Splunk ES Content Updates- Keeping it up to date

ttokkaris1 · ‎10-29-2020

I need to allow the Splunk ES SH to access the Internet to allow the Splunk ES Use Cases / Content updates to be updated and kept up to date.

Does anyone know if the URL(s) and port(s) that the Splunk ES Search head needs to access?

Same question goes on Threat Intel downloads. Are the URLs for the free intel feeds documented anywhere?

Thank you

Azeemering · ‎11-02-2020

Splunk states:

Prerequisites

Your Splunk Enterprise deployment must be connected to the Internet. If your deployment is not connected to the Internet, disable these sources or source them in an alternate way.
To set up firewall rules for these sources, you might want to use a proxy server to collect the intelligence before forwarding it to Splunk Enterprise Security and allow the IP address for the proxy server to access Splunk Enterprise Security. The IP addresses for these sources can change.

So we use a proxy server and whitelist urls in it to download threat intel.

I would not recommend automatic updates of the DA-ESS-ContentUpdate. I do a manual check every month to see if there is an update and download it and apply it to my search heads.

If you just want to open up ports then you need to open your search head to https / port 443 to be able to communicate with the internet.

Splunk ES Content Updates- Keeping it up to date

using Enterprise Security

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...