
Splunk Enterprise Security: How to download threat lists with a customized Authorization HTTP header?

Engager

I have external threat lists to download. With them, it is required to send a customized Authorization header. And no, it's not HTTP basic auth. I get a text string from the list provider, and the HTTP GET request needs to have a header in the format "Authorization: thisstring". Thus I cannot use the user/password field in the configuration settings of the threat list, as they would be translated into HTTP basic auth. I need to specify the plain Authorization header, without any translation/interpretation applied.

Is there any way to do this natively in Splunk Enterprise Security? As of now, I was using a customized Python script to do the requests. However, it would be much nicer to have a native feature built into ES.


Re: Splunk Enterprise Security: How to download threat lists with a customized Authorization HTTP header?

Communicator

Same story here - I just opened an enhancement request, CASE [422547].

0 Karma

Re: Splunk Enterprise Security: How to download threat lists with a customized Authorization HTTP header?

Splunk Employee

This is not currently a feature (as of ES=4.5.1).
Enhancement request SOLNESS-11111 logged to get this added.

Current suggested workaround is an external script as per:
http://blogs.splunk.com/2014/03/10/custom-threat-feed-integration-with-enterprise-security/

0 Karma
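An added example, not part of the thread and not Splunk's or the linked blog post's code: a sketch of the kind of external download script the workaround above refers to, sending the provider string verbatim as the Authorization header. The function names and the `THREATLIST_*` environment variables are hypothetical, and how ES then ingests the written file is left to the linked workaround.

```python
import os
import tempfile
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the Authorization value is never re-sent to another host."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def build_request(url, auth_value):
    """Build a GET whose Authorization header is the provider string, verbatim."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the credential over a non-TLS URL")
    if not auth_value or any(c in auth_value for c in "\r\n"):
        raise ValueError("empty or multi-line Authorization value")
    # No "Basic " prefix and no base64: the header value is exactly auth_value.
    return urllib.request.Request(url, headers={"Authorization": auth_value}, method="GET")


def fetch_threat_list(url, auth_value, dest_path, opener=None, max_bytes=50 * 1024 * 1024):
    """Download the list and atomically replace dest_path; returns bytes written."""
    opener = opener or urllib.request.build_opener(NoRedirect)
    with opener.open(build_request(url, auth_value), timeout=30) as resp:
        body = resp.read(max_bytes + 1)
    if not body.strip() or len(body) > max_bytes:
        raise ValueError("empty or oversized feed; keeping the previous file")
    # Write to a temp file in the same directory, then rename, so a reader
    # never sees a half-written list.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest_path)))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(body)
        os.replace(tmp, dest_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(body)


if __name__ == "__main__":
    # Hypothetical names: THREATLIST_URL / THREATLIST_AUTH / THREATLIST_DEST are
    # environment variables chosen for this example, not Splunk settings.
    n = fetch_threat_list(os.environ["THREATLIST_URL"], os.environ["THREATLIST_AUTH"],
                          os.environ["THREATLIST_DEST"])
    print(f"wrote {n} bytes")
```

Reading the string from the environment keeps it out of the script file and out of the process command line; the downloaded file is created with owner-only permissions by `mkstemp`.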

Re: Splunk Enterprise Security: How to download threat lists with a customized Authorization HTTP header?

New Member

Was this feature added as of version 5.3.0?

0 Karma