Download a threat intelligence feed from the Internet in Splunk Enterprise Security
Splunk Enterprise Security can periodically download a threat intelligence feed available from the Internet, parse it, and add it to the relevant KV Store collections.
- (Optional) Configure a proxy for retrieving threat intelligence.
- Follow the procedure that matches the format of the threat source: Add a URL-based threat source or Add a TAXII feed.
Configure a proxy for retrieving threat intelligence
If you use a proxy server to send threat intelligence to Splunk Enterprise Security, configure the proxy options for the threat source.
The user must correspond to the name of a Splunk secure stored credential in Credential Management. If you remove an existing proxy user and password in the Threat Intelligence Download Setting editor, the download process no longer references the stored credentials. Removing the reference to the credential does not delete the stored credentials from Credential Management. For more information, see Manage input credentials in Splunk Enterprise Security.
You cannot use an authenticated proxy with a TAXII feed because the libtaxii library used by Enterprise Security does not support authenticated proxies. If possible, use an unauthenticated proxy instead.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
- Select the threat download source or add a new threat download source. See Add a URL-based threat source or Add a TAXII feed.
- Configure the proxy options.
  - Type a proxy server address. The Proxy Server cannot be a URL. For example, 10.10.10.10 or server.example.com.
  - Type a proxy server port to use to access the proxy server address.
  - Type a proxy user credential for the proxy server. Only basic and digest authentication methods are supported.
- Save your changes.
Add a URL-based threat source
Add a non-TAXII source of threat intelligence that is available from a URL on the Internet.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
- Click New to add a new threat intelligence source.
- Type a Name for the threat download. The name can only contain alphanumeric characters, hyphens, and underscores. The name cannot contain spaces.
- Type a Type for the threat download. The type identifies the type of threat indicator that the feed contains.
- Type a Description. Describe the indicators in the threat feed.
- Type an integer to use as the Weight for the threat indicators. Enterprise Security uses the weight of a threat feed to calculate the risk score of an asset or identity associated with an indicator on the threat feed. A higher weight indicates an increased relevance or an increased risk to your environment.
- (Optional) Change the default download Interval for the threat feed. Defaults to 43200 seconds, or every 12 hours.
- (Optional) Type POST arguments for the threat feed.
- (Optional) Type a Maximum age to define the retention period for this threat source, defined in relative time. For example, -7d. If the time that the feed was last updated is greater than the maximum age defined with this setting, the threat intelligence modular input removes the data from the threat collection. Enable the corresponding saved searches for this setting to take effect. See Configure threat source retention.
- (Optional) If you need to specify a custom User agent string to bypass network security controls in your environment, type it in the format <user-agent>/<version>. For example, Mozilla/5.0 or AppleWebKit/602.3.12. The value in this field must match this regex:
  ([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)
  Check with your security device administrator to ensure the string you type here is accepted by your network security controls.
- Fill out the Parsing Options fields to make sure that your threat list parses successfully. You must fill out either a delimiting regular expression or an extracting regular expression. You cannot leave both fields blank.
  - Delimiting regular expression: A delimiter used to split lines in a threat source. Delimiters must be a single character. For more complex delimiters, use an extracting regular expression. Example: , or : or \t
  - Extracting regular expression: A regular expression used to extract fields from individual lines of a threat source document. Use to extract values in the threat source. Example: ^(\S+)\t+(\S+)\t+\S+\t+\S+\t*(\S*)
  - Fields: Required if your document is line-delimited. Comma-separated list of fields to be extracted from the threat list. Can also be used to rename or combine fields. Description is a required field. Additional acceptable fields are the fields in the corresponding KV Store collection for the threat intelligence, visible in the local lookup files or the DA-ESS-ThreatIntelligence/collections.conf file. Defaults to description:$1,ip:$2. Syntax: <fieldname>:$<number>,<field name>.$<number> Example: ip:$1,description:domain_blocklist
  - Ignoring regular expression: A regular expression used to ignore lines in a threat source. Defaults to ignoring blank lines and comments. Example: ^\s*$)
  - Skip header lines: The number of header lines to skip when processing the threat source. Example: 0
- (Optional) Change the Download Options fields to make sure that your threat list downloads successfully.
  - Retry interval: Number of seconds to wait between download retry attempts. Review the recommended poll interval of the threat source provider before changing the retry interval. Example: 60
  - Remote site user: If the threat feed requires authentication, type the user name to use in remote authentication. The user name you add in this field must match the name of a credential in Credential Management. See Manage input credentials in Splunk Enterprise Security. Example: admin
  - Retries: The maximum number of retry attempts. Example: 3
  - Timeout: Number of seconds to wait before marking a download attempt as failed. Example: 30
- (Optional) If you are using a proxy server, fill out the Proxy Options for the threat feed. See Configure a proxy for retrieving threat intelligence.
- Save your changes.
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
Example: Add a ransomware threat feed to Splunk Enterprise Security
This example describes how to add a list of blocked domains that could host ransomware to Splunk Enterprise Security to better prepare your organization for a ransomware attack. The feed used in this example is from abuse.ch.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
- Click New to add a new threat intelligence source.
- Type a Name of ransomware_tracker to describe the threat download source.
- Type a Type of domain to identify the type of threat intelligence contained in the threat source.
- Type a Description of Blocked domains that could host ransomware.
- Type a URL of https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt.
- (Optional) Change the default Weight of 1 to 2 because ransomware is a severe threat and you want an extra risk score multiplier for assets or identities associated with blocked ransomware domains.
- Leave the default Interval of 43200 seconds, or every 12 hours.
- Leave the POST arguments field blank because this type of feed does not accept POST arguments.
- Decide whether to define a Maximum age for the threat intelligence. According to the ransomware tracker website, items on the blocklist stay on the blocklist for 30 days. To drop items off the blocklist in Enterprise Security sooner than that, set a maximum age of less than 30 days. Type a maximum age of -7d.
- Determine whether you need to specify a User agent string due to security controls in your environment. If not, leave this field blank.
- Type a default Delimiting regular expression of : so that you can enrich the threat indicators by adding fields.
- Leave the Extracting regular expression field blank because the domain names are line-delimited and do not need to be extracted.
- Type Fields of domain:$1,description:ransomware_domain_blocklist to define the fields in this blocklist.
- (Optional) Leave the default Ignoring regular expressions field.
- Change the Skip header lines field to 0 because the ignoring regular expression ignores the comments at the top of the feed.
- Leave the Retry interval at the default of 60 seconds.
- (Optional) Leave the Remote site user field blank because this feed does not require any form of authentication.
- Leave the Retries field at the default of 3.
- Leave the Timeout field at the default of 30 seconds.
- Ignore the Proxy Options section unless you are using a proxy server to add threat intelligence to Splunk Enterprise Security.
- Click Save.
- From the Splunk platform menu bar, select Apps > Enterprise Security to return to Splunk Enterprise Security.
- From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
- Find the ransomware_tracker stanza in the Threat Intelligence Downloads panel and verify that the status is threat list downloaded.
- From the Enterprise Security menu bar, select Security Intelligence > Threat Intelligence > Threat Artifacts.
- Type an Intel Source ID of ransomware_tracker to search for domains added to Splunk Enterprise Security from the new threat feed.
- Click Submit to search.
- Click the Network tab and review the Domain Intelligence panel to verify that threat intelligence from the ransomware_tracker threat source appears.
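How the Parsing Options from this walkthrough act on a feed can be checked offline before saving the source. The following is an added illustration, not Splunk's own parser: the function names, the DEFAULT_IGNORE pattern and the sample feed are assumptions, and it also handles the extracting-regular-expression case and reports lines that yield no usable fields.

```python
import re

# Assumption: stands in for the default "ignore blank lines and comments".
DEFAULT_IGNORE = r"^\s*(#|$)"

def parse_fields(spec):
    """'domain:$1,description:text' -> [('domain', 1), ('description', 'text')]"""
    pairs = []
    for item in spec.split(","):
        name, _, value = item.strip().partition(":")
        ref = re.fullmatch(r"\$(\d+)", value)
        pairs.append((name, int(ref.group(1)) if ref else value))
    if "description" not in dict(pairs):
        raise ValueError("description is a required field")
    return pairs

def parse_threat_list(text, fields, delim=None, extract=None,
                      ignore=DEFAULT_IGNORE, skip_header_lines=0):
    """Return (rows, rejected); rejected holds (line number, line) pairs."""
    if not delim and not extract:
        raise ValueError("set a delimiting or an extracting regular expression")
    spec, rows, rejected = parse_fields(fields), [], []
    lines = text.splitlines()
    for number, line in enumerate(lines[skip_header_lines:], skip_header_lines + 1):
        if re.search(ignore, line):
            continue  # comment or blank line
        if extract:
            match = re.search(extract, line)
            parts = list(match.groups()) if match else []
        else:
            parts = re.split(delim, line)
        refs = [v for _, v in spec if isinstance(v, int)]
        if not parts or any(not 1 <= r <= len(parts) for r in refs):
            rejected.append((number, line))  # surfaced instead of silently dropped
            continue
        rows.append({n: parts[v - 1] if isinstance(v, int) else v for n, v in spec})
    return rows, rejected

# Constructed sample feed; the domains are placeholders, not real indicators.
SAMPLE_FEED = "# comment header\n\nbad-domain.example\nanother-bad.example\n"

if __name__ == "__main__":
    rows, rejected = parse_threat_list(
        SAMPLE_FEED, "domain:$1,description:ransomware_domain_blocklist", delim=":")
    print(rows, rejected)
```

A non-empty rejected list means the chosen regular expression or Fields value does not fit the feed's line format.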
Add a TAXII feed
Add threat intelligence provided as a TAXII feed to Splunk Enterprise Security.
Prerequisite
Determine whether the TAXII feed requires certificate authentication. If it does, add the certificate and keys to the same app directory in which you define the TAXII feed. For example, DA-ESS-ThreatIntelligence.
You need file system access to add the certificates needed for certificate authentication. In a Splunk Cloud deployment, work with Splunk Support to add or change files on cloud-based nodes.
- Add the certificate to the $SPLUNK_HOME/etc/apps/<app_name>/auth directory.
- Add the private key for the certificate to the same /auth directory.
- Follow the steps for adding a TAXII feed to Splunk Enterprise Security, using the cert_file and key_file POST arguments to specify the file names of the certificate and private key file.
Steps
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
- Click New to add a new TAXII feed.
- Type a Name for the threat intelligence feed.
- Type a Type of taxii.
- Type a Description for the threat intelligence feed.
- Type a URL to use to download the TAXII feed.
- (Optional) Change the default Weight for the threat intelligence feed. Increase the weight if the threats on the threat feed are high-confidence and malicious threats that should increase the risk score for assets and identities that interact with the indicators from the threat source.
- (Optional) Adjust the interval at which to download the threat intelligence. Defaults to 43200 seconds, or twice a day.
- Type TAXII-specific space-delimited POST arguments for the threat intelligence feed, in the format <POST argument>="<POST argument value>".
  - collection: Name of the data collection from a TAXII feed. Example: collection="A_TAXII_Feed_Name"
  - earliest: The earliest threat data to pull from the TAXII feed. Example: earliest="-1y"
  - taxii_username: An optional method to provide a TAXII feed username. Example: taxii_username="user"
  - taxii_password: An optional method to provide a TAXII feed password. If you provide a username without providing a password, the threat intelligence modular input attempts to find the password in Credential Management. Example: taxii_password="password"
  - cert_file: Add the certificate file name if the TAXII feed uses certificate authentication. The file name must match exactly and is case sensitive. Example: cert_file="cert.crt"
  - key_file: Add the key file name for the certificate if the TAXII feed uses certificate authentication. The file name must match exactly and is case sensitive. Example: key_file="cert.key"
- TAXII feeds do not use the Maximum age setting.
- TAXII feeds do not use the User agent setting.
- TAXII feeds do not use the Parsing Options settings.
- (Optional) Change the Download Options.
- (Optional) Change the Proxy Options. See Configure a proxy for retrieving threat intelligence.
- Save the changes.
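A pre-flight check for the TAXII POST arguments and the certificate files in the app's auth directory, as an added example that is not part of Splunk Enterprise Security. The function names are hypothetical, and the key-permission check is an added hardening check that the documentation does not require.

```python
import os
import shlex

def parse_post_args(post_args):
    """Split space-delimited <argument>="<value>" pairs into a dict."""
    parsed = {}
    for token in shlex.split(post_args):
        key, sep, value = token.partition("=")
        if not (key and sep):
            raise ValueError(f'not in <argument>="<value>" form: {token}')
        parsed[key] = value
    return parsed

def check_taxii_post_args(post_args, auth_dir):
    """Return findings as strings; an empty list means every check passed."""
    args, findings = parse_post_args(post_args), []
    cert, key = args.get("cert_file"), args.get("key_file")
    if bool(cert) != bool(key):
        findings.append("cert_file and key_file must be given together")
    # Compare against the directory listing so the match is case sensitive
    # even on a case-insensitive file system.
    present = os.listdir(auth_dir) if os.path.isdir(auth_dir) else []
    for label, name in (("cert_file", cert), ("key_file", key)):
        if not name or name in present:
            continue
        near = [f for f in present if f.lower() == name.lower()]
        hint = f"; found {near[0]}, but the name is case sensitive" if near else ""
        findings.append(f"{label}={name} is not in {auth_dir}{hint}")
    if key in present and os.stat(os.path.join(auth_dir, key)).st_mode & 0o077:
        # Added hardening check, not a requirement stated in the documentation.
        findings.append(f"private key {key} is accessible to group or other users")
    if "taxii_password" in args:
        findings.append("taxii_password is set inline; omit it so the input "
                        "looks the password up in Credential Management")
    return findings

if __name__ == "__main__":
    # Constructed arguments; pass the real $SPLUNK_HOME/etc/apps/<app_name>/auth path.
    demo = 'collection="A_TAXII_Feed_Name" earliest="-1y" cert_file="cert.crt"'
    for finding in check_taxii_post_args(demo, "auth"):
        print(finding)
```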
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4