Splunk Enterprise Security

Splunk Enterprise Security: How to download threat lists with a customized Authorization HTTP header?

thomasbader
Engager

Have external threat lists to download. With them it is required to send a customized Authorization header. And no, it's not HTTP basic auth. I get a text string by the list provider and the HTTP GET request needs to have a header in the format "Authorization: thisstring". Thus I cannot use the user/password field in the configuration settings of the threat list, as they would be translated into HTTP basic auth. I need to specify the plain Authorization header, without any translation/interpretation applied.

Is there any way to do this natively in the Splunk Enterprise Security? As of now, I was using a customized Python script to do the requests. However, would be much nicer having a native feature built into the ES.

bohanlon_splunk
Splunk Employee
Splunk Employee

This is not currently a feature (as of ES=4.5.1).
Enhancement request SOLNESS-11111 logged to get this added.

Current suggested workaround is an external script as per:
http://blogs.splunk.com/2014/03/10/custom-threat-feed-integration-with-enterprise-security/

0 Karma

jacob911
New Member

Was this feature added as of version 5.3.0 ?

0 Karma

claudio_manig
Communicator

Same story here- i just opened an enhancement request CASE [422547].

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...