This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Verify that you have added threat intelligence successfully to Splunk Enterprise Security

After you add a new threat intelligence source or configure one of the included sources, verify that the threat intelligence is being parsed successfully and that threat indicators are being added to the threat intelligence KV Store collections. The modular input responsible for parsing threat intelligence runs every 60 seconds, so allow at least a minute after saving a source before checking for results.

Verify that the threat intelligence source is being downloaded

This verification procedure is relevant only for URL-based sources and TAXII feeds.

  1. From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
  2. Find the threat intelligence source and confirm that the download_status column states threat list downloaded.
  3. Review the Threat Intelligence Audit Events to see if there are errors associated with the lookup name.

If the download fails, attempt the download directly from a terminal on the Splunk server that runs Enterprise Security, using curl or wget. If the threat intelligence source can be downloaded successfully with one of these utilities but is not being downloaded successfully in Splunk Enterprise Security, ask your system administrator whether a proxy or other network security control in your environment filters on the User-Agent header; if so, you need to specify a custom user-agent string for the source. See step 10 in Add a URL-based threat source.
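The following script reproduces the manual check described above in a form that can be kept on the search head and pointed at any feed URL: it fetches the URL once with the default User-Agent and once with a custom one, reports the HTTP status and the number of indicator-looking lines for each, and flags the case where only the custom User-Agent succeeds. It is an added example, not part of this documentation or of Splunk Enterprise Security. The feed body, the allowed User-Agent string and the local User-Agent-filtering HTTP server are all constructed stand-ins for a real feed and a real network control, so the example runs offline.

```python
"""Check whether a threat feed URL is reachable from the Splunk server, with and
without a custom User-Agent header.

Added example, not Splunk code. The sample feed, the allowed User-Agent and the
local filtering server are constructed for illustration only.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample feed body standing in for a real threat list download.
SAMPLE_FEED = b"# constructed sample threat list\n203.0.113.10\n198.51.100.7\n"

# Hypothetical User-Agent that the constructed network control allows through.
ALLOWED_UA = "Splunk-ES-ThreatIntel/1.0"


def fetch_feed(url, user_agent=None, timeout=10):
    """Download a feed URL and return (http_status, body_bytes).

    A non-2xx response is returned as its status code rather than raised, so the
    caller can compare the default-UA and custom-UA outcomes side by side.
    """
    headers = {"User-Agent": user_agent} if user_agent else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def count_indicators(body):
    """Count lines that look like indicators: non-empty, not a '#' comment and
    not HTML. Treating HTML-looking lines as non-indicators means a proxy block
    page returned with HTTP 200 shows up as zero indicators instead of one."""
    count = 0
    for line in body.decode("utf-8", "replace").splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", "<")):
            count += 1
    return count


class _UaFilteringHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a proxy that rejects unknown User-Agents."""

    def do_GET(self):
        if self.headers.get("User-Agent") != ALLOWED_UA:
            body = b"<html>blocked by policy</html>"
            self.send_response(403)
        else:
            body = SAMPLE_FEED
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_filtering_server():
    """Start the constructed filtering server on a free localhost port and
    return (server, feed_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _UaFilteringHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/feed.txt" % server.server_port


def diagnose(url, custom_ua=ALLOWED_UA):
    """Run the manual check: default User-Agent first, then the custom one.

    Returns a dict with (status, indicator_count) per attempt and a flag that is
    True only when the custom User-Agent is what makes the download succeed.
    """
    default_status, default_body = fetch_feed(url)
    custom_status, custom_body = fetch_feed(url, custom_ua)
    return {
        "default_ua": (default_status, count_indicators(default_body)),
        "custom_ua": (custom_status, count_indicators(custom_body)),
        "needs_custom_ua": default_status != 200 and custom_status == 200,
    }


if __name__ == "__main__":
    server, url = start_filtering_server()
    try:
        print(diagnose(url))
    finally:
        server.shutdown()
```

To use this against a real feed, replace the local URL with the source's URL and pass the candidate user-agent string as custom_ua; a result with needs_custom_ua set to True is the evidence to bring to your administrator before changing the source configuration. A download that returns HTTP 200 with zero indicators usually means an intercepting proxy served a block page rather than the feed.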

Verify that threat indicators exist in the threat collections

Verify that the threat intelligence was successfully parsed and threat indicators exist in the threat collections.

  1. Select Security Intelligence > Threat Intelligence > Threat Artifacts.
  2. Search for the threat source name in the Intel Source ID field.
  3. Confirm that threat indicators exist for the threat source.

Troubleshoot parsing errors

Review the following log files to troubleshoot errors that can occur when Enterprise Security downloads, parses, or processes threat intelligence sources.

Problem: Issues related to downloading threat intelligence sources.
Suggestion: Look at the Threat Intelligence Audit Events panel on the Threat Intelligence Audit dashboard. Look for events from the threatlist.log file with the threatintel:download sourcetype.

Problem: Issues related to parsing or processing.
Suggestion: Look at the Threat Intelligence Audit Events panel on the Threat Intelligence Audit dashboard. Look for events from the threat_intelligence_manager.log file with the threatintel:manager sourcetype.

Problem: Errors when uploading a file.
Suggestion: Review the threat_intel_file_upload_rest_handler.log file.

Problem: Other parsing errors.
Suggestion: Verify that the modular inputs are running as expected. See python_modular_input.log for errors associated with modular input failures.
Last modified on 25 August, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
