Download threat intelligence data from intelligence feed REST APIs to Splunk Enterprise Security
In a Splunk Cloud Platform environment, all threat intelligence downloads (including taxii feeds) must contain URLs with the https://
protocol. URLs that do not use the https://
protocol are blocked in the Splunk Cloud Platform environment, which impacts downloading threat intelligence feeds. Additionally, the default threat intelligence feed called hailataxii_malware
that uses a URL with the http://
protocol, http://hailataxii.com/taxii-data
does not work in a Splunk Cloud Platform environment even if the URL is updated to use https://
.
Splunk Enterprise Security can periodically download a threat intelligence feed available from the Internet, parse it, and add it to the relevant KV Store collections.
- Follow the procedure that matches the format of the threat source:
If you manually turn off a threat artifact in a collection, but the threat intelligence source provides the same indicator in a download again, then the entry in KVStore gets overwritten, and does not preserve your flag.
Configure a proxy for retrieving threat intelligence
If you use a proxy server to send threat intelligence to Splunk Enterprise Security, configure the proxy options for the threat source.
The user must correspond to the name of a Splunk secure stored credential in Credential Management. If you remove an existing proxy user and password in the Intelligence Download Setting editor, the download process no longer references the stored credentials. Removing the reference to the credential does not delete the stored credentials from Credential Management. See Manage credentials in Splunk Enterprise Security.
For more information on configuring proxy server settings, see Configure proxy server settings.
Add a URL-based threat source
Add a non-TAXII source of intelligence that is available from a URL on the Internet.
- On the Enterprise Security menu bar, select Configure > Data Enrichment >Threat Intelligence Management.
- Click New to add a new intelligence source.
- Type a Name for the threat download. The name can only contain alphanumeric characters, hyphens, and underscores. The name cannot contain spaces.
- Select or deselect the check box for Is Threat Intelligence.
- (Optional) Select or deselect the check box for Sinkhole. Select the check box to delete the downloaded file after processing.
- Type a Type for the threat download. The type identifies the type of threat indicator that the feed contains.
- Type a Description. Describe the indicators in the threat feed.
- Type an integer to use as the Weight for the threat indicators. Enterprise Security uses the weight of a threat feed to calculate the risk score of an asset or identity associated with an indicator on the threat feed. A higher weight indicates an increased relevance or an increased risk to your environment.
- (Optional) Change the default download Interval for the threat feed. Defaults to 43200 seconds, or every 12 hours.
- (Optional) Type POST arguments for the threat feed. You can use POST arguments to retrieve user credentials from Credential Management. Use the format
key=$user:<username>$
orkey=$user:<username>,realm:<realm>$
to specify a username and realm. - (Optional) Type a Maximum age to define the retention period for this threat source, defined in relative time. Turn on the corresponding saved searches for this setting to take effect. See Configure threat source retention.
For example,-7d
. If the time that the feed was last updated is greater than the maximum age defined with this setting, the threat intelligence modular input removes the data from the threat collection. - (Optional) If you need to specify a custom User agent string to bypass network security controls in your environment, type it in the format
<user-agent>/<version>
. For example,Mozilla/5.0
orAppleWebKit/602.3.12
. The value in this field must match this regex:([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)
. Check with your security device administrator to ensure the string you type here is accepted by your network security controls. - Fill out the Parsing Options fields to make sure that your threat list parses successfully. You must fill out either a delimiting regular expression or an extracting regular expression. You cannot leave both fields blank.
Field Description Example Delimiting regular expression A regular expression string used to split, or delimit, lines in an intelligence source. For complex delimiters, use an extracting regular expression. ,
or:
or\t
Extracting regular expression A regular expression used to extract fields from individual lines of a threat source document. The value of the extracting regular expression must be paired with the Fields value because the regular expression extracts fields based on regex groups, not matches. For more information on regex groups, see https://regexone.com/lesson/capturing_groups. ^(\S+)\t+(\S+)\t+\S+\t+\S+\t*(\S*)
Fields Required if your document is line-delimited. Comma-separated list of fields to be extracted from the threat list. Can also be used to rename or combine fields. Description is a required field. Additional acceptable fields are the fields in the corresponding KV Store collection for the threat intelligence, visible in the local lookup files or the DA-ESS-ThreatIntelligence/collections.conf
file. Defaults todescription:$1,ip:$2
.<fieldname>:$<number>,<field name>.$<number>
ip:$1,description:domain_blocklist
Ignoring regular expression A regular expression used to ignore lines in a threat source. Defaults to ignoring blank lines and comments beginning with #. ^\s*$)
Skip header lines The number of header lines to skip when processing the threat source. 0
Intelligence file encoding If the file encoding is something other than ASCII or UTF8, specify the encoding here. Leave blank otherwise. latin1 - (Optional) Change the Download Options fields to make sure that your threat list downloads successfully.
