Use generic intelligence in search with inputintelligence
After you add generic intelligence to Splunk Enterprise Security, you can use the inputintelligence
command to make use of the intelligence. See Add generic intelligence to Splunk Enterprise Security.
The inputintelligence
command cannot be used with threat intelligence sources.
Description
Use the inputintelligence
command to add intelligence from the threatlist directory to your search results. When downloaded, generic intelligence is parsed and stored in the $SPLUNK_DB/modinputs/threatlist
directory.
Run the inputintelligence
command on the search head where the input is configured within a search head cluster environment. Searches may fail if you run the inputintelligence
command on search peers in a search head cluster.
Syntax
| inputintelligence <threatlist_stanza_name> [fields=<string>] [delim_regex=<string>] [extract_regex=<string>] [ignore_regex=<string>] [skip_header_lines=<int>] [include_raw=<bool>] [append=<bool>] [no_parse=<bool>]
Required arguments
threatlist_stanza_name
- Syntax: <string>
- Description: The stanza of the intelligence download. Matches the Name field on the Intelligence Downloads page. You cannot have mutiple stanzas in in one search. Instead, you can combine multiple
inputintelligence
commands together and append the results with theappend=1
argument. See Download an intelligence feed from the Internet in Splunk Enterprise Security.
Optional arguments
fields
- Syntax: <string>
- Description: Overrides the default fields setting for the intelligence download defined in the Intelligence Download page. Required if your document is line-delimited. Comma-separated list of fields to be extracted from the intelligence list. Can also be used to rename or combine fields. Description is a required field. Additional acceptable fields are the fields in the corresponding KV Store collection for the threat intelligence, visible in the local lookup files or the
DA-ESS-ThreatIntelligence/collections.conf
configuration file. No default value. If there is no value specified, thefields
argument is parsed from the header of the CSV file. The list of fields can have any name and are not required to map to KV Store collections in theDA-ESS-ThreatIntelligence/collections.conf
configuration file.
delim_regex
- Syntax: <string>
- Description: Overrides the default delimiting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression string used to split, or delimit, lines in an intelligence source. For complex delimiters, use an extracting regular expression.
extract_regex
- Syntax: <string>
- Description: Overrides the default extracting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to extract fields from individual lines of an intelligence source document. Use to extract values in the intelligence source.
ignore_regex
- Syntax: <string>
- Description: Overrides the default ignore regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to ignore lines in an intelligence source. Defaults to ignoring blank lines and comments that begin with #.
skip_header_lines
- Syntax: <int>
- Description: Overrides the default skip header lines setting for the intelligence download defined in the Intelligence Download page. The number of header lines to skip when processing the intelligence source.
- Default: 0
include_raw
- Syntax: <bool>
- Description: If 1, t, or true, adds the original line content to an additional column called raw.
- Default: 0
append
- Syntax: <bool>
- Description: If 1, t, or true, appends the results of the
inputintelligence
command to an existing set of search results instead of replacing it. - Default: 0
no_parse
- Syntax: <bool>
- Description: If 1, t, or true all other options are ignored and the raw contents of the intelligence file is returned one line per row.
- Default: 0
Usage
The inputintelligence
command is a transforming command.
Examples
1. View the top one million sites
View the top one million sites according to Cisco.
| inputintelligence cisco_top_one_million_sites
2. Further examples
See Example: Add a generic intelligence source to Splunk Enterprise Security.
See also
Download an intelligence feed from the Internet in Splunk Enterprise Security | Example: Add a generic intelligence source to Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!