from matching data from that source in the threat intelligence collections, or enable it to resume matching.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Find the threat intelligence source.
  3. Under Status, click Enable or Disable.

Disable individual threat artifacts

To prevent individual threat artifacts on a threat list from creating notable events if they match events in your environment, disable individual threat artifacts. If you have command line access to the Enterprise Security search head, you can disable individual threat artifacts using the REST API. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.

Edit a threat source

Change information about an existing threat source, such as the retention period or the download interval for a threat source.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Click the name of the threat source you want to edit.
  3. Make changes to the fields as needed.
  4. Save your changes.

By default, only administrators can edit threat sources. To allow non-admin users to edit threat sources, see Adding capabilities to a role in the Installation and Upgrade Manual.

Configure threat source retention

Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the intelligence was added to Enterprise Security.

  1. If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This field is not used for TAXII feeds.
    1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
    2. Select a threat source.
    3. Change the Maximum age setting using a relative time specifier. For example, -7d or -30d.
  2. Enable the retention search for the collection.
    1. From the Splunk platform menu bar, select Settings and click Searches, reports, and alerts.
    2. Search for "retention" using the search filter.
    3. Enable the retention search for the collection that hosts the threat source. All retention searches are disabled by default.
Last modified on 13 April, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only