Field Description Example Retry interval Number of seconds to wait between download retry attempts. Review the recommended poll interval of the threat source provider before changing the retry interval. 60 Remote site user If the threat feed requires authentication, type the user name to use in remote authentication, if required. The user name you add in this field must match the name of a credential in Credential Management. See Manage input credentials in Splunk Enterprise Security. buttercup Remote site user realm If the threat feed requires authentication, type the user name to use in remote authentication, if required. The realm you add in this field must match the realm of a credential in Credential Management. See Manage input credentials in Splunk Enterprise Security. paddock Retries The maximum number of retry attempts. 3 Timeout Number of seconds to wait before marking a download attempt as failed. 30 - (Optional) If you are using a proxy server, fill out the Proxy Options for the threat feed. See Configure a proxy for retrieving threat intelligence.
- Save your changes.
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
Add a TAXII feed
Add threat intelligence provided as a TAXII feed to Splunk Enterprise Security.
Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
Prerequisite
Determine whether the TAXII feed requires certificate authentication. If it does, add the certificate and keys to the same app directory in which you define the TAXII feed. For example, DA-ESS-ThreatIntelligence.
- Follow the steps to add a new certificate to Splunk Enterprise Security to add both the certificate and the private key files. See Manage credentials in Splunk Enterprise Security.
- Follow the steps for adding a TAXII feed to Splunk Enterprise Security, using the
cert_file
andkey_file
POST arguments to specify the file names of the certificate and private key file.
Steps
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
- Click New to add a new TAXII feed.
- Type a Name for the threat intelligence feed.
- Type a Description and URL for the threat intelligence field.
- Verify that the check box for Is Threat Intelligence is selected.
- (Optional) Select or deselect the check box for Sinkhole. Select the check box to delete the downloaded file after processing. The sinkhole option works for anything in the pickup directory that has been processed. The pickup directories follow:
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/default/data/threat_intel $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel $SPLUNK_HOME/etc/apps/<custom>
- Type a Type of taxii.
- Type a Description for the threat intelligence feed.
- Type a URL to use to download the TAXII feed.
- (Optional) Change the default Weight for the threat intelligence feed. Increase the weight if the threats on the threat feed are high-confidence and malicious threats that should increase the risk score for assets and identities that interact with the indicators from the threat source.
- (Optional) Adjust the interval at which to download the threat intelligence. Defaults to 43200 seconds, or twice a day.
- Type TAXII-specific space-delimited POST arguments for the threat intelligence feed.
<POST argument>="<POST argument value>"
Example POST argument Description Example collection Name of the data collection from a TAXII feed. collection="A_TAXII_Feed_Name"
earliest The earliest threat data to pull from the TAXII feed. You can use the "earliest" POST argument only when the modular input runs for the first time. All subsequent runs of the modular input use the timestamp of the last modular input as the "earliest" POST argument.
earliest="-1y"
taxii_username An optional method to provide a TAXII feed username. taxii_username="user"
taxii_password An optional method to provide a TAXII feed password. If you provide a username without providing a password, the threat intelligence modular input attempts to find the password in Credential Management. See Manage credentials in Splunk Enterprise Security. taxii_password="password"
taxii_username_realm An optional method to provide a realm for the TAXII feed username. Used with the taxii_username
to locate the user credential password in Credential Management.taxii_username_realm="realm"
cert_file Add the certificate file name if the TAXII feed uses certificate authentication. The file name must match exactly and is case sensitive. cert_file="cert.crt"
key_file Add the key file name for the certificate if the TAXII feed uses certificate authentication. The file name must match exactly and is case sensitive. key_file="cert.key"
- TAXII feeds do not use the Maximum age setting. To configure file retention for TAXII files, see Configure intelligence file retention.
- TAXII feeds do not use the User agent setting.
- TAXII feeds do not use the Parsing Options settings.
- (Optional) Change the Download Options.
- (Optional) Change the Proxy Options. See Configure a proxy for retrieving threat intelligence.
- Save the changes.
You cannot use an authenticated proxy with a TAXII feed because the libtaxii library used by Enterprise Security does not support authenticated proxies. If possible, use an unauthenticated proxy instead.
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
Activate threat intelligence data source integrations in Splunk Enterprise Security | Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!