I need to manipulate some fields in the URL threat match search in Splunk ES 6.4, but am at a loss as to how to do so. When viewing the SPL at ES -> Data Enrichment -> Threat Intelligence Management -> Threat Matching, any changes I make to the SPL are not saved, and when I grep for snippets of the threat match search in the splunk/etc directory, I can't find where they are stored.
Our cloud-based web proxy logs do not include the protocol header in the URL field. Since the Web data model requires this and several of our custom threat intelligence sources include this, we need to bridge the gap in order to perform threat matches from the Web.url and Web.http_referrer fields against threat intelligence. Previously, I had directly edited the Threat - URL Matches - Threat Gen search to include some eval statements just before the threat_intel lookups to make the Web.url field into an mvfield including the three protocol headers we see in our threat intelligence, then mvjoining them into one field for whitelisting later on.
Here are my additions to the original threat gen search:
| eval url=mvappend("http://".url, "https://".url, "ftp://".url)
| extract domain_from_url
| `threatintel_url_lookup(url)`
| `threatintel_domain_lookup(url_domain)`
| eval url=mvjoin(url, " ")
It wasn't the prettiest solution, but it was the only one we could come up with to get URL matches out of the Threat Intelligence framework.
Since the old threat gen searches are deprecated, I replicated this effort with the code shown for the URL threat match search found at ES -> Data Enrichment -> Threat Intelligence Management -> Threat Matching:
| eval Web.url=mvappend("http://".'Web.url', "https://".'Web.url', "ftp://".'Web.url')
| lookup "threatintel_by_url" value as "Web.url" OUTPUT threat_collection as tc0,threat_collection_key as tck0
| lookup "threatintel_by_url_wildcard" value as "Web.url" OUTPUT threat_collection as tc1,threat_collection_key as tck1
| eval Web.url=mvjoin('Web.url', " ")
However, I need to save my new version of the threat match search over the existing one. As stated above, I'm not sure how to do this. It seems like the SPL shown at ES-> Data Enrichment -> Threat Intelligence Management -> Threat Matching may be generated based on the various GUI options that are user-configurable. If this is the case, how can I ensure that my Web Proxy logs can be processed through the threat intelligence framework?
I resolved this issue by editing the Lookup Gen searches instead. I created a new macro and invoked it twice in each Lookup Gen search, once for url and once for http_referrer (just before they get mvjoined together), and it now generates the URL threat intel lookups without the protocol headers, and things are matching up the way they need to.
rex field=$url$ "((?<url_protocol>[a-zA-Z]*:\/\/))?(?<$url$>.*)" | fields - url_protocol
Hope this helps if anyone else has the same issue.
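The normalization the accepted answer performs in SPL, reproduced in Python as an added example (not code from the original thread or from Splunk ES): the same optional-scheme regex strips "http://", "https://" or "ftp://" from each threat indicator before it is keyed into the lookup, so scheme-less proxy URL and referrer values match directly. The indicator list and proxy events are constructed sample data.

```python
import re

# Python equivalent of the rex in the answer's macro: an optional
# "<scheme>://" prefix is captured as url_protocol and discarded, and the
# remainder replaces the original field value. As on the page, [a-zA-Z]*
# also tolerates an indicator that has no scheme at all.
PROTOCOL_RE = re.compile(r"(?:(?P<url_protocol>[a-zA-Z]*://))?(?P<url>.*)", re.DOTALL)


def strip_protocol(value: str) -> str:
    """Return the URL with any leading scheme removed (the rex's effect)."""
    return PROTOCOL_RE.match(value).group("url")


def build_url_lookup(indicators):
    """Mimic the Lookup Gen step: key the lookup on scheme-less URLs,
    keeping the original indicator as the value for reporting."""
    return {strip_protocol(ind): ind for ind in indicators}


def match_proxy_events(events, lookup):
    """Exact-match each event's url and http_referrer against the lookup,
    the way the threatintel_by_url lookup does for Web.url."""
    hits = []
    for ev in events:
        for field in ("url", "http_referrer"):
            key = ev.get(field, "")
            if key in lookup:
                hits.append((ev["id"], field, lookup[key]))
    return hits


# Constructed sample data, not taken from the original post.
THREAT_INTEL = [
    "http://bad.example/login",
    "https://evil.example/x",
    "ftp://drop.example/",
    "nohost.example/path",  # indicator that already lacks a scheme
]
PROXY_EVENTS = [  # proxy logs carry no scheme, as the question describes
    {"id": 1, "url": "bad.example/login", "http_referrer": "good.example/"},
    {"id": 2, "url": "good.example/", "http_referrer": "evil.example/x"},
    {"id": 3, "url": "nohost.example/path", "http_referrer": ""},
]

if __name__ == "__main__":
    for hit in match_proxy_events(PROXY_EVENTS, build_url_lookup(THREAT_INTEL)):
        print(hit)
```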