Add threat intelligence with a custom lookup file in Splunk Enterprise Security

You can add threat intelligence to Splunk Enterprise Security as a custom lookup file. A lookup-based threat source can add data to any of the supported threat intelligence types, such as file or IP intelligence. See Supported types of threat intelligence in Splunk Enterprise Security.

Prerequisite

• Identify whether the custom threat source is certificate, domain, email, file, HTTP, IP, process, registry, service, or user intelligence.
• Identify the headers for the CSV file that correspond to the type of threat intelligence that you want to add by reviewing the Supported types of threat intelligence in Splunk Enterprise Security.

Steps

Based on the type of intelligence you add to Splunk Enterprise Security and the required headers, create a CSV file.

1. Create a .csv file with a header row with the required fields.
2. Add the threat data to the .csv file.

After you create the lookup file, you must add it to Splunk Enterprise Security.

1. On the Splunk platform menu bar, select Settings > Lookups
2. Next to Lookup table files, click Add New.
3. Select a Destination App of SA-ThreatIntelligence.
4. Upload the .csv file you created.
5. Type a Destination filename for the file. For example, threatindicatorszerodayattack.csv.
6. Save.

After adding the threat intel lookup to Enterprise Security, set appropriate permissions so Enterprise Security can use the file.

1. Open Lookup table files.
2. Find the lookup file that you added and select Permissions.
3. Select All apps for the Object should appear in field.
4. Select Read access for Everyone.
5. Select Write access for admin.
6. Save.

Define the lookup so that Splunk ES can import it and understand what type of intelligence you are adding.

1. On the Splunk platform menu bar, select Settings > Lookups.
2. Next to Lookup definitions, click Add New.
3. Select a Destination App of SA-ThreatIntelligence.
4. Type a name for the threat source. The name you enter here is used to define the threatlist in the input stanza. For example, zero_day_attack_threat_indicators_list.
5. Select a Type: of File based.
6. Select the Lookup File: that you added in step one. For example, threatindicatorszerodayattack.csv.
7. Save.

Set permissions on the lookup definition so that the lookup functions properly.

1. Open Lookup definitions
2. Find the definition you added in step four and select Permissions.
3. Set Object should appear in to All apps.
4. Set Read access for Everyone.
5. Set Write access for admin.
6. Save.

Add a threat source input stanza that corresponds to the lookup file so that ES knows where to find the new threat intelligence.

1. Select Configure > Data Enrichment > Threat Intelligence Downloads.
2. Choose a threat source input that matches your new content. For example, local_file_intel.
3. Click Clone in the Actions column.
4. Type a Name. The name cannot include spaces. For example, zero_day_attack_threat_indicators.
5. Type a Type. For example, zero_day_IOCs
6. Type a Description. For example, File-based threat indicators from zero day malware.
7. Type a URL that references the lookup definition you created in step three. lookup://zero_day_attack_threat_indicators_list.
8. (Optional) Change the default Weight for the threat data.
9. (Optional) Change the default Retry interval for the lookup.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.