Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. Click here for the latest version.
Acrobat logo Download topic as PDF

Example: Add a ransomware threat feed to Splunk Enterprise Security

This example describes how to add a list of blocked domains that could host ransomware to Splunk Enterprise Security to better prepare your organization for a ransomware attack. Replace the feed used in this example with a feed of your choice.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
  2. Click New to add a new threat intelligence source.
  3. Type a Name of ransomware_tracker to describe the threat download source.
  4. Type a Type of domain to identify the type of threat intelligence contained in the threat source.
  5. Type a Description of Blocked domains that could host ransomware.
  6. Type a URL of https://v.firebog.net/hosts/Shalla-mal.txt.
  7. (Optional) Change the default Weight of 1 to 2 because ransomware is a severe threat and you want an extra risk score multiplier for assets or identities associated with blocked ransomware domains.
  8. Leave the default Interval of 43200 seconds, or every 12 hours.
  9. Leave the POST arguments field blank because this type of feed does not accept POST arguments.
  10. Decide whether to define a Maximum age for the threat intelligence. According to the ransomware tracker website, items on the blocklist stay on the blocklist for 30 days. To drop items off the blocklist in Enterprise Security sooner than that, set a maximum age of less than 30 days. Type a maximum age of -7d.
  11. Determine whether you need to specify a User agent string due to security controls in your environment. If not, leave this field blank.
  12. Type a default Delimiting regular expression of : so that you can enrich the threat indicators by adding fields.
  13. Leave the Extracting regular expression field blank because the domain names do not need to be extracted because they are line-delimited.
  14. Type Fields of domain:$1,description:ransomware_domain_blocklist to define the fields in this blocklist.
  15. (Optional) Leave the default Ignoring regular expressions field.
  16. Change the Skip header lines field to 0 because the ignoring regular expression ignores the comments at the top of the feed.
  17. Leave the Retry interval at the default of 60 seconds.
  18. (Optional) Leave the Remote site user and Remote site user realm fields blank because this feed does not require any form of authentication.
  19. Leave the Retries field at the default of 3.
  20. Leave the Timeout field at the default of 30 seconds.
  21. Ignore the Proxy Options section unless you are using a proxy server to add threat intelligence to Splunk Enterprise Security.
  22. Click Save.
  23. From the Splunk platform menu bar, select Apps > Enterprise Security to return to Splunk Enterprise Security.
  24. From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
  25. Fiind the ransomware_tracker stanza in the Threat Intelligence Downloads panel and verify that the status is threat list downloaded.
  26. From the Enterprise Security menu bar, select Security Intelligence > Threat Intelligence > Threat Artifacts.
  27. Type an Intel Source ID of ransomware_tracker to search for domains added to Splunk Enterprise Security from the new threat feed.
  28. Click Submit to search.
  29. Click the Network tab and review the Domain Intelligence panel to verify that threat intelligence from the ransomware_tracker threat source appears.
Last modified on 06 November, 2020
Change existing intelligence in Splunk Enterprise Security
Add intelligence to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters