Splunk Enterprise Security

ES Threat Intelligence Download with POST argument

teresachila
Path Finder

I set up an Intelligence Download for https://threatfox-api.abuse.ch/api/v1 to use with the POST argument. However, I am constantly getting the error:

Caught HTTPError when querying https://threatfox-api.abuse.ch/api/v1: code=405 exc=HTTP Error 405: Method Not Allowed

I also see the log line:

file=threatlist.py:download_csv:333 | status="CSV download starting"

However, this URL does not return a CSV. It returns JSON, and I am planning to use (?ms) in the extract regex to parse it. Is ES thinking that this is a CSV and doing a GET instead of a POST? How do I control that? In the UI I have set the POST argument to the JSON string required by the API. I am able to run curl and retrieve the output from this URL.


ownion
Path Finder

Dear @teresachila,

The API you are calling returns results in JSON format. To make it work, you may have to set up a scripted input to fetch the data, then create a saved search to populate a lookup and reference this lookup in Threat Intelligence Management.

Or you can configure a new "Threat Intelligence Source" directly in Threat Intelligence Management and use the link under the "download" label to ingest the type of data you need, based on:

  • URLs
  • Domains
  • IP-Port
  • MD5 Hashes
  • SHA256 Hashes
  • Or full data dump (all of the above joined together)

either as recent additions or as a full data dump, from this link https://threatfox.abuse.ch/export/#csv in CSV mode.

Let me know if this solves your issue.


teresachila
Path Finder

I modified my POST argument format to be xx=yy and the 405 Method Not Allowed error is gone. However, it then said "no indicator found" in the downloaded file. Unfortunately I can't see what is downloaded, and I can't tell if my POST arguments were accepted by the server. I am giving up trying to set this up in ES. Thanks for your help though.


venkatasri
SplunkTrust

Hi @teresachila

Threat intel supports POST; you can check here: https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Downloadthreatfeed

The JSON format seems not to be supported yet. This is an old post, but it is still a good alternative solution for JSON -> https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-there-a-way...

The above URL expects the POST method; without POST arguments, threat intel inputs might be assuming the GET method.

{
    "query_status": "http_post_expected",
    "data": "The API expects a HTTP POST request"
}

---

An upvote would be appreciated if this reply helps!
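As an added example (not code from this thread, from Splunk or from abuse.ch), one way to do what ownion and venkatasri describe: a small Python script in the style of a scripted input that POSTs the JSON query to ThreatFox, fails loudly on any query_status other than "ok" (such as the http_post_expected reply quoted above, which is what a GET gets back), and flattens the result into CSV rows that a saved search can load into a lookup. The request body, the data fields (ioc, ioc_type, threat_type, malware, confidence_level) and the CSV column names are assumptions, and the sample replies are constructed.

```python
import csv
import io
import json
from urllib import request

THREATFOX_API = "https://threatfox-api.abuse.ch/api/v1"

def build_query(days=1):
    # Assumed request body: ThreatFox's "get_iocs" query for the last N days.
    return json.dumps({"query": "get_iocs", "days": days}).encode()

def parse_response(raw):
    """Flatten the API's JSON into rows; any query_status other than "ok" is an error."""
    doc = json.loads(raw)
    status = doc.get("query_status")
    if status != "ok":
        # e.g. "http_post_expected" when the request went out as a GET
        raise ValueError("ThreatFox query_status=%r: %s" % (status, doc.get("data")))
    rows = []
    for item in doc["data"]:
        ioc, ioc_type = item.get("ioc"), item.get("ioc_type")
        if not ioc or not ioc_type:
            continue  # malformed entry: skip it rather than write junk into the lookup
        if ioc_type == "ip:port":
            ioc = ioc.rsplit(":", 1)[0]  # keep the bare address (assumed lookup format)
        rows.append({"ioc_type": ioc_type, "ioc": ioc,
                     "threat_type": item.get("threat_type", ""),
                     "malware": item.get("malware", ""),
                     "confidence": item.get("confidence_level", "")})
    return rows

def to_csv(rows):
    # Column names are assumptions; align them with the lookup definition ES will read.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ioc_type", "ioc", "threat_type", "malware", "confidence"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def fetch(days=1):
    req = request.Request(THREATFOX_API, data=build_query(days), method="POST",
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read())

# Constructed sample replies for offline testing (not real ThreatFox data).
SAMPLE_OK = json.dumps({"query_status": "ok", "data": [
    {"ioc": "198.51.100.7:4444", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.example", "confidence_level": 75},
    {"ioc": "example.invalid", "ioc_type": "domain", "threat_type": "payload_delivery"}]})
SAMPLE_GET = json.dumps({"query_status": "http_post_expected", "data": "The API expects a HTTP POST request"})
```

Calling `to_csv(fetch())` from the scripted input and checking that the lookup actually fills before pointing Threat Intelligence Management at it avoids the blind "no indicator found" situation described above.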
