Splunk Enterprise Security

Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Path Finder

Has anybody incorporated Ransomwaretracker (https://ransomwaretracker.abuse.ch/feeds/csv/) as a Threat Intelligence Feed in Splunk Enterprise Security?

I am wondering if someone could share settings used for Parsing Options:

  • Extracting regular expression
  • Fields
  • Ignoring regular expression
  • Skip header lines

Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Splunk Employee

Easy enough to do. Go to "Data Inputs" in Splunk and click "Add new" in the "Threat Intelligence Downloads" row. You'll need to do this twice, once for IP and once for Domains.

For the main fields to pull in IP addresses

type = threatlist
Description = "Ransomeware IPs" (or whatever you please)
URL = https://ransomwaretracker.abuse.ch/feeds/csv/
Delimiting regular expression = , (this should be the default, just check it's there)
Fields = description:$2,ip:$8

For the main fields to pull in the Domains

type = threatlist
Description = "Ransomeware domains" (or whatever you please)
URL = https://ransomwaretracker.abuse.ch/feeds/csv/
Delimiting regular expression = , (this should be the default, just check it's there)
Fields = description:$2,domain:$4

If you want to concatenate fields for the description you can also do something like this:
description:"$2 $3"

Note that will introduce some additional "" characters, but it will possibly be more useful (show C2 Locky, instead of just C2, or Locky).

Hopefully that helps! Also, if you want to understand what's going on, the $1 is just a token for the field in the delimited data. Field 1 is $1, Field 2 is $2, etc. Also note that each lookup requires specific field names for each threat collection. The quick way to view them is to use | inputlookup and then any of the following:

certificate_intel
email_intel
file_intel
http_intel
ip_intel
process_intel
registry_intel
service_intel
user_intel


Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Path Finder

Here are my configuration options and the results I am seeing in the ip_intel lookup. It seems to be wrong ....

Type: threatlist
URL: https://ransomwaretracker.abuse.ch/feeds/csv/
Weight: 1
Delimiting regular expression: ,
Fields: description:$4,ip:$8,domain:$5
Ignoring regular expression: (^#|^\s*$)
Skip Header lines: 0


Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Splunk Employee

You have to break it up into two inputs as you can't combine the ip and domain fields into the same fields line.


Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Path Finder

I have tried separating domain and ip but still no luck.

Fields : description:$3,ip:$8

The lookup is not getting populated (see the attached screenshot).


Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Splunk Employee

Can you paste in your stanza entry for this? It should be in etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
The naming convention should be similar to:
[threatlist://]


Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Path Finder

Here is the stanza (...\etc\apps\SplunkEnterpriseSecuritySuite\local\inputs.conf). I disabled it for now since it is not working correctly:

[threatlist://RansomwareTracker IP]
delim_regex = ,
description = Ransomware Tracker IP
fields = description:$3,ip:$8
ignore_regex = (^#|^\s*$)
interval = 43200
retries = 3
retry_interval = 60
skip_header_lines = 0
timeout = 30
type = threatlist
url = https://ransomwaretracker.abuse.ch/feeds/csv/
weight = 1
disabled = 1


Re: Has anybody incorporated Ransomwaretracker as a Threat Intelligence Feed in Splunk Enterprise Security?

Path Finder

I've tracked this down to a character set problem.
The file lands on the Splunk server as UTF-8 Unicode.
Attaching some screen caps showing the bad chars.

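To make the parsing options discussed in this thread concrete, here is an added example (not code from the thread or from Splunk) that emulates the Threat Intelligence Download options: a delimiting regular expression, an ignoring regular expression, skip-header-lines, and the `name:$N` field tokens (including the quoted `"$2 $3"` concatenation form). It also runs a non-ASCII check over the extracted values, which is the kind of test that would have surfaced the character set problem reported in the last post. The feed rows are constructed, with the column positions assumed from the answers above ($2 = threat, $3 = malware, $4 = host, $8 = IP); the quote stripping is a simplification of this script, not ES behaviour, which is why ES shows the extra `""` characters the answer mentions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout implied by the thread; none of these are real hosts or IPs.
# The third data row carries a non-breaking space (U+00A0) inside a value to show the charset check.
SAMPLE_FEED = """\
# Ransomware Tracker sample (constructed for this example, not real feed data)
# Firstseen,Threat,Malware,Host,URL,Status,Registrar,IP,ASN,Country
"2016-05-01 10:00:00","C2","Locky","c2.example.test","http://c2.example.test/a.php","online","registrar-a","192.0.2.10","64496","XX"
"2016-05-01 11:30:00","Payment Site","Cerber","pay.example.test","http://pay.example.test/","offline","registrar-b","198.51.100.7","64497","XX"

"2016-05-02 09:15:00","C2","TeslaCrypt","tc.example.test","http://tc.example.test/","online","registrar-c","203.0.113.9","64498","XX"
"2016-05-02 12:00:00","C2","Lo\u00a0cky","bad.example.test","http://bad.example.test/","online","registrar-d","203.0.113.44","64499","XX"
"""

# name:$N or name:"$N $M" pairs, separated by commas (the ES "Fields" option syntax)
FIELD_SPEC_RE = re.compile(r'(\w+):("[^"]*"|[^,]+)')
TOKEN_RE = re.compile(r"\$(\d+)")


def parse_field_spec(spec: str) -> Dict[str, str]:
    """'description:$2,ip:$8' -> {'description': '$2', 'ip': '$8'}.
    A quoted template such as "$2 $3" keeps its inner space; the quotes are dropped."""
    return {name: template.strip('"') for name, template in FIELD_SPEC_RE.findall(spec)}


def split_line(line: str, delim_regex: str) -> List[str]:
    """Split one feed line on the delimiting regex; strip surrounding quotes (this script's simplification)."""
    return [col.strip().strip('"') for col in re.split(delim_regex, line)]


def render(template: str, cols: List[str]) -> str:
    """Replace each $N token with column N (1-based); out-of-range tokens become empty."""
    def substitute(match: "re.Match[str]") -> str:
        idx = int(match.group(1)) - 1
        return cols[idx] if 0 <= idx < len(cols) else ""
    return TOKEN_RE.sub(substitute, template)


def parse_threatlist(text: str, fields: str, delim_regex: str = ",",
                     ignore_regex: str = r"(^#|^\s*$)", skip_header_lines: int = 0) -> List[Dict[str, str]]:
    """Emulate the download options: skip N header lines, drop lines matching the ignore regex,
    split the rest on the delimiter and map columns to the named lookup fields."""
    spec = parse_field_spec(fields)
    ignore = re.compile(ignore_regex)
    rows = []
    for line in text.splitlines()[skip_header_lines:]:
        if ignore.search(line):
            continue
        cols = split_line(line, delim_regex)
        rows.append({name: render(template, cols) for name, template in spec.items()})
    return rows


def find_non_ascii(rows: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Report (row index, field name, code points) for any value containing non-ASCII characters,
    the kind of content that breaks a lookup silently if the file is not read as UTF-8."""
    hits = []
    for i, row in enumerate(rows):
        for name, value in row.items():
            bad = [f"U+{ord(ch):04X}" for ch in value if ord(ch) > 127]
            if bad:
                hits.append((i, name, bad))
    return hits


if __name__ == "__main__":
    ip_rows = parse_threatlist(SAMPLE_FEED, "description:$2,ip:$8")
    domain_rows = parse_threatlist(SAMPLE_FEED, 'description:"$2 $3",domain:$4')
    for row in ip_rows:
        print("ip_intel   ", row)
    for row in domain_rows:
        print("domain     ", row)
    print("non-ASCII  ", find_non_ascii(domain_rows))
```

Running it shows the two separate inputs the answer recommends (one producing `ip`, one producing `domain`), and the non-ASCII report points at the exact row and field that would need attention before the lookup is trusted.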