
Splunk Enterprise Security: Where do I specify _key field in the curl command for Threat API?

Engager

I am trying to search the ip_intel kvstore for threat intelligence for an IP that I know is already there. I'm just trying to test out the Threat intelligence API based off:

http://docs.splunk.com/Documentation/ES/4.7.2/API/ThreatIntelligenceAPIreference#.2Fservices.2Fdata....

I attempt to use what is in this guide to perform a query for the IP in this kvstore using the following:

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='{"ip":"10.10.1.1"}' -G -X GET

The response I get from Splunk Enterprise Security 4.7.2 is the following:

{"message": "Found an invalid record in item list. Each record must have _key field.", "status": false}

In the documentation in the link, it lists that this may happen, but it does not show an example curl command where this "key" field is actually used. I was wondering if anyone has done this and gotten it to work. It is driving me mad. I know this IP exists in this kvstore, but how do I get this API to pull it back?


Splunk Employee

I've checked in with our dev team and it shouldn't be necessary to provide the _key for this get operation. We already have this identified as an issue to fix in the next maintenance release, which should be 4.7.3. We haven't set a date for that yet, but it will be upcoming this fall. In the meantime, best to follow Kyle's much more currently useful advice.

Splunk Employee

The API is a little tricky, as there is a set of "_key" values that are not rendered in the Splunk UI by default. The other thing is that the "GET" example is overly complex and incomplete. As an example:
curl -k -u 'admin:changeme' 'https://<host>:8089/services/data/threat_intel/item/ip_intel/advip_all|1.0.0.1'

The GET request should basically just have the collection name for the associated indicator (ip_intel, file_intel, http_intel, etc.), and then you need to append the _key value. Per the example above, this can be a pipe-separated value (remember to escape the pipe or URL-encode it, depending on how you're making the request). The way you can get the key is documented in the docs examples, but for IP intel you can run this search to get a list of keys:
| `ip_intel` | eval itemkey=_key

As you can tell, the actual indicator and _key value are munged together via that pipe separator. I'm not sure if this is always the case, but hopefully this will get you started.
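An added example, not code from this thread or from Splunk, that builds the single-item GET described in the answer above with the pipe in the _key percent-encoded (so it is neither a shell pipe nor a URL delimiter) and surfaces the API's own error envelope; the host, credentials, source name advip_all and indicator are constructed sample values, and the source|indicator key layout is assumed from the answer.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote

THREAT_ITEM_PATH = "/services/data/threat_intel/item"


def build_key(source, indicator):
    """The _key of a threat intel item as described above: "<source>|<indicator>" (assumed layout)."""
    return f"{source}|{indicator}"


def item_url(base, collection, key):
    """URL of one item. The key is percent-encoded as a single path segment, so the
    pipe becomes %7C instead of being read as a shell pipe or a URL delimiter."""
    return f"{base}{THREAT_ITEM_PATH}/{quote(collection, safe='')}/{quote(key, safe='')}"


def curl_argv(base, collection, key, user):
    """Equivalent curl invocation as an argv list (constructed). Giving -u only the
    user name makes curl prompt for the password instead of exposing it in ps."""
    return ["curl", "-sS", "-u", user, item_url(base, collection, key)]


def check_response(payload):
    """Surface the API's own error envelope, e.g. the thread's {"status": false} reply."""
    if isinstance(payload, dict) and payload.get("status") is False:
        raise RuntimeError(payload.get("message", "threat_intel API error"))
    return payload


def get_item(base, collection, key, user, password, verify_tls=True, timeout=10):
    """GET one record with HTTP basic auth. verify_tls=False mirrors the thread's
    curl -k (no certificate check) for a lab instance with a self-signed cert."""
    req = urllib.request.Request(item_url(base, collection, key), method="GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a JSON body
        body = err.read()
    return check_response(json.loads(body.decode()))
```

Calling get_item("https://localhost:8089", "ip_intel", build_key("advip_all", "1.0.0.1"), "admin", "changeme", verify_tls=False) reproduces the quoted curl request against a local instance.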