Has anybody incorporated Ransomwaretracker (https://ransomwaretracker.abuse.ch/feeds/csv/) as a Threat Intelligence Feed in Splunk Enterprise Security?
I am wondering if someone could share settings used for Parsing Options:
Can you paste in your stanza entry for this? It should be in etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
The naming convention should be similar to:
[threatlist://]
Here is the stanza (...\etc\apps\SplunkEnterpriseSecuritySuite\local\inputs.conf). I disabled it for now since it is not working correctly:
[threatlist://RansomwareTracker IP]
delim_regex = ,
description = Ransomware Tracker IP
fields = description:$3,ip:$8
ignore_regex = (^#|^\s*$)
interval = 43200
retries = 3
retry_interval = 60
skip_header_lines = 0
timeout = 30
type = threatlist
url = https://ransomwaretracker.abuse.ch/feeds/csv/
weight = 1
disabled = 1
Easy enough to do. Go to "Data Inputs" in Splunk and click "Add new" in the "Threat Intelligence Downloads" row. You'll need to do this twice, once for IP and once for Domains.
For the main fields to pull in IP addresses
type = threatlist
Description = "Ransomware IPs" (or whatever you please)
URL = https://ransomwaretracker.abuse.ch/feeds/csv/
Delimiting regular expression = , (this should be the default, just check it's there)
Fields = description:$2,ip:$8
For the main fields to pull in the Domains
type = threatlist
Description = "Ransomware domains" (or whatever you please)
URL = https://ransomwaretracker.abuse.ch/feeds/csv/
Delimiting regular expression = , (this should be the default, just check it's there)
Fields = description:$2,domain:$4
If you want to concatenate fields for the description you can also do something like this:
description:"$2 $3"
Note that will introduce some additional "" characters, but it will possibly be more useful (show C2 Locky, instead of just C2, or Locky).
Hopefully that helps! Also if you want to understand what's going on, the $1 is just a token for the field in the delimited data. Field 1 is $1, Field 2 is $2, etc. etc. Also note that each lookup requires specific field names for each threat collection. The quick way to view them is to use | inputlookup
and then any of the following:
certificate_intel
email_intel
file_intel
http_intel
ip_intel
process_intel
registry_intel
service_intel
user_intel
You have to break it up into two inputs as you can't combine the ip and domain fields into the same fields line.
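An added example, not from this thread and not Splunk's own threatlist parser: it emulates what a stanza does with ignore_regex, delim_regex and the $n tokens, so the field numbers in a fields line can be checked against a few feed rows before the input is enabled. The sample rows and the assumed column order of the feed are constructed, and quoted values are unquoted here, which a plain delimiter split in Splunk may not do.

```python
import ipaddress
import re
# Constructed sample in the layout of the Ransomware Tracker CSV feed; the column
# order (Firstseen, Threat, Malware, Host, URL, Status, Registrar, IP address(es),
# ASN(s), Country(s)) is an assumption to check against the live feed's header.
SAMPLE_FEED = """\
# abuse.ch Ransomware Tracker CSV Feed (constructed sample)
# Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country(s)
"2016-06-01 10:00:00","C2","Locky","c2.example.test","http://c2.example.test/","online","Example Registrar","192.0.2.10","64496","ZZ"

"2016-06-01 11:00:00","Payment Site","TeslaCrypt","pay.example.test","http://pay.example.test/x","offline","","","",""
"""
DELIM_REGEX = ","                          # the stanza's delim_regex
IGNORE_REGEX = re.compile(r"(^#|^\s*$)")   # the stanza's ignore_regex
TOKEN = re.compile(r"\$(\d+)")             # $n = n-th delimited field, 1-based

def parse_fields_spec(spec):
    """'description:$2,ip:$8' -> [('description','$2'), ('ip','$8')]; a value may be a quoted template like "$2 $3"."""
    mapping = []
    for item in spec.split(","):
        name, sep, template = item.partition(":")
        if not sep or not TOKEN.search(template):
            raise ValueError("bad field spec item: %r" % item)
        mapping.append((name.strip(), template.strip().strip('"')))
    return mapping

def expand(template, cols):
    """Replace every $n with column n ('' when the row has fewer columns)."""
    pick = lambda m: cols[int(m.group(1)) - 1] if int(m.group(1)) <= len(cols) else ""
    return TOKEN.sub(pick, template).strip()

def apply_threatlist(feed_text, fields_spec):
    """Emulate one threatlist input: skip ignored lines, split on the delimiter,
    map the $n tokens, and keep only rows that yield a usable indicator."""
    mapping = parse_fields_spec(fields_spec)
    records = []
    for line in feed_text.splitlines():
        if IGNORE_REGEX.search(line):
            continue
        # plain delimiter split as in the stanza; surrounding quotes are stripped here
        cols = [c.strip().strip('"') for c in re.split(DELIM_REGEX, line)]
        record = {name: v for name, tpl in mapping if (v := expand(tpl, cols))}
        if "ip" in record:
            try:                       # ip_intel wants a real address, not '' or a host
                ipaddress.ip_address(record["ip"])
            except ValueError:
                del record["ip"]
        if "ip" in record or "domain" in record:
            records.append(record)
    return records
```

Running the IP spec and the domain spec over the same sample shows why two inputs are needed: the second row carries a domain but no address, so it only survives the domain input.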
Here are my configuration options and the results I am seeing in the ip_intel lookup. It seems to be wrong ....
Type: threatlist
URL: https://ransomwaretracker.abuse.ch/feeds/csv/
Weight: 1
Delimiting regular expression: ,
Fields: description:$4,ip:$8,domain:$5
Ignoring regular expression: (^#|^\s*$)
Skip Header lines: 0