Splunk® Enterprise Security

Administer Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Example: Add a generic intelligence source to Splunk Enterprise Security

As a security analyst, you want to compare hosts seen in your network with the hosts associated with Spotify advertisements so that you can assess the risk that listening to Spotify Free during the work day poses to your network. The hosts associated with Spotify ads are not malicious, and you do not want to add them to Splunk Enterprise Security as threat intelligence. Instead, you can add them as generic intelligence.

Download the generic intelligence

First, create a download configuration for the list.

  1. Select Configure > Data Enrichment > Threat Intelligence Management.
  2. Click New > Line Oriented.
  3. On the General tab, type a Name of spotify_ads.
  4. Deselect the check box for Is Threat Intelligence.
  5. Type a Type of spotify_ads.
  6. Type a Description of Hostnames of machines hosting Spotify ads.
  7. Type a URL of https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts.
  8. (Optional) Change the default Weight.
  9. (Optional) Change the default Interval.
  10. In the Parsing tab, type a delimiting regular expression of \s.
  11. Type Fields of url:$2.
  12. Type an Ignoring regular expression of (^#|^\s*$).
  13. Click Save.

Verify that the intelligence downloads successfully

Using search, verify that the modular input is downloading information from the source.

| inputintelligence no_parse=1 spotify_ads

Verify that the intelligence parses correctly

Use the custom search command inputintelligence to verify that the intelligence parses correctly.

| inputintelligence spotify_ads

If the intelligence does not seem to be parsing correctly, review search.log for any error messages. In addition, you can change the parsing settings for the download using the optional arguments for the inputintelligence command to determine the correct settings. See Use generic intelligence in search with inputintelligence.

Use the new intelligence source in a search

You can use the new intelligence source in many ways in searches.

Use Spotify ads in a subsearch

To return 100 URLs used by Spotify ads in a list with the following subsearch:

| search [| inputintelligence spotify_ads | return 100 url]

Use Spotify ads in join

Join the hosts in the Spotify ads intelligence source with another set of data with join:

... | join url [| inputintelligence spotify_ads | eval spotify_ad="true"] | search spotify_ad="true"

Add Spotify ads to a lookup table file

Add the hosts from Spotify ads to a lookup table file using a lookup generating search:

| inputintelligence spotify_ads | eval spotify_ad="true" | outputlookup spotify_ads.csv

After creating the lookup, use it in search with the following example search:

... | lookup spotify_ads.csv url OUTPUT spotify_ad | search spotify_ad="true"

Last modified on 21 April, 2022
Use generic intelligence in search with inputintelligence   Managing content in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters