Splunk Enterprise Security: How to add domains to Threat list to be searched anywhere in URL?

Path Finder

We would like to add domains to the current threat list. I would think I could add to local_intel_domain or local_intel_http to have the domains be found. However, after attempting to add to either, and rebuilding the data model, nothing is found.


0 Karma

Splunk Employee

@john.glasscock - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

Splunk Employee

As a simple test you can do something like the following:

|makeresults | eval domain="mybaddomain.com" | eval description="my rad descrition" | eval weight=10 | table description, domain, weight | outputlookup append=T local_domain_intel

That will write a line with your bad domain and associated description to the local lookup. From there go to the threat artifacts page (ESS>Security Intelligence>Threat Intelligence>Threat Artifacts), and then in the dropdown for "Threat Group" select "local_domain_intel". Your values should show up there.
Now at this point, the threat matching correlation search will fire when it sees that domain in your logs, such as proxy logs, etc.

0 Karma

Splunk Employee

local_domain_intel would be where you want to put your own domains. You should not need to rebuild the threat activity datamodel. It is important to understand how the threat intel framework works. Check for your domain in the threat artifact dashboard and verify it is in the domain intelligence panel. This will provide assurance that it loaded properly. The threat intelligence audit dashboard can provide insight into this as well.

There are some additional threat generation searches that will run that will compare new events coming into the system to the threat intel that you have. Those matches are what is written into the threat activity data model and are also triggered via the correlation search. The maintenance searches run on intervals that are defined in the system so that might be another thing to tweak.

If you are looking to add a domain and then look at historical data, that is not the best mechanism to do that. You would want to do a search against the data in question and leverage a lookup; a subsearch could be used for this if you have more than a couple of domains to search against.
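
The retrospective search described in the last answer, as an added example that is not part of the original thread: a subsearch turns every domain in local_domain_intel into a wildcard term, so historical events match when the domain appears anywhere in the URL. The index name `proxy`, the 30-day window, and the CIM-style field names `url` and `src` are assumptions; the lookup name and its `domain` column come from the thread.

```spl
index=proxy earliest=-30d@d latest=now ```assumed: index name and time window```
    [| inputlookup local_domain_intel
     | where isnotnull(domain) AND domain!=""
     | eval url="*" . lower(domain) . "*"
     | fields url
     | format ]
| rex field=url "^(?:[^:/?#]+://)?(?:[^/@]*@)?(?<url_host>[^/:?#]+)"
| eval url_host=lower(url_host) ```host part of the URL, to separate host hits from path or query hits```
| stats count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        dc(src) AS sources ```assumed: src is the client address field```
        BY url_host
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Leading wildcards force Splunk to scan every event in the time range, so keep the window and index as narrow as possible. Rows whose url_host is not one of the intel domains are matches in the path or query string, for example a redirect parameter.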
