Splunk Enterprise Security

Splunk Enterprise Security: Can you explain more about the configuration for Threat Intelligence?

Builder

We have this config:

[threatlist://ransomwareipblocklist]
delim_regex = :
description = abuse.ch Ransomware Blocklist
disabled = false
fields = ip:$1,description:Ransomware_ipblocklist
type = threatlist
url = https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

Why did we write $1 there? What does it mean? (Yes, it means IP, but is it a regular expression that will parse all IPs?)


Splunk Employee

$1 is the value for the ip field. Refer to the documentation here: http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Downloadthreatfeed


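To make the answer concrete: $1 is not a regular expression. delim_regex splits each feed line into columns, and $1 in the fields setting refers to the first column (1-based); with a ":" delimiter, a bare IP line yields that IP as $1, and an "ip:port" line yields the IP part. The script below is an added emulation of that behaviour, not Splunk's own threatlist code or anything from the original post. The feed text is constructed sample data, the ignore_regex key and the IP-validation step are my additions (a positional $1 does not validate anything, so junk lines would otherwise land in the threat-intel collection), and the extract_regex branch assumes the same $N semantics for capture groups as for delimited columns.

```python
"""Emulation (not Splunk's own code) of how an ES threatlist stanza turns
feed lines into threat-intel records: delim_regex splits a line into
columns, and $N in `fields` selects the N-th column (1-based). The
extract_regex branch is an assumption that $N then means capture group N."""
import ipaddress
import re

# Constructed sample feed in the shape of a one-IP-per-line blocklist.
# Not real abuse.ch data.
SAMPLE_FEED = """# constructed sample blocklist
# one entry per line, optional :port suffix
192.0.2.10
198.51.100.7:443
203.0.113.5
not-an-ip
"""

# delim_regex and fields match the stanza in the question; ignore_regex is an
# assumed addition used here to drop comment and blank lines.
STANZA = {
    "delim_regex": ":",
    "fields": "ip:$1,description:Ransomware_ipblocklist",
    "ignore_regex": r"^\s*(#|$)",
}

_REF = re.compile(r"\$(\d+)")


def parse_fields(spec):
    """'ip:$1,description:foo' -> [('ip', '$1'), ('description', 'foo')]"""
    out = []
    for item in spec.split(","):
        name, _, template = item.partition(":")
        out.append((name.strip(), template.strip()))
    return out


def split_line(line, stanza):
    """Return the columns of one line so that $1 maps to columns[0]."""
    if "extract_regex" in stanza:
        m = re.search(stanza["extract_regex"], line)
        return list(m.groups()) if m else []
    return re.split(stanza["delim_regex"], line)


def render(template, columns):
    """Replace every $N in template with column N (1-based); missing -> ''."""
    def sub(m):
        idx = int(m.group(1))
        return columns[idx - 1] if 1 <= idx <= len(columns) else ""
    return _REF.sub(sub, template)


def parse_threatlist(text, stanza):
    """Return (records, rejected): records built from the stanza's fields,
    rejected lines whose $1 was not a valid IP address."""
    ignore = re.compile(stanza.get("ignore_regex", r"^\s*#"))
    field_specs = parse_fields(stanza["fields"])
    records, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if ignore.search(line):
            continue
        cols = split_line(line, stanza)
        rec = {name: render(tpl, cols) for name, tpl in field_specs}
        # Caveat: $1 is purely positional; validate before trusting the value.
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            rejected.append(line)
            continue
        records.append(rec)
    return records, rejected


if __name__ == "__main__":
    good, bad = parse_threatlist(SAMPLE_FEED, STANZA)
    for r in good:
        print(r)
    print("rejected:", bad)
```

Running it on the constructed feed yields three records whose ip values are 192.0.2.10, 198.51.100.7 and 203.0.113.5 (the ":443" suffix ends up as $2 and is simply unused), each carrying the literal description from the stanza, while "not-an-ip" is reported as rejected instead of being ingested.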