Example: Add a ransomware threat feed to Splunk Enterprise Security
This example describes how to add a list of blocked domains that could host ransomware to Splunk Enterprise Security to better prepare your organization for a ransomware attack. The feed used in this example is from abuse.ch.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
- Click New to add a new threat intelligence source.
- Type a Name of ransomware_tracker to describe the threat download source.
- Type a Type of domain to identify the type of threat intelligence contained in the threat source.
- Type a Description of Blocked domains that could host ransomware.
- Type a URL of
- (Optional) Change the default Weight of 1 to 2 because ransomware is a severe threat and you want an extra risk score multiplier for assets or identities associated with blocked ransomware domains.
- Leave the default Interval of 43200 seconds, or every 12 hours.
- Leave the POST arguments field blank because this type of feed does not accept POST arguments.
- Decide whether to define a Maximum age for the threat intelligence. According to the ransomware tracker website, items on the blocklist stay on the blocklist for 30 days. To drop items off the blocklist in Enterprise Security sooner than that, set a maximum age of less than 30 days. Type a maximum age of
- Determine whether you need to specify a User agent string due to security controls in your environment. If not, leave this field blank.
- Type a default Delimiting regular expression of
:so that you can enrich the threat indicators by adding fields.
- Leave the Extracting regular expression field blank because the domain names do not need to be extracted because they are line-delimited.
- Type Fields of
domain:$1,description:ransomware_domain_blocklistto define the fields in this blocklist.
- (Optional) Leave the default Ignoring regular expressions field.
- Change the Skip header lines field to 0 because the ignoring regular expression ignores the comments at the top of the feed.
- Leave the Retry interval at the default of 60 seconds.
- (Optional) Leave the Remote site user and Remote site user realm fields blank because this feed does not require any form of authentication.
- Leave the Retries field at the default of 3.
- Leave the Timeout field at the default of 30 seconds.
- Ignore the Proxy Options section unless you are using a proxy server to add threat intelligence to Splunk Enterprise Security.
- Click Save.
- From the Splunk platform menu bar, select Apps > Enterprise Security to return to Splunk Enterprise Security.
- From the Enterprise Security menu bar, select Audit > Threat Intelligence Audit.
- Fiind the ransomware_tracker stanza in the Threat Intelligence Downloads panel and verify that the status is threat list downloaded.
- From the Enterprise Security menu bar, select Security Intelligence > Threat Intelligence > Threat Artifacts.
- Type an Intel Source ID of ransomware_tracker to search for domains added to Splunk Enterprise Security from the new threat feed.
- Click Submit to search.
- Click the Network tab and review the Domain Intelligence panel to verify that threat intelligence from the
ransomware_trackerthreat source appears.
Change existing intelligence in Splunk Enterprise Security
Add intelligence to Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0