Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Can I use a dynamic threat intelligence CSV file as a lookup to compare with firewall IPs?

sumitkathpal
Explorer
‎12-05-2016 10:45 PM

Hi All,

Here is the scenario:

Currently we are using custom threat intelligence in Splunk Enterprise Security to download the CSV file (Threat Intelligence from internet) which gets downloaded in path C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel\ filename.csv and gets updated every 1 hour.

Now we need to use this filename.csv (which is dynamic file as it get automatically updated).

Can I use this dynamic file as a lookup to compare with firewall IP (If yes what are the steps to use the path mentioned above), as we are developing our app for threat intelligence? Or are there other options we can use?

Thanks in advance 🙂

Happy Splunking

0 Karma
Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎12-08-2016 10:52 AM

You could use the entire threat framework to do this. Make sure the threat intel download settings are correctly pulling into the ip_intel threat collection. The key is making sure the fields value is configured correctly. If I had a comma delimited file with description, ip the fields value might look like ip:$2 and the delimiter is ,

Once the data comes in cleanly to threat artifacts the lookup gen and threat gen will handle the data just like the built in threat intel and the data gets correlated with all logs not just firewall. Additional refinement could then be done to limit to just firewall.

There are other ways to solve it but this can leverage all the development that is already in place.

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎12-06-2016 01:52 PM

Hi

have you seen/followed this link http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists
specifically the "Adding a custom source", choosing a ip type

and yes, you can use it as a lookup, in ES dashboard, ...

0 Karma
Reply

sumitkathpal
Explorer
‎12-06-2016 03:31 AM

Any update guys ........................................

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...