Verify that you have added threat intelligence successfully to Splunk Enterprise Security
After you add new or configure included threat intelligence sources, verify that the threat intelligence is being parsed successfully and that threat indicators are being added to the threat intelligence KV Store collections. The modular input responsible for parsing threat intelligence runs every 60 seconds.
Verify that the threat intelligence source is being downloaded
This verification procedure is relevant only for URL-based sources and TAXII feeds.
- From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
- Find the threat intelligence source and confirm that the download_status column states threat list downloaded.
- Review the Threat Intelligence Audit Events to see if there are errors associated with the lookup name.
If the download fails, attempt the download directly from the terminal of the Splunk server using a curl or wget utility. If the threat intelligence source can be successfully downloaded using one of these utilities, but is not being downloaded successfully in Splunk Enterprise Security, ask your system administrator whether you need to specify a custom user-agent string to bypass network security controls in your environment. See step 10 in Add a URL-based threat source.
Verify that threat indicators exist in the threat collections
Verify that the threat intelligence was successfully parsed and threat indicators exist in the threat collections.
- Select Security Intelligence > Threat Intelligence > Threat Artifacts.
- Search for the threat source name in the Intel Source ID field.
- Confirm that threat indicators exist for the threat source.
Troubleshoot parsing errors
Review the following log files to troubleshoot errors that can occur when parsing threat intelligence sources in order to add them to Enterprise Security.
|Issues related to downloading threat intelligence sources.||Look at the Threat Intelligence Audit Events panel on the Threat Intelligence Audit dashboard. Look for events from the |
|Issues related to parsing or processing.||Look at the Threat Intelligence Audit Events panel on the Threat Intelligence Audit dashboard. Look for events from the |
|Errors result from uploading a file.||Review the |
|Other parsing errors.|| Verify that the modular inputs are running as expected. See |
Add threat intelligence with a custom lookup file in Splunk Enterprise Security
Change existing threat intelligence in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6