RST Threat Feed App for Splunk
About this app
- The App for RST Threat Feed is used to download data from RST Cloud API and saves it into lookups for further usage.
- It provides download/update/cleanup jobs to maintain the lookups on the daily basis
- This App is shipped with 4 general detection rules (alerts) to demonstrate how to use Threat Intelligence data in your searches.
- After the app is installed, you may want to manually run once download/update jobs to initialise the lookups or wait for the scheduled jobs to populate it for you around 02:00 AM UTC
Download the app from https://splunkbase.splunk.com/app/6616 or install it directly from your Splunk console (search for RST Threat Feed App for Splunk). Once the app is ready, a setup wizard is activated and you will need to follow the steps as recommended by the wizard.
To check values from any logs, you can just use simple lookups like that:
| lookup rst_threat_feed_domain_summary ioc_value as domain
| lookup rst_threat_feed_ip_summary ioc_value as dest_ip
| lookup rst_threat_feed_url_summary ioc_value as url
| lookup rst_threat_feed_hash_summary ioc_value as file_hash
- Splunk version 9.0.x, 8.2.x, 8.1.x, 8.0.x
- Python version: python3
- Appropriate API key for collecting data from RST Cloud (send an inquiry to firstname.lastname@example.org or use this link)
- Added RST Threat Feed daily sync support
Uninstall & Cleanup steps
- Remove $SPLUNK_HOME/etc/apps/rstcloud_threatfeed
- To reflect the cleanup changes in UI, restart the Splunk instance
- Authentication Failure:
- Check the network connectivity and make sure that the RST Cloud API is reachable: api.rstcloud.net
- Download failure:
- Check the network connectivity and make sure that Amazon S3 is reachable: profeeds.s3.amazonaws.com