Splunk Integration

RST Threat Feed App for Splunk

About this app

  • The RST Threat Feed App downloads data from the RST Cloud API and saves it into lookups for further use.
  • It provides download/update/cleanup jobs that maintain the lookups on a daily basis.
  • The app ships with 4 general detection rules (alerts) that demonstrate how to use Threat Intelligence data in your searches.
  • After the app is installed, you may either run the download/update jobs once manually to initialise the lookups, or wait for the scheduled jobs to populate them for you at around 02:00 AM UTC.

Installation

Video Tutorial: https://www.youtube.com/watch?v=83s5hHPke2M

Download the app from https://splunkbase.splunk.com/app/6616 or install it directly from your Splunk console (search for RST Threat Feed App for Splunk). Once the app is ready, a setup wizard is activated and you will need to follow the steps as recommended by the wizard.

Usage

To check values from any logs, you can use simple lookups like these:

| lookup rst_threat_feed_domain_summary ioc_value as domain
| lookup rst_threat_feed_ip_summary ioc_value as dest_ip
| lookup rst_threat_feed_url_summary ioc_value as url
| lookup rst_threat_feed_hash_summary ioc_value as file_hash
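As an added example (not part of the app or its documentation), the search below applies the domain summary lookup to DNS query events and keeps only the matches. Only ioc_value is taken from the page; the index name, the sourcetype and the query and src_ip field names are assumptions about your own data model, and the match field rst_domain_match is a name chosen here. Any additional enrichment fields depend on the lookup definition shipped with the app and are not assumed below.

```spl
index=dns sourcetype=dns_query earliest=-24h
| eval domain=lower(rtrim(query, "."))
| lookup rst_threat_feed_domain_summary ioc_value AS domain OUTPUT ioc_value AS rst_domain_match
| where isnotnull(rst_domain_match)
| stats count AS hits, dc(src_ip) AS distinct_clients, earliest(_time) AS first_seen, latest(_time) AS last_seen BY domain
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
```

The eval step lowercases the queried name and strips the trailing dot that many DNS logs carry, so the value compares equal to the indicator stored in ioc_value; without it, otherwise-known domains silently miss. Outputting ioc_value back under a new name and filtering on isnotnull() is what turns the enrichment into a hit list, and the same pattern applies to the ip, url and hash summary lookups with the corresponding field from your events.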

Requirements

  • Splunk version 9.0.x, 8.2.x, 8.1.x, 8.0.x
  • Python version: python3
  • Appropriate API key for collecting data from RST Cloud (send an inquiry to trial@rstcloud.net or use this link)

Release Notes

Version 1.0.3

- splunklib for python was updated to v2.0.1
- lookup merge logic updates
- added search head replication parameter

Version 1.0.2

- splunklib for python was updated to v1.7.4
- filter macros are added to the alert examples
- minor updates

Version 1.0.1

- updated to support Splunk Cloud
- now uses Splunk client secret storage mechanism to store RST Cloud API key
- no Splunk restart requested after installation

Version 1.0.0

- Added RST Threat Feed daily sync support

Uninstall & Cleanup steps

  • Remove $SPLUNK_HOME/etc/apps/rstcloud_threatfeed
  • To reflect the cleanup in the UI, restart the Splunk instance

Troubleshooting

  • Authentication Failure:
    • Check the network connectivity and make sure that the RST Cloud API is reachable: api.rstcloud.net
  • Download failure:
    • Check the network connectivity and make sure that Amazon S3 is reachable: profeeds.s3.amazonaws.com