Splunk Enterprise Security

Splunk Enterprise Security: How to use a downloaded threat intelligence source as a lookup?

Olivier44
Explorer

Hello,

I added a new threat intelligence source in Splunk Enterprise Security (https://ransomwaretracker.abuse.ch/feeds/csv/ ). The download works fine and the list is stored in /opt/splunk/etc/aps/SA-TreatIntelligence/local/data. Then the list is included in the threat collection 'ip_intel' but at this step, I lose important information which is in the list, but not in the collection.

So I would like to use the downloaded list as a lookup. I tried to create a lookup in SA-ThreatIntelligence/lookpus/ and modified some parameters, but no data is copied in.

Any idea on how to do that?

PS: I am using Splunk 6.2.4 and ES 3.3.2

vinod50rao
New Member

Hi Team,

I'm using Enterprise splunk and trying to use the inbuilt threat intel feeds in splunk, let say iblocklist_tor, i have enabled it and it is getting downloaded at path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while i'm doing the lookup for it i'm not able to do it with my firewall logs getting no hits, what i'm trying is

index=firewall[| inputlookup iblocklist_tor.csv]

but not getting any result, the csv getting generated having delimiter as (:). can you please help me out with this hot wot get this done.

Thanks!
Vinod Yadav

0 Karma

vinod50rao
New Member

Hi Team,

I'm using Enterprise splunk and trying to use the inbuilt threat intel feeds in splunk, let say iblocklist_tor, i have enabled it and it is getting downloaded at path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while i'm doing the lookup for it i'm not able to do it with my firewall logs getting no hits, what i'm trying is

index=firewall[| inputlookup iblocklist_tor.csv]

but not getting any result, the csv getting generated having delimiter as (:). can you please help me out with this hot wot get this done.

Thanks!
Vinod Yadav,Hi Team,

I'm also using splunk enterprise, i have enabled few in built threat intel source,let say iblocklist_tor. I'm seeing the file is getting downloaded with a delimiter as(:). How can i lookup the list of IP addresses in my firewall logs.

I'm trying to search like

index=firewall[| inputlookup iblocklist_tor.csv]

but not getting any event hit. can you please help me out with the steps what i'm missing here.

Thanks!
Vinod Yadav

0 Karma

aholzel
Communicator

I think the info you miss is in an other intel list you can try the all_threat_intel macro to see if you can find the info you are looking for. In the column threat_collection you can find list/macro that the info is in.

0 Karma

Olivier44
Explorer

I already used the all_threat_intel macro but I miss information too. The list I download has 9 fields and I need them all. (Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country)

0 Karma

kerryc
Explorer

Hi Oliver, did you ever get round to solving this?

I'm having the same issue with http://ransomwaretracker.abuse.ch/feeds/csv/

I've tried renaming the fields using regex and the field transforms, but no luck so far!

0 Karma

Olivier44
Explorer

Hello, I have not resolved this issue. I am still in the same version of Splunk but may be it is better in the last versions...

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...