Has anybody incorporated Ransomwaretracker (https://ransomwaretracker.abuse.ch/feeds/csv/) as a Threat Intelligence Feed in Splunk Enterprise Security?
I am wondering if someone could share settings used for Parsing Options:
Easy enough to do. Go to "Data Inputs" in Splunk and click "Add new" in the "Threat Intelligence Downloads" row. You'll need to do this twice, once for IP and once for Domains.
For the main fields to pull in IP addresses
type = threatlist Description = "Ransomeware IPs" (or whatever you please) URL = https://ransomwaretracker.abuse.ch/feeds/csv/ Delimiting regular expression = , (this should be the default, just check it's there) Fields = description:$2,ip:$8
For the main fields to pull in the Domains
type = threatlist Description = "Ransomeware domains" (or whatever you please) URL = https://ransomwaretracker.abuse.ch/feeds/csv/ Delimiting regular expression = , (this should be the default, just check it's there) Fields = description:$2,domain:$4
If you want to concatenate fields for the description you can also do something like this:
Note that will introduce some additional "" characters, but it will possibly be more useful (show C2 locky, insteady of just C2, or Locky).
Hopefully that helps! Also if you want to understand whats going on, the $1 is just a token for the field in the delimited data. Field 1 is $1, Field 2 is $2, etc. etc. Also note that each lookup requires specific field names for each threat collection. The quick way to view them is to use
| inputlookup and then any of the following:
Here is my configuration options and results I am seeing in ip_intel lookup. It seems to be wrong ....
Type: threatlist URL: https://ransomwaretracker.abuse.ch/feeds/csv/ Weight: 1 Delimiting regular expression: , Fields: description:$4,ip:$8,domain:$5 Ignoring regular expression: (^#|^\s*$) Skip Header lines: 0
You have to break it up into two inputs as you can't combine the ip and domain fields into the same fields line.
Can you paste in your stanza entry for this? It should be in etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
The naming convention should be similar to:
Here is the stanza (...\etc\apps\SplunkEnterpriseSecuritySuite\local\inputs.conf). I disabled it for now since it is not working correctly:
delimregex = ,
description = Ransomware Tracker IP
fields = description:$3,ip:$8
ignoreregex = (^#|^\s*$)
interval = 43200
retries = 3
retryinterval = 60
skipheader_lines = 0
timeout = 30
type = threatlist
url = https://ransomwaretracker.abuse.ch/feeds/csv/
weight = 1
disabled = 1