Splunk Enterprise Security

Splunk Enterprise Security: How to use a downloaded threat intelligence source as a lookup?

Olivier44
Explorer

Hello,

I added a new threat intelligence source in Splunk Enterprise Security (https://ransomwaretracker.abuse.ch/feeds/csv/). The download works fine and the list is stored in /opt/splunk/etc/aps/SA-TreatIntelligence/local/data. Then the list is included in the threat collection 'ip_intel', but at this step I lose important information which is in the list but not in the collection.

So I would like to use the downloaded list as a lookup. I tried to create a lookup in SA-ThreatIntelligence/lookups/ and modified some parameters, but no data is copied in.

Any idea on how to do that?

PS: I am using Splunk 6.2.4 and ES 3.3.2

vinod50rao
New Member

Hi Team,

I'm using Enterprise Splunk and trying to use the built-in threat intel feeds in Splunk, let's say iblocklist_tor. I have enabled it and it is getting downloaded at the path opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But when I do the lookup against my firewall logs I get no hits. What I'm trying is

index=firewall[| inputlookup iblocklist_tor.csv]

but I'm not getting any result; the CSV being generated has (:) as its delimiter. Can you please help me out with how to get this done?

Thanks!
Vinod Yadav

0 Karma

vinod50rao
New Member

Hi Team,

I'm also using Splunk Enterprise; I have enabled a few built-in threat intel sources, let's say iblocklist_tor. I'm seeing the file is getting downloaded with (:) as its delimiter. How can I look up the list of IP addresses in my firewall logs?

I'm trying to search like

index=firewall[| inputlookup iblocklist_tor.csv]

but not getting any event hit. Can you please help me out with the steps I'm missing here?

Thanks!
Vinod Yadav

0 Karma
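Both questions in this thread come down to the same gap: the downloaded feed file is not in a shape Splunk can use directly as a lookup (the abuse.ch CSV has commented lines and multi-valued IP columns, and the iblocklist file is colon-delimited "description:first-last" ranges). The following is an added example, not code from this thread or from Splunk ES, that converts both layouts into one flat lookup CSV while keeping every column of the abuse.ch feed. The file layouts, the sample lines (documentation address ranges, not real indicators) and the lookup field names are my own assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout of the abuse.ch Ransomware Tracker CSV the
# first poster downloads: '#' comment lines, a '#'-prefixed header, quoted
# fields, and '|'-separated multi-valued "IP address(es)" / "ASN(s)" columns.
# That layout is an assumption; the addresses are documentation ranges, not IOCs.
SAMPLE_RANSOMWARE_CSV = """\
# Ransomware Tracker feed (constructed sample)
# Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country
"2016-01-01 00:00:00","Payment Site","Locky","example.invalid","http://example.invalid/pay","online","Example Registrar","192.0.2.10|192.0.2.11","64496|64497","ZZ"
"2016-01-02 00:00:00","C2","TeslaCrypt","203.0.113.5","http://203.0.113.5/c2","offline","","203.0.113.5","64498","ZZ"
"""

# Constructed sample of the colon-delimited "description:first-last" lines the
# second poster saw in the iblocklist_tor download (layout assumed).
SAMPLE_IBLOCKLIST = """\
# constructed sample
Tor exit node:198.51.100.1-198.51.100.1
Tor exit node:198.51.100.8-198.51.100.11
Tor relay (level: 1):198.51.100.20-198.51.100.21
"""

# Flat, lower-case field names for the lookup (hypothetical naming of my own).
LOOKUP_FIELDS = ["ip", "firstseen", "threat", "malware", "host", "url",
                 "status", "asn", "country", "source"]


def parse_ransomware_feed(text, source="ransomwaretracker"):
    """One lookup row per indicator IP, keeping every column of the feed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = next(csv.reader([line]))
        if len(fields) != 10:
            continue  # skip a malformed row instead of aborting the whole load
        (firstseen, threat, malware, host, url, status,
         _registrar, ips, asns, country) = fields
        for ip in ips.split("|"):
            try:
                ipaddress.ip_address(ip)  # drop empty or garbled entries
            except ValueError:
                continue
            rows.append({"ip": ip, "firstseen": firstseen, "threat": threat,
                         "malware": malware, "host": host, "url": url,
                         "status": status, "asn": asns.replace("|", ";"),
                         "country": country, "source": source})
    return rows


def parse_iblocklist(text, source="iblocklist_tor"):
    """Turn 'name:first-last' ranges into CIDR rows for a CIDR-matched lookup."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition: the description itself may contain ':' characters
        desc, _, rng = line.rpartition(":")
        first, _, last = rng.partition("-")
        try:
            start = ipaddress.ip_address(first.strip())
            end = ipaddress.ip_address((last or first).strip())
            nets = list(ipaddress.summarize_address_range(start, end))
        except (ValueError, TypeError):
            continue  # unparsable or reversed range: skip the line
        for net in nets:
            rows.append({"ip": str(net), "threat": desc.strip(), "source": source})
    return rows


def build_lookup(ransomware_text, iblocklist_text):
    """Render both feeds as one lookup CSV; columns a feed lacks stay empty."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in parse_ransomware_feed(ransomware_text):
        writer.writerow(row)
    for row in parse_iblocklist(iblocklist_text):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(build_lookup(SAMPLE_RANSOMWARE_CSV, SAMPLE_IBLOCKLIST), end="")
```

The resulting CSV is an ordinary file lookup: drop it into an app's lookups directory and define it in transforms.conf. Two things explain the "no hits" in the thread's search: the subsearch `[| inputlookup iblocklist_tor.csv]` only matches events when the lookup's field name is the same as the field in the firewall events, so the `ip` column (my name) has to be renamed to the firewall's source or destination address field inside the subsearch; and rows written as CIDR blocks only match when the lookup's transforms.conf stanza sets `match_type = CIDR(ip)`, otherwise a plain equality comparison against a /30 never succeeds.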

aholzel
Communicator

I think the info you miss is in another intel list; you can try the all_threat_intel macro to see if you can find the info you are looking for. In the column threat_collection you can find the list/macro that the info is in.

0 Karma

Olivier44
Explorer

I already used the all_threat_intel macro but I miss information too. The list I download has 9 fields and I need them all. (Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country)

0 Karma

kerryc
Explorer

Hi Olivier, did you ever get round to solving this?

I'm having the same issue with http://ransomwaretracker.abuse.ch/feeds/csv/

I've tried renaming the fields using regex and the field transforms, but no luck so far!

0 Karma

Olivier44
Explorer

Hello, I have not resolved this issue. I am still on the same version of Splunk, but maybe it is better in the latest versions...

0 Karma