Splunk Enterprise Security

Threat Intel: Add threat intelligence from Splunk events

0xAli
Explorer

Hi Everyone,

We have integrated CrowdStrike Falcon with Splunk and retrieved the IOCs into index=cs_ioc.

Using the search below to build a table of ip and description:

index="cs_ioc" type="ip_address" deleted=false (malicious_confidence="high" OR malicious_confidence="medium") earliest=-30d@d latest=now
| dedup indicator
| rename indicator as ip
| eval description="Imported from cs_ioc feed"
| table ip description
| outputlookup local_ip_intel append=f


Verified that the SPL works fine:

[screenshot attached: 2026-04-22_063246.png]

Following this article to enrich the threat intel:

https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.4/threat-intelligence/add-new-t...


You can also write a search that produces a list of IP addresses that are testing a web server for vulnerabilities and add them to the local_ip_intel lookup to be processed by the modular input and added to the ip_intel KV Store collection.


Verify with the following SPL that the IOCs move from local_ip_intel into ip_intel:

| inputlookup ip_intel  

There is no data.


Q: I want to troubleshoot why this modular input doesn't work properly.

Note: ES threat intel is enabled.

[screenshot attached: 2026-04-22_064254.png]

0 Karma

0xAli
Explorer

Strange behavior:

status="Wrote records to collection" collection="ip_intel" count="15034" stanza="local_domain_intel"
2026-04-25 22:15:31,319+0000 INFO pid=2827164 tid=MainThread file=threatlist.py:run:832 | status="continuing" msg="Processing stanza" name="threatlist://local_domain_intel"
2026-04-25 22:15:31,667+0000 INFO pid=2827164 tid=MainThread file=get_parser.py:_detect_file_type:119 | stanza="local_domain_intel" status="Automatically detected CSV parsing for file_path /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/lookups/local_domain_intel.csv"
2026-04-25 22:15:31,695+0000 INFO pid=2827164 tid=MainThread file=add_threat_workload.py:_parse_intel:300 | status="Processing intelligence document" stanza="local_domain_intel" path="/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/lookups/local_domain_intel.csv" doc_id="local_domain_intel" hash_value="82cf6144806ac922a66567fca8a081b88c65fb09"
2026-04-25 22:15:35,703+0000 INFO pid=2827164 tid=MainThread file=add_threat_workload.py:_parse_intel:327 | status="Wrote records to collection" collection="ip_intel" count="15034" stanza="local_domain_intel"


0 Karma

0xAli
Explorer
[threatlist://local_ip_intel]
debug = false
delim_regex = ,
file_parser = auto
ignore_regex = (^#|^\s*$)
interval = 300
is_threatintel = true
max_age = -30d
max_size = 52428800
skip_header_lines = 0
weight = 60
#workloads = []
disabled = 0
#workloads = []

It's resolved by commenting out the workloads = [] line.

0 Karma
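As an added example (not code from this thread, from Splunk, or from Enterprise Security), the following Python dry-run takes the delim_regex, ignore_regex, skip_header_lines and weight values from the stanza above and applies them to a constructed local_ip_intel.csv, reporting which rows would survive as ip_intel records and why each dropped row was dropped. The parsing model is an assumption about how the file parser treats the lookup (first non-ignored line is the header, the indicator sits in an `ip` column holding an address or CIDR, duplicate indicators collapse to one record); it mirrors the layout the posted SPL produces with `table ip description`, not a guarantee about the ES code. The sample CSV is constructed.

```python
"""Dry-run a [threatlist://...] file stanza against a lookup CSV.

Added example, not Splunk or ES code. It reuses the settings from the posted
[threatlist://local_ip_intel] stanza (delim_regex, ignore_regex,
skip_header_lines, weight) and applies them to a constructed CSV so the
operator can see, before the modular input runs, which rows would survive.
ASSUMPTION: the first non-ignored line is the header, the indicator lives in
an "ip" column (address or CIDR), and duplicate indicators collapse to one
record. That matches the layout `table ip description` writes, not
necessarily every detail of the ES parser.
"""
import ipaddress
import re

# Values copied from the posted inputs.conf stanza.
STANZA = {
    "delim_regex": ",",
    "ignore_regex": r"(^#|^\s*$)",
    "skip_header_lines": 0,
    "weight": 60,
}

# Constructed sample of what `| outputlookup local_ip_intel` might write,
# with a comment line, a blank line, a bad indicator and a duplicate mixed in.
SAMPLE_CSV = """ip,description
203.0.113.7,Imported from cs_ioc feed
# comment: dropped by ignore_regex
198.51.100.0/24,Imported from cs_ioc feed

not-an-ip,Imported from cs_ioc feed
203.0.113.7,Imported from cs_ioc feed
"""


def parse_threatlist(text, stanza=STANZA):
    """Return (records, rejected) for one CSV body under the stanza settings.

    records: list of dicts that would become ip_intel documents.
    rejected: list of (line, reason) tuples explaining every dropped row,
    which is the detail the modular input's own log line does not give you.
    """
    ignore = re.compile(stanza["ignore_regex"])
    delim = re.compile(stanza["delim_regex"])

    lines = text.splitlines()[stanza["skip_header_lines"]:]
    kept = [ln for ln in lines if not ignore.search(ln)]
    if not kept:
        return [], [("<file>", "no lines left after ignore_regex")]

    header = [h.strip() for h in delim.split(kept[0])]
    if "ip" not in header:
        # A header without an ip column (or skip_header_lines eating the
        # real header) yields no records at all: the "no data" symptom.
        return [], [(kept[0], "header has no 'ip' column: %r" % header)]

    records, rejected, seen = [], [], set()
    for raw in kept[1:]:
        cells = [c.strip() for c in delim.split(raw)]
        if len(cells) != len(header):
            rejected.append((raw, "expected %d columns, got %d"
                             % (len(header), len(cells))))
            continue
        row = dict(zip(header, cells))
        try:
            # strict=False also accepts a CIDR with host bits set.
            ipaddress.ip_network(row["ip"], strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR"))
            continue
        if row["ip"] in seen:
            rejected.append((raw, "duplicate indicator"))
            continue
        seen.add(row["ip"])
        row["weight"] = stanza["weight"]
        records.append(row)
    return records, rejected


def summarize(text, stanza=STANZA):
    """Counts in the shape of the modular input's 'Wrote records' log line."""
    records, rejected = parse_threatlist(text, stanza)
    return {"count": len(records), "rejected": len(rejected)}


if __name__ == "__main__":
    recs, bad = parse_threatlist(SAMPLE_CSV)
    print('status="would write records" collection="ip_intel" count="%d"'
          % len(recs))
    for line, why in bad:
        print("rejected %r: %s" % (line, why))
    # Same file with skip_header_lines=1: the real header is skipped, the
    # first data row is taken as the header, and nothing would be written.
    print(summarize(SAMPLE_CSV, dict(STANZA, skip_header_lines=1)))
```

Run it against the real file under DA-ESS-ThreatIntelligence/lookups after the outputlookup search has run; a result of zero records with a "header has no 'ip' column" reason points at the lookup contents or at skip_header_lines rather than at the modular input itself.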
