Configure the threat intelligence sources included with Splunk Enterprise Security

Splunk Enterprise Security includes several threat intelligence sources that retrieve information across the Internet.

Some of these threat intelligence sources are enabled by default.

Prerequisites

Your Splunk Enterprise deployment must be connected to the Internet. If your deployment is not connected to the Internet, disable these threat sources or source them in an alternate way.
To set up firewall rules for these threat sources, you might want to use a proxy server to collect the threat intelligence before forwarding it to Splunk Enterprise Security and allow the IP address for the proxy server to access Splunk Enterprise Security. The IP addresses for these threat sources can change.

Steps

From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
Review the Description field for all defined threat intelligence sources to learn more about the types of indicators that can be correlated with your events.
Enable or disable the threat intelligence sources that fit your security use cases.
Configure the enabled threat intelligence sources that fit your security use cases, using the links to the threat source websites in the table to review the threat source provider's documentation. Each threat source website provides suggestions for polling intervals and other configuration requirements separate from Splunk Enterprise Security.

Threat source	Threat list provider	Website about the threat source
Emerging Threats compromised IPs blocklist	Emerging Threats	http://rules.emergingthreats.net/blockrules
Emerging Threats firewall IP rules	Emerging Threats	http://rules.emergingthreats.net/fwrules
Malware domain host list	Hail a TAXII.com	http://hailataxii.com
iblocklist Logmein	I-Blocklist	https://www.iblocklist.com/lists
iblocklist Piratebay	I-Blocklist	https://www.iblocklist.com/lists
iblocklist Proxy	I-Blocklist	https://www.iblocklist.com/lists
iblocklist Rapidshare	I-Blocklist	https://www.iblocklist.com/lists
iblocklist Spyware	I-Blocklist	https://www.iblocklist.com/lists
iblocklist Tor	I-Blocklist	https://www.iblocklist.com/lists
iblocklist Web attacker	I-Blocklist	https://www.iblocklist.com/lists
Malware Domain Blocklist	Malware Domains	http://mirror1.malwaredomains.com
Phishtank Database	Phishtank	https://www.phishtank.com/
SANS blocklist	SANS	https://isc.sans.edu
abuse.ch ZeuS blocklist (bad IPs only)	abuse.ch	https://zeustracker.abuse.ch
abuse.ch ZeuS blocklist (standard)	abuse.ch	https://zeustracker.abuse.ch

Splunk Enterprise Security expects all threat intelligence feeds to send properly-formatted data and valuable threat intelligence information. Feed providers are responsible for malformed data or false positives that could be identified in your environment as a result.

Some lists included in Splunk Enterprise Security are not added to the threat intelligence collections and are instead used to enrich data in Enterprise Security.

Data list	Data provider	Website for data provider
Alexa Top 1 Million Sites	Alexa Internet	http://www.alexa.com/topsites
Mozilla Public Suffix List	Mozilla	https://publicsuffix.org
ICANN Top-level Domains List	IANA	http://www.iana.org/domains/root/db

If you determine that your Splunk Enterprise Security installation is retrieving data from unexpected IP addresses, perform a WHOIS or nslookup to determine if the IP address matches that of one of the threat sources configured in your environment.

Next step

To add a custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

Related answers from Splunk Community

Configure the threat intelligence sources included with Splunk Enterprise Security

Comments

Was this topic useful?