Configure threat intelligence sources in Splunk Enterprise Security
Configure threat intelligence sources to get intelligence data in Splunk Enterprise Security. The configuration process for intelligence sources is different depending on the threat intelligence system you have access to.
To configure sources for the threat intelligence management system, see Configure sources for threat intelligence management.
To configure sources for the threat intelligence management (cloud) system, see Configure sources for threat intelligence management (cloud).
Configure sources for threat intelligence management
Configure sources for threat intelligence management by turning on the intelligence sources included with Splunk Enterprise Security or by adding your own custom sources. Splunk Enterprise Security ships with a selection of threat intelligence sources and supports several intelligence formats so that you can add your own.
The included intelligence sources retrieve information from the internet. You must turn on an intelligence source integration before it begins ingesting intelligence data that you can use in your security investigations.
The following threat intelligence sources are turned on by default:
- Mozilla Public Suffix List
- MITRE ATT&CK Framework
- ICANN Top-level Domains List
Turn on intelligence sources
To turn on intelligence source integrations for threat intelligence management, complete the following steps:
Prerequisites
- Your Splunk Enterprise deployment must be connected to the internet. If your deployment is not connected to the internet, turn off these sources or obtain the intelligence another way, for example through a proxy server or by uploading the files.
- If you need firewall rules for these sources, consider using a proxy server to collect the intelligence and forward it to Splunk Enterprise Security, and allow the proxy server's IP address to reach Splunk Enterprise Security. Do not write rules against the source IP addresses themselves, because they can change. See Configure proxy server settings.
Steps
- In Splunk Enterprise Security, select Configure and then Intelligence.
- In the Threat intelligence management section, select Threat intelligence sources.
- Toggle the Status switch to On.
- Review the Description field for all defined intelligence sources to learn more about the types of information or threat indicators that can be correlated with your events.
- For each source that is turned on and fits your security use cases, follow the URL to the source website and review the provider's documentation. Each provider gives its own guidance on polling intervals and other configuration requirements, separate from Splunk Enterprise Security.
Splunk Enterprise Security expects every intelligence source to provide properly formatted data and useful intelligence. Feed providers are responsible for malformed data or for false positives that a feed causes in your environment.
To see a reference table of the available sources, see Available threat intelligence and generic intelligence sources included in Splunk Enterprise Security.
If you determine that your Splunk Enterprise Security installation is retrieving data from unexpected IP addresses, perform a WHOIS or nslookup lookup on the address to determine whether it belongs to one of the intelligence sources configured in your environment.
Add new intelligence sources
Administrators can add threat intelligence sources to Splunk Enterprise Security by downloading a feed from the internet, uploading a structured file, or inserting the threat intelligence directly from events in Splunk Enterprise Security.
Add new intelligence sources using any of the following methods:
- Add a URL-based intelligence source
- Add a TAXII feed
- Upload a STIX or OpenIOC structured threat intelligence file
- Upload a custom CSV file of threat intelligence
- Add threat intelligence from Splunk events
- Add and maintain threat intelligence locally
- Add threat intelligence with a custom lookup file
- Upload threat intelligence using REST API
After you add new intelligence sources, make sure you verify them.
Verify your threat intelligence sources
After you add new intelligence sources or configure included intelligence sources using the threat intelligence management system, verify that the intelligence is being parsed successfully and that threat indicators are being added to the threat intelligence KV Store collections. The modular input responsible for parsing intelligence runs every 12 hours. This verification procedure is relevant only for URL-based sources and TAXII feeds.
Follow these steps to verify that intelligence source data is being parsed successfully:
- In Splunk Enterprise Security, select Security analytics then Audit and then Threat intelligence audit.
- Find the intelligence source and confirm that the download_status column states threat list downloaded. For TAXII feeds, the UI states Retrieved document from TAXII feed.
- Review the Intelligence audit events to see if there are errors associated with the lookup name.
If the download fails, attempt the download directly from the terminal of the Splunk server using a curl or wget utility. If the intelligence source downloads successfully with one of these utilities but not in Splunk Enterprise Security, ask your system administrator whether network security controls in your environment filter on the User-Agent header, in which case you need to specify a custom user-agent string for the source.
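The following script is an added example, not part of the Splunk documentation or of the Splunk Enterprise Security code, that reproduces the terminal check described above in Python: it downloads a feed through an explicit proxy and with a chosen User-Agent header, reports which IP address the hostname resolved to (for comparison with WHOIS or nslookup output, as in the note on unexpected IP addresses earlier on this page), and counts the indicator lines it received. The sample feed, the temporary-file helper, the user-agent strings and the function names are all constructed for this example; a `file://` URL is used so the check runs offline.

```python
import socket
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample feed in the common one-indicator-per-line layout with '#' comments.
# It stands in for a real source so the check can be exercised offline via a file:// URL.
SAMPLE_FEED = """# constructed sample feed for this example, not a real intelligence source
# last updated: 2024-01-01
198.51.100.7
203.0.113.22

evil.example
"""

# Browser-like User-Agent used as the baseline when testing for UA-based filtering.
BROWSER_LIKE_UA = "Mozilla/5.0 (compatible; es-feed-check/1.0)"


def write_sample_feed():
    """Write the constructed feed to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as handle:
        handle.write(SAMPLE_FEED)
        return handle.name


def fetch_feed(url, user_agent=BROWSER_LIKE_UA, proxy=None, timeout=30):
    """Download a feed the way the modular input has to: through an explicit proxy
    (if configured) and with a chosen User-Agent header.

    Returns the IP the hostname resolved to, the HTTP status, the body size and the
    non-comment, non-empty lines. When a proxy is used the resolved IP is left as None,
    because the TCP connection then goes to the proxy rather than to the source.
    """
    parts = urlsplit(url)
    resolved_ip = None
    if proxy is None and parts.scheme in ("http", "https") and parts.hostname:
        resolved_ip = socket.gethostbyname(parts.hostname)

    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})

    try:
        with opener.open(request, timeout=timeout) as response:
            body = response.read()
            status = getattr(response, "status", None)  # None for file:// responses
    except urllib.error.HTTPError as err:
        # A 403 here that disappears with another User-Agent points at a UA-based control.
        return {"status": err.code, "resolved_ip": resolved_ip, "size_bytes": 0,
                "indicator_count": 0, "indicators": [], "error": str(err)}

    text = body.decode("utf-8", errors="replace")
    indicators = [line.strip() for line in text.splitlines()
                  if line.strip() and not line.lstrip().startswith("#")]
    return {"status": status, "resolved_ip": resolved_ip, "size_bytes": len(body),
            "indicator_count": len(indicators), "indicators": indicators, "error": None}


def compare_user_agents(url, custom_user_agent, proxy=None):
    """Fetch the same feed with a browser-like User-Agent and with the custom string you
    intend to configure for the source, to see whether the User-Agent alone decides
    whether the download succeeds."""
    return {ua: fetch_feed(url, user_agent=ua, proxy=proxy)["status"]
            for ua in (BROWSER_LIKE_UA, custom_user_agent)}


if __name__ == "__main__":
    result = fetch_feed("file://" + write_sample_feed())
    print(f"{result['indicator_count']} indicators, {result['size_bytes']} bytes")
```

Against a real source, call `fetch_feed` with the feed URL, the proxy configured in Splunk Enterprise Security and the user-agent string you plan to set; if `compare_user_agents` returns a 403 for one string and 200 for the other, the network control is keyed on the User-Agent header and the source needs a custom user-agent string.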
Follow these steps to verify that threat indicators are being added to KV store collections:
- Select Security analytics then Security intelligence then Threat Intelligence and then Threat artifacts.
- Search for the threat source name in the Intel Source ID field.
- Confirm that threat indicators exist for the threat source.
Configure parse modifier settings
When threat intelligence data is ingested, several values are often embedded in a single field. Parse modifier settings let you separate them. Fields and their values are extracted at the time threat documents are processed and written to their respective threat collections. Configure parse modifier settings to extract these fields from the threat intelligence data.
Steps
- In Splunk Enterprise Security, select Configure and then Intelligence.
- In the Threat intelligence management section, select Proxy and parser settings.
- You have the option to turn on any of the following parse modifier settings:
- Certificate attribute breakout
- IDNA encode domains
- Parse domain from URL
- Turn on the parse modifier setting based on your requirements.
Turn on Certificate attribute breakout to parse fields in the certificate_issuer and certificate_subject fields.
For example, a raw certificate issuer field might be a single string as follows:
C = US, ST = CA, L = San Francisco, O = The Company Name, OU = The Organizational Unit Name, CN = The common name, emailAddress = theemailaddress@email.gov, STREET=123 main street
Several other potential fields are embedded within this single string. When you parse the certificate_issuer field by activating the Certificate attribute breakout parse modifier, the embedded attributes are extracted from the raw certificate_issuer field and stored in their own fields in the collection as follows:
- 'certificate_issuer_common_name': 'The common name',
- 'certificate_issuer_email': 'theemailaddress@email.gov',
- 'certificate_issuer_locality': 'San Francisco',
- 'certificate_issuer_organization': 'The Company Name',
- 'certificate_issuer_state': 'CA',
- 'certificate_issuer_street': '123 main street',
- 'certificate_issuer_unit': 'The Organizational Unit Name'
When you parse the certificate_subject field by activating the Certificate attribute breakout parse modifier, parsing occurs in the same way:
- 'certificate_subject_common_name': 'The common name',
- 'certificate_subject_email': 'theemailaddress@email.gov',
- 'certificate_subject_locality': 'San Francisco',
- 'certificate_subject_organization': 'The Company Name',
- 'certificate_subject_state': 'CA',
- 'certificate_subject_street': '123 main street',
- 'certificate_subject_unit': 'The Organizational Unit Name'
Turn on IDNA encode domains to store the domain field in its IDNA-encoded (ASCII) form.
If you want to extract a hostname from a URL, turn on Parse domain from URL. This setting parses the domain field from the url field.
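The following is an added example, not code from the Splunk documentation or from the Splunk Enterprise Security parser, that implements the three parse modifier settings described above on one indicator record: the certificate attribute breakout on the page's own worked issuer string, IDNA encoding of the domain field, and parsing the domain from the url field. The attribute-to-field mapping follows the field names the page lists (the country attribute C is not among them, so it is left in the raw string); the record layout, the URL, the handling of backslash-escaped commas and scheme-less URLs, and the order in which the modifiers are applied are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Certificate attribute type -> suffix of the broken-out field, using the field names the
# page lists. Constructed for this example; attribute types not in the table (such as C)
# stay in the raw string only.
CERT_ATTR_SUFFIX = {
    "CN": "common_name",
    "EMAILADDRESS": "email",
    "L": "locality",
    "O": "organization",
    "ST": "state",
    "STREET": "street",
    "OU": "unit",
}


def breakout_certificate_attributes(field_name, raw_dn):
    """Split a flattened distinguished name such as 'C = US, ST = CA, ...' into
    <field_name>_<suffix> fields. Attributes are separated by commas; a comma escaped
    with a backslash (RFC 4514 style, an assumption here) is kept as part of the value."""
    fields = {}
    for part in re.split(r"(?<!\\),", raw_dn):
        if "=" not in part:
            continue  # ignore fragments that are not 'type = value'
        attr_type, value = part.split("=", 1)
        suffix = CERT_ATTR_SUFFIX.get(attr_type.strip().upper())
        if suffix:
            fields[f"{field_name}_{suffix}"] = value.strip().replace("\\,", ",")
    return fields


def idna_encode_domain(domain):
    """Convert an internationalized domain to its ASCII (xn--) form so it matches the
    hostnames seen in DNS and proxy logs. Uses Python's built-in IDNA 2003 codec
    (assumption: sufficient for matching purposes). ASCII labels are lowercased."""
    domain = domain.strip().rstrip(".")
    if not domain:
        return ""
    return domain.encode("idna").decode("ascii").lower()


def parse_domain_from_url(url):
    """Extract the hostname from a URL, dropping scheme, userinfo, port, path and query.
    Scheme-less values such as 'evil.example/login' are treated as host-first
    (assumption: the feed omitted the scheme)."""
    url = url.strip()
    parts = urlsplit(url)
    if not parts.netloc:
        parts = urlsplit("//" + url)
    return parts.hostname or ""


def apply_parse_modifiers(record, certificate_breakout=True, idna_domains=True,
                          domain_from_url=True):
    """Apply the three parse modifiers to one indicator record (a dict as it would be
    written to a threat collection) and return an enriched copy. Order (assumption):
    the domain is parsed from the URL first so that IDNA encoding also covers it, and an
    existing domain value is not overwritten."""
    out = dict(record)
    if certificate_breakout:
        for name in ("certificate_issuer", "certificate_subject"):
            if out.get(name):
                out.update(breakout_certificate_attributes(name, out[name]))
    if domain_from_url and out.get("url") and not out.get("domain"):
        out["domain"] = parse_domain_from_url(out["url"])
    if idna_domains and out.get("domain"):
        out["domain"] = idna_encode_domain(out["domain"])
    return out


# Constructed indicator record: the certificate strings are the page's worked example,
# the URL (with userinfo, a mixed-case IDN host and a port) is made up for this example.
PAGE_DN = ("C = US, ST = CA, L = San Francisco, O = The Company Name, "
           "OU = The Organizational Unit Name, CN = The common name, "
           "emailAddress = theemailaddress@email.gov, STREET=123 main street")
SAMPLE_RECORD = {
    "url": "https://user:pw@Bücher.Example:8443/login",
    "certificate_issuer": PAGE_DN,
    "certificate_subject": PAGE_DN,
}


if __name__ == "__main__":
    for key, value in sorted(apply_parse_modifiers(SAMPLE_RECORD).items()):
        print(f"{key}: {value}")
```

With all three modifiers on, the sample record gains the seven certificate_issuer_* and seven certificate_subject_* fields the page lists, and its domain field becomes xn--bcher-kva.example, which is the form a DNS or proxy log would carry for that host.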
Configure cloud-hosted threat intelligence data source integrations
Activating the data source integrations imports data into the threat intelligence management (cloud) system. After you import data into the cloud system, you can use it in threat-matching searches and also to enrich investigations.
Follow these steps to activate the cloud-hosted threat intelligence data sources:
- In Splunk Enterprise Security, select the Configure page and then Threat intelligence.
- Select Threat intelligence sources.
- (Optional) To apply a filter, such as Type or Status, to the sources table, select the column header of the field you want to filter by. Not all fields are filterable. You can see the sorting and filtering options for a field by selecting the down arrow icon in the column header. Fields that aren't filterable don't have a filter menu with check boxes.
Many of the intelligence sources are available immediately upon activation, but certain paid and proprietary intelligence sources are only available after validation of API keys and credentials.
- For an open intelligence source, select Activate. See Available open intelligence sources for Splunk Enterprise Security for a listing of all free OSINT sources available through the cloud threat intelligence system and the types of indicators they report about.
- For a premium intelligence source, select Activate.
- Enter the required credentials. To find the requirements for each available premium intelligence source, see Available premium intelligence sources for Splunk Enterprise Security.
- Select Yes, confirm to confirm your credentials.
- Repeat the process for all the threat intelligence sources that you want to activate.
- (Optional) To deactivate a source, select the source you want, and then select Deactivate.
If an intelligence source indicates "Activation failed", check for expired API credentials or for an overdue subscription payment. You might need to deactivate the source, enter new credentials, and then activate the source again.
After you activate sources, you can configure threat lists for threat-matching automation and investigation enrichment. See Configure threat lists in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1