Splunk Enterprise Security: How to download threat...

thomasbader · ‎11-11-2016

Have external threat lists to download. With them it is required to send a customized Authorization header. And no, it's not HTTP basic auth. I get a text string by the list provider and the HTTP GET request needs to have a header in the format "Authorization: thisstring". Thus I cannot use the user/password field in the configuration settings of the threat list, as they would be translated into HTTP basic auth. I need to specify the plain Authorization header, without any translation/interpretation applied.

Is there any way to do this natively in the Splunk Enterprise Security? As of now, I was using a customized Python script to do the requests. However, would be much nicer having a native feature built into the ES.

bohanlon_splunk · ‎12-12-2016

This is not currently a feature (as of ES=4.5.1).
Enhancement request SOLNESS-11111 logged to get this added.

Current suggested workaround is an external script as per:
http://blogs.splunk.com/2014/03/10/custom-threat-feed-integration-with-enterprise-security/

jacob911 · ‎06-03-2019

Was this feature added as of version 5.3.0 ?

claudio_manig · ‎12-01-2016

Same story here- i just opened an enhancement request CASE [422547].

Splunk Enterprise Security: How to download threat lists with a customized Authorization HTTP header?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk