
Use generic intelligence in search with inputintelligence

After you add generic intelligence to Splunk Enterprise Security, you can use the inputintelligence command to work with that intelligence in searches. See Add generic intelligence to Splunk Enterprise Security.

The inputintelligence command cannot be used with threat intelligence sources.

Description

Use the inputintelligence command to add intelligence from the threatlist directory to your search results. When downloaded, generic intelligence is parsed and stored in the $SPLUNK_DB/modinputs/threatlist directory.

In a search head cluster, run the inputintelligence command on the search head where the input is configured. Searches might fail if you run the inputintelligence command on search peers in a search head cluster.

Syntax

| inputintelligence <threatlist_stanza_name> [fields=<string>] [delim_regex=<string>] [extract_regex=<string>] [ignore_regex=<string>] [skip_header_lines=<int>] [include_raw=<bool>] [append=<bool>] [no_parse=<bool>]

Required arguments

threatlist_stanza_name

Syntax: <string>
Description: The stanza name of the intelligence download. Matches the Name field on the Intelligence Downloads page. You cannot specify multiple stanzas in one search. Instead, chain several inputintelligence commands and combine their results with the append=1 argument. See Download an intelligence feed from the Internet in Splunk Enterprise Security.

Optional arguments

fields

Syntax: <string>
Description: Overrides the default fields setting for the intelligence download defined on the Intelligence Download page. Required if your document is line-delimited. A comma-separated list of fields to extract from the intelligence list. Can also be used to rename or combine fields. The description field is required. No default value: if no value is specified, the field names are parsed from the header of the CSV file. Beyond description, field names can be anything you choose; they are not required to map to the KV Store collections in the DA-ESS-ThreatIntelligence/collections.conf configuration file, although the fields of the corresponding threat intelligence collection (visible in the local lookup files or in collections.conf) are commonly used.


delim_regex

Syntax: <string>
Description: Overrides the default delimiting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression string used to split, or delimit, lines in an intelligence source. For complex delimiters, use an extracting regular expression.

extract_regex

Syntax: <string>
Description: Overrides the default extracting regular expression setting for the intelligence download defined on the Intelligence Download page. A regular expression used to extract field values from individual lines of an intelligence source document, for formats that a simple delimiter cannot split.

ignore_regex

Syntax: <string>
Description: Overrides the default ignore regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to ignore lines in an intelligence source. Defaults to ignoring blank lines and comments that begin with #.

skip_header_lines

Syntax: <int>
Description: Overrides the default skip header lines setting for the intelligence download defined in the Intelligence Download page. The number of header lines to skip when processing the intelligence source.
Default: 0

include_raw

Syntax: <bool>
Description: If 1, t, or true, adds the original line content to an additional column called raw.
Default: 0

append

Syntax: <bool>
Description: If 1, t, or true, appends the results of the inputintelligence command to an existing set of search results instead of replacing it.
Default: 0

no_parse

Syntax: <bool>
Description: If 1, t, or true, all other options are ignored and the raw contents of the intelligence file are returned, one line per row.
Default: 0
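To make the interaction of these arguments concrete, the following Python model of the parsing options is added here as an illustration. It is not Splunk's code and does not reproduce inputintelligence exactly: the order in which skip_header_lines and ignore_regex are applied, the positional mapping of extract_regex capture groups onto the fields list, and raising an error when description is missing are all assumptions of this model. The three sample feeds are constructed for the example and contain no real intelligence.

```python
import re
from typing import Dict, List, Optional

# Documented default: blank lines and lines starting with '#' are ignored.
DEFAULT_IGNORE_REGEX = r"^\s*$|^\s*#"

# Constructed sample feeds (not real data).
SAMPLE_PIPE_FEED = """# constructed sample feed for illustration only
# ip | description
203.0.113.10 | scanner seen against honeypot
203.0.113.11 | credential stuffing source

198.51.100.7 | phishing landing page
"""

SAMPLE_CSV_FEED = """Generated 2024-01-09 by constructed-feed-tool
domain,description
example.com,constructed test entry
example.net,another constructed entry
"""

SAMPLE_KV_FEED = """# constructed: key=value lines
indicator=198.51.100.20 note=brute force ssh
indicator=198.51.100.21 note=tor exit
malformed line without the expected keys
"""


def parse_intelligence(
    text: str,
    fields: Optional[str] = None,
    delim_regex: Optional[str] = None,
    extract_regex: Optional[str] = None,
    ignore_regex: str = DEFAULT_IGNORE_REGEX,
    skip_header_lines: int = 0,
    include_raw: bool = False,
    no_parse: bool = False,
) -> List[Dict[str, str]]:
    """Model of the documented inputintelligence options (assumption: not Splunk's implementation)."""
    lines = text.splitlines()

    # no_parse=1: every other option is ignored, one raw line per row.
    if no_parse:
        return [{"raw": line} for line in lines]

    # Assumption: header lines are skipped before the ignore regex is applied.
    lines = lines[skip_header_lines:]
    ignore = re.compile(ignore_regex)
    lines = [line for line in lines if not ignore.search(line)]

    splitter = re.compile(delim_regex) if delim_regex else re.compile(",")

    if fields:
        field_names = [f.strip() for f in fields.split(",")]
    else:
        # No fields given: take the names from the first remaining (header) line.
        if not lines:
            return []
        header, lines = lines[0], lines[1:]
        field_names = [h.strip() for h in splitter.split(header)]

    # The page states description is required; enforcing it by raising is this model's choice.
    if "description" not in field_names:
        raise ValueError("description is a required field")

    extractor = re.compile(extract_regex) if extract_regex else None
    rows: List[Dict[str, str]] = []
    for line in lines:
        if extractor is not None:
            # extract_regex wins over delim_regex; lines that do not match are dropped.
            match = extractor.search(line)
            if match is None:
                continue
            values = list(match.groups())  # assumption: groups map positionally onto fields
        else:
            values = [v.strip() for v in splitter.split(line)]

        row = dict(zip(field_names, values))
        for name in field_names[len(values):]:
            row[name] = ""  # short lines leave trailing fields empty
        if include_raw:
            row["raw"] = line
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in parse_intelligence(SAMPLE_PIPE_FEED, fields="ip,description", delim_regex=r"\s*\|\s*"):
        print(row)
```

Running the model against SAMPLE_PIPE_FEED with a pipe delimiter yields three rows and silently drops the comment and blank lines, which is the default ignore_regex behaviour. SAMPLE_CSV_FEED needs skip_header_lines=1 to discard the banner line so that the field names can be read from the CSV header, and SAMPLE_KV_FEED shows why extract_regex exists: the key=value layout cannot be split by a single delimiter, and a line that does not match the pattern is dropped rather than producing a garbage row.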

Usage

The inputintelligence command is a transforming command.

Examples

1. View the top one million sites

View the top one million sites according to Cisco.

| inputintelligence cisco_top_one_million_sites

2. Further examples

See Example: Add a generic intelligence source to Splunk Enterprise Security.

See also

inputlookup

Last modified on 09 January, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
