Have external threat lists to download. With them it is required to send a customized Authorization header. And no, it's not HTTP basic auth. I get a text string by the list provider and the HTTP GET request needs to have a header in the format "Authorization: thisstring". Thus I cannot use the user/password field in the configuration settings of the threat list, as they would be translated into HTTP basic auth. I need to specify the plain Authorization header, without any translation/interpretation applied.
Is there any way to do this natively in the Splunk Enterprise Security? As of now, I was using a customized Python script to do the requests. However, would be much nicer having a native feature built into the ES.
This is not currently a feature (as of ES=4.5.1).
Enhancement request SOLNESS-11111 logged to get this added.
Current suggested workaround is an external script as per:
http://blogs.splunk.com/2014/03/10/custom-threat-feed-integration-with-enterprise-security/
Was this feature added as of version 5.3.0 ?
Same story here- i just opened an enhancement request CASE [422547].