Splunk® Enterprise Security

Administer Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Add threat intelligence with a custom lookup file in Splunk Enterprise Security

You can add threat intelligence to Splunk Enterprise Security as a custom lookup file. A lookup-based threat source can add data to any of the supported threat intelligence types, such as file or IP intelligence. See Supported types of threat intelligence in Splunk Enterprise Security.

Prerequisite

Steps

Based on the type of intelligence you add to Splunk Enterprise Security and the required headers, create a CSV file.

  1. Create a .csv file with a header row with the required fields.
  2. Add the threat data to the .csv file.

After you create the lookup file, you must add it to Splunk Enterprise Security.

  1. On the Splunk platform menu bar, select Settings > Lookups
  2. Next to Lookup table files, click Add New.
  3. Select a Destination App of SA-ThreatIntelligence.
  4. Upload the .csv file you created.
  5. Type a Destination filename for the file. For example, threatindicatorszerodayattack.csv.
  6. Save.

After adding the threat intel lookup to Enterprise Security, set appropriate permissions so Enterprise Security can use the file.

  1. Open Lookup table files.
  2. Find the lookup file that you added and select Permissions.
  3. Select All apps for the Object should appear in field.
  4. Select Read access for Everyone.
  5. Select Write access for admin.
  6. Save.

Define the lookup so that Splunk ES can import it and understand what type of intelligence you are adding.

  1. On the Splunk platform menu bar, select Settings > Lookups.
  2. Next to Lookup definitions, click Add New.
  3. Select a Destination App of SA-ThreatIntelligence.
  4. Type a name for the threat source. The name you enter here is used to define the threatlist in the input stanza. For example, zero_day_attack_threat_indicators_list.
  5. Select a Type: of File based.
  6. Select the Lookup File: that you added in step one. For example, threatindicatorszerodayattack.csv.
  7. Save.

Set permissions on the lookup definition so that the lookup functions properly.

  1. Open Lookup definitions
  2. Find the definition you added in step four and select Permissions.
  3. Set Object should appear in to All apps.
  4. Set Read access for Everyone.
  5. Set Write access for admin.
  6. Save.

Add a threat source input stanza that corresponds to the lookup file so that ES knows where to find the new threat intelligence.

  1. Select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Choose a threat source input that matches your new content. For example, local_file_intel.
  3. Click Clone in the Actions column.
  4. Type a Name. The name cannot include spaces. For example, zero_day_attack_threat_indicators.
  5. Type a Type. For example, zero_day_IOCs
  6. Type a Description. For example, File-based threat indicators from zero day malware.
  7. Type a URL that references the lookup definition you created in step three. lookup://zero_day_attack_threat_indicators_list.
  8. (Optional) Change the default Weight for the threat data.
  9. (Optional) Change the default Retry interval for the lookup.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

PREVIOUS
Add and maintain threat intelligence locally in Splunk Enterprise Security
  NEXT
Verify that you have added threat intelligence successfully to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters