Splunk Enterprise Security

Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

ttchorz
Path Finder

Has anybody incorporated Ransomwaretracker (https://ransomwaretracker.abuse.ch/feeds/csv/) as a Threat Intelligence Feed in Splunk Enterprise Security?

I am wondering if someone could share settings used for Parsing Options:

  • Extracting regular expression
  • Fields
  • Ignoring regular expression
  • Skip header lines
0 Karma

paulstark
Path Finder

I've tracked this down to a char set problem.
The file lands on the Splunk server as UTF-8 Unicode.
Attaching some screen caps showing the bad chars.

0 Karma

kchamplin_splun
Splunk Employee

Can you paste in your stanza entry for this? It should be in etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
The naming convention should be similar to:
[threatlist://]

0 Karma

ttchorz
Path Finder

Here is the stanza (...\etc\apps\SplunkEnterpriseSecuritySuite\local\inputs.conf). I disabled it for now since it is not working correctly:

[threatlist://RansomwareTracker IP]
delim_regex = ,
description = Ransomware Tracker IP
fields = description:$3,ip:$8
ignore_regex = (^#|^\s*$)
interval = 43200
retries = 3
retry_interval = 60
skip_header_lines = 0
timeout = 30
type = threatlist
url = https://ransomwaretracker.abuse.ch/feeds/csv/
weight = 1
disabled = 1

0 Karma

kchamplin_splun
Splunk Employee

Easy enough to do. Go to "Data Inputs" in Splunk and click "Add new" in the "Threat Intelligence Downloads" row. You'll need to do this twice, once for IP and once for Domains.

For the main fields to pull in IP addresses

type = threatlist
Description = "Ransomware IPs" (or whatever you please)
URL = https://ransomwaretracker.abuse.ch/feeds/csv/
Delimiting regular expression = , (this should be the default, just check it's there)
Fields = description:$2,ip:$8

For the main fields to pull in the Domains

type = threatlist
Description = "Ransomware domains" (or whatever you please)
URL = https://ransomwaretracker.abuse.ch/feeds/csv/
Delimiting regular expression = , (this should be the default, just check it's there)
Fields = description:$2,domain:$4

If you want to concatenate fields for the description you can also do something like this:
description:"$2 $3"

Note that this will introduce some additional "" characters, but it will possibly be more useful (showing "C2 Locky" instead of just "C2" or "Locky").

Hopefully that helps! Also, if you want to understand what's going on, the $1 is just a token for the field in the delimited data. Field 1 is $1, Field 2 is $2, etc. Also note that each lookup requires specific field names for each threat collection. The quick way to view them is to use | inputlookup followed by any of the following:

certificate_intel
email_intel
file_intel
http_intel
ip_intel
process_intel
registry_intel
service_intel
user_intel
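
To make the field-token behaviour above concrete, here is an added Python example (not part of the thread and not Splunk's own threatlist code) that reproduces what the parsing options do to a feed file: split each line on the delimiting regex, drop lines matching the ignoring regex, skip a number of header lines, and fill each lookup field from its $N tokens, including the quoted "$2 $3" concatenation form. The feed content is a constructed sample with an assumed column order (Firstseen, Threat, Malware, Host, URL, Status, Registrar, IP, ASN, Country) chosen so that $2/$3/$4/$8 line up with the field specs in this thread; the leading UTF-8 BOM in the sample is also an assumption, added to show how an undecoded byte-order mark defeats the `^#` ignore pattern and produces empty rows like the "bad chars" problem mentioned earlier.

```python
import re

# Constructed sample of the feed format (not a real download). The column order is an
# assumption made for this example; the leading bytes EF BB BF are a UTF-8 BOM.
SAMPLE_FEED = (
    b"\xef\xbb\xbf# Ransomware Tracker CSV feed (constructed sample)\n"
    b"# Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country\n"
    b"2016-03-29 09:45:50,C2,Locky,example-c2.test,http://example-c2.test/main.php,online,-,192.0.2.10,64496,US\n"
    b"\n"
    b"2016-03-29 10:12:00,Payment Site,TeslaCrypt,pay.example.test,http://pay.example.test/,offline,-,198.51.100.7,64497,DE\n"
)

# A field spec looks like  description:$2,ip:$8  or  description:"$2 $3",domain:$4
FIELD_SPEC = re.compile(r'(\w+):("[^"]*"|[^,]+)')
# $N tokens refer to 1-based columns of the delimited line
TOKEN = re.compile(r"\$(\d+)")


def parse_fields_spec(fields):
    """Turn 'name:template,name:template' into a list of (name, template) pairs.
    Surrounding double quotes are stripped here so concatenated templates read cleanly;
    the answer above notes that Splunk itself may keep some of those quote characters."""
    return [(name, tmpl.strip('"')) for name, tmpl in FIELD_SPEC.findall(fields)]


def parse_threatlist(raw, fields, delim_regex=",", ignore_regex=r"(^#|^\s*$)",
                     skip_header_lines=0, encoding="utf-8-sig"):
    """Apply threatlist-style parsing options to raw feed bytes and return lookup rows.

    encoding="utf-8-sig" strips a BOM if one is present; pass "utf-8" to see what
    happens when the BOM survives into the first line.
    """
    text = raw.decode(encoding)
    spec = parse_fields_spec(fields)
    ignore = re.compile(ignore_regex)
    delim = re.compile(delim_regex)
    rows = []
    for lineno, line in enumerate(text.splitlines()):
        if lineno < skip_header_lines:
            continue
        if ignore.search(line):
            continue
        cols = delim.split(line)

        def fill(match):
            # Out-of-range tokens become empty strings rather than raising
            idx = int(match.group(1)) - 1
            return cols[idx] if 0 <= idx < len(cols) else ""

        rows.append({name: TOKEN.sub(fill, tmpl) for name, tmpl in spec})
    return rows


if __name__ == "__main__":
    # The two separate inputs recommended in the thread: one for IPs, one for domains
    for row in parse_threatlist(SAMPLE_FEED, "description:$2,ip:$8"):
        print("ip_intel   ", row)
    for row in parse_threatlist(SAMPLE_FEED, 'description:"$2 $3",domain:$4'):
        print("domain     ", row)
    # Same feed, BOM left in place: the comment line no longer matches ^# and yields a junk row
    print("undecoded BOM ->", parse_threatlist(SAMPLE_FEED, "description:$2,ip:$8", encoding="utf-8")[0])
```

Running it shows one clean row per feed line for each of the two field specs, and an extra row with empty description and ip values when the BOM is not stripped, which is the kind of lookup content to check for when a threatlist input appears to download fine but the ip_intel or domain rows look wrong.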

ttchorz
Path Finder

I have tried separating domain and ip but still no luck.

Fields : description:$3,ip:$8

The lookup is not getting populated:

0 Karma

kchamplin_splun
Splunk Employee

You have to break it up into two inputs as you can't combine the ip and domain fields into the same fields line.

0 Karma

ttchorz
Path Finder

Here are my configuration options and the results I am seeing in the ip_intel lookup. It seems to be wrong ....

Type: threatlist
URL: https://ransomwaretracker.abuse.ch/feeds/csv/
Weight: 1
Delimiting regular expression: ,
Fields: description:$4,ip:$8,domain:$5
Ignoring regular expression: (^#|^\s*$)
Skip Header lines: 0


0 Karma