Splunk Enterprise Security

ESS 1.1.2 lookups

rroberts
Splunk Employee
Splunk Employee

What lookups do external calls in the ESS 1.1.2 app?

0 Karma
1 Solution

rroberts
Splunk Employee
Splunk Employee

SANS block list

[sans_blocklist_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=sans_blocklist.csv
external_type = python
fields_list = src,src_ip,src_is_sans,src_country,dest,dest_ip,dest_is_sans,dest_country

bogon list

[bogonlist_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=bogonlist.csv
external_type = python
fields_list = src,src_ip,src_is_bogon,src_is_internal,dest,dest_ip,dest_is_bogon,dest_is_internal

spyware associated IP address list

[ip_spyware_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_spywarelist.csv
external_type = python
fields_list = src,src_ip,src_description,src_is_spyware,dest,dest_ip,dest_description,dest_is_spyware

proxy associated IP address list

[ip_proxy_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_proxylist.csv
external_type = python
fields_list = src,src_ip,src_is_proxy,dest,dest_ip,dest_is_proxy

web-attacker associated IP address list

[ip_webattacker_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_webattackerlist.csv
external_type = python
fields_list = src,src_ip,src_description,src_is_web_attacker,dest,dest_ip,dest_description,dest_is_web_attacker

RapidShare associated IP address list

[ip_rapidshare_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_rapidsharelist.csv
external_type = python
fields_list = src,src_ip,src_is_rapidshare,dest,dest_ip,dest_is_rapidshare

LogMeIn associated IP address list

[ip_logmein_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_logmeinlist.csv
external_type = python
fields_list = src,src_ip,src_is_logmein,dest,dest_ip,dest_is_logmein

PirateBay associated IP address list

[ip_piratebay_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_piratebaylist.csv
external_type = python
fields_list = src,src_ip,src_is_piratebay,dest,dest_ip,dest_is_piratebay

Tor associated IP address list

[ip_tor_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_torlist.csv
external_type = python
fields_list = src,src_ip,src_is_tor,dest,dest_ip,dest_is_tor

Prohibited services

[prohibited_services_lookup]

filename = prohibited_services.csv

Prohibited processes

[prohibited_processes_lookup]

filename = prohibited_processes.csv

View solution in original post

0 Karma

rroberts
Splunk Employee
Splunk Employee

SANS block list

[sans_blocklist_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=sans_blocklist.csv
external_type = python
fields_list = src,src_ip,src_is_sans,src_country,dest,dest_ip,dest_is_sans,dest_country

bogon list

[bogonlist_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=bogonlist.csv
external_type = python
fields_list = src,src_ip,src_is_bogon,src_is_internal,dest,dest_ip,dest_is_bogon,dest_is_internal

spyware associated IP address list

[ip_spyware_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_spywarelist.csv
external_type = python
fields_list = src,src_ip,src_description,src_is_spyware,dest,dest_ip,dest_description,dest_is_spyware

proxy associated IP address list

[ip_proxy_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_proxylist.csv
external_type = python
fields_list = src,src_ip,src_is_proxy,dest,dest_ip,dest_is_proxy

web-attacker associated IP address list

[ip_webattacker_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_webattackerlist.csv
external_type = python
fields_list = src,src_ip,src_description,src_is_web_attacker,dest,dest_ip,dest_description,dest_is_web_attacker

RapidShare associated IP address list

[ip_rapidshare_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_rapidsharelist.csv
external_type = python
fields_list = src,src_ip,src_is_rapidshare,dest,dest_ip,dest_is_rapidshare

LogMeIn associated IP address list

[ip_logmein_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_logmeinlist.csv
external_type = python
fields_list = src,src_ip,src_is_logmein,dest,dest_ip,dest_is_logmein

PirateBay associated IP address list

[ip_piratebay_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_piratebaylist.csv
external_type = python
fields_list = src,src_ip,src_is_piratebay,dest,dest_ip,dest_is_piratebay

Tor associated IP address list

[ip_tor_lookup]

external_cmd = assetLookup.py assetFields=src,dest debug=False app=SA-ThreatIntelligence file=ip_torlist.csv
external_type = python
fields_list = src,src_ip,src_is_tor,dest,dest_ip,dest_is_tor

Prohibited services

[prohibited_services_lookup]

filename = prohibited_services.csv

Prohibited processes

[prohibited_processes_lookup]

filename = prohibited_processes.csv

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...