Verify that you have added threat intelligence successfully to Splunk Enterprise Security
After you add new or configure included threat intelligence sources, verify that the threat intelligence is being parsed successfully and that threat indicators are being added to the threat intelligence KV Store collections. The modular input responsible for parsing threat intelligence runs every 60 seconds.
Verify that the threat intelligence source is being downloaded
This verification procedure is relevant only for URL-based sources and TAXII feeds.
- From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
- Find the threat intelligence source and confirm that the download_status column states threat list downloaded.
- Review the Threat Intelligence Audit Events to see if there are errors associated with the lookup name.
If the download fails, attempt the download directly from the terminal of the Splunk server using a curl or wget utility. If the threat intelligence source can be successfully downloaded using one of these utilities, but is not being downloaded successfully in Splunk Enterprise Security, ask your system administrator whether you need to specify a custom user-agent string to bypass network security controls in your environment. See step 10 in Add a URL-based threat source.
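The terminal check described above, as an added example that is not part of the Splunk documentation: it repeats the download with curl (optionally with a custom User-Agent string) and counts the usable indicator lines in the result. It assumes curl is installed on the Splunk server and that the source is a plain-text list with one indicator per line and `#` comment lines; adjust count_indicators for other formats.

```shell
#!/bin/sh
# Added example (not from the Splunk docs): reproduce the download that the
# threat intelligence modular input performs, from the Splunk server's own
# terminal, so a failing source can be diagnosed outside of Splunk.
# Assumptions: curl is installed; the source is a plain-text list with one
# indicator per line and '#' comment lines (adjust count_indicators if not).

# Count usable indicator lines in a downloaded list: strip CR from Windows
# line endings, then skip blank lines and '#' comments.
count_indicators() {
    tr -d '\r' < "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { n++ }
        END { print n + 0 }'
}

# Download the list the way ES would, optionally with a custom User-Agent
# (the string some environments require per the step above). Prints the
# HTTP status, the indicator count and the saved file; returns non-zero
# when the server did not answer 200, so the caller can branch on it.
# usage: fetch_threat_source URL [USER_AGENT] [OUTPUT_FILE]
fetch_threat_source() {
    url=$1
    ua=${2:-}
    out=${3:-$(mktemp)}
    if [ -n "$ua" ]; then
        code=$(curl -sS -L -A "$ua" -o "$out" -w '%{http_code}' "$url")
    else
        code=$(curl -sS -L -o "$out" -w '%{http_code}' "$url")
    fi
    echo "http_status=$code indicators=$(count_indicators "$out") file=$out"
    [ "$code" = 200 ]
}
```

If the HTTP status is 200 and the indicator count is non-zero here but the Threat Intelligence Audit dashboard still shows a download failure, the difference is usually a proxy or user-agent requirement that only applies to the Splunk process.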
Verify that threat indicators exist in the threat collections
Verify that the threat intelligence was successfully parsed and threat indicators exist in the threat collections.
- Select Security Intelligence > Threat Intelligence > Threat Artifacts.
- Search for the threat source name in the Intel Source ID field.
- Confirm that threat indicators exist for the threat source.
Troubleshoot parsing errors
Review the following log files to troubleshoot errors that can occur when parsing threat intelligence sources in order to add them to Enterprise Security.
Problem | Suggestion
---|---
Issues related to downloading threat intelligence sources. | Look at the Threat Intelligence Audit Events panel on the Threat Intelligence Audit dashboard. Look for events from the threatlist.log file with the threatintel:download sourcetype.
Issues related to parsing or processing. | Look at the Threat Intelligence Audit Events panel on the Threat Intelligence Audit dashboard. Look for events from the threat_intelligence_manager.log file with the threatintel:manager sourcetype.
Errors that result from uploading a file. | Review the threat_intel_file_upload_rest_handler.log file.
Other parsing errors. | Verify that the modular inputs are running as expected. See python_modular_input.log for errors associated with modular input failures.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6