Package checksums (SHA256)

  • hurricane-labs-threat-intelligence-feed_109.tgz: 7ab0ee4bb71b78eb87571fde51608bde13b8348e02a73d3ff2d1fa622a6541ac
  • hurricane-labs-threat-intelligence-feed_107.tgz: 48821ea23e1680734ea0bfbf8b0b5b20218121ef34a7b442e3b29b661c1b37e7
  • hurricane-labs-threat-intelligence-feed_106.tgz: 366171b9aa42e9ac0f9d0b6fb89acd6dfffaad9afdff8dda876d673611ef73b5
  • hurricane-labs-threat-intelligence-feed_105.tgz: 71d812004990f47cf81d4d69eff3d6f7389c70d2a91e1c44733542d1b020fc9f
  • hurricane-labs-threat-intelligence-feed_103.tgz: 772a7b6bbc25c84a2b41f38874cff8ae5960e8e65e5269d7eda8122e29fc7cea
  • hurricane-labs-threat-intelligence-feed_102.tgz: 742a02de6af2a8e28af30ba445adf6b20d48f8f917e5d0f33183663b5b2e5ff2
  • hurricane-labs-threat-intelligence-feed_100.tgz: 181fc8a69153583f10dab2255e16531dbbffc76fcf1cf733c0e42b15c57816be
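Before installing, compare the package you actually downloaded with the digests published above. The script below is an added example (not code from the app or from Splunkbase): it embeds the checksum table from this page, streams the .tgz through SHA-256, and refuses a file whose name has no published digest rather than skipping it.

```python
"""Verify a downloaded Splunkbase package against the SHA256 digests published above.

Added example, not code from the app or from Splunkbase. The digest table is
copied from the download dialog on this page; the package path is supplied by
the caller.
"""
import hashlib
import hmac
import pathlib
import sys

# Published SHA256 digests, keyed by package file name.
PUBLISHED_SHA256 = {
    "hurricane-labs-threat-intelligence-feed_109.tgz":
        "7ab0ee4bb71b78eb87571fde51608bde13b8348e02a73d3ff2d1fa622a6541ac",
    "hurricane-labs-threat-intelligence-feed_107.tgz":
        "48821ea23e1680734ea0bfbf8b0b5b20218121ef34a7b442e3b29b661c1b37e7",
    "hurricane-labs-threat-intelligence-feed_106.tgz":
        "366171b9aa42e9ac0f9d0b6fb89acd6dfffaad9afdff8dda876d673611ef73b5",
    "hurricane-labs-threat-intelligence-feed_105.tgz":
        "71d812004990f47cf81d4d69eff3d6f7389c70d2a91e1c44733542d1b020fc9f",
    "hurricane-labs-threat-intelligence-feed_103.tgz":
        "772a7b6bbc25c84a2b41f38874cff8ae5960e8e65e5269d7eda8122e29fc7cea",
    "hurricane-labs-threat-intelligence-feed_102.tgz":
        "742a02de6af2a8e28af30ba445adf6b20d48f8f917e5d0f33183663b5b2e5ff2",
    "hurricane-labs-threat-intelligence-feed_100.tgz":
        "181fc8a69153583f10dab2255e16531dbbffc76fcf1cf733c0e42b15c57816be",
}


def sha256_of_bytes(data):
    """Hex SHA256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hex SHA256 of a file, streamed in chunks so a large .tgz need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_digest(name, actual_hex, published=PUBLISHED_SHA256):
    """Compare a computed digest with the published one for that file name.

    Returns (ok, reason). A file name with no published digest is a failure,
    not a skip: an unknown package must not be installed on the strength of
    "there was nothing to compare it against".
    """
    expected = published.get(name)
    if expected is None:
        return False, f"{name}: no published SHA256 for this file name"
    if hmac.compare_digest(actual_hex.lower(), expected.lower()):
        return True, f"{name}: SHA256 matches"
    return False, f"{name}: SHA256 mismatch, expected {expected}, got {actual_hex}"


def verify_package(path, published=PUBLISHED_SHA256):
    """Hash the file at `path` and check it against the table by its file name."""
    return check_digest(pathlib.Path(path).name, sha256_of_file(path), published)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_package.py <downloaded .tgz>")
    ok, reason = verify_package(sys.argv[1])
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it as `python verify_package.py hurricane-labs-threat-intelligence-feed_109.tgz`; a non-zero exit means do not install. The table only covers the versions listed on this page, so a newer package must be checked against the digest shown in its own download dialog.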
Hurricane Labs Threat Intelligence Feed

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
Pulls threat intelligence feeds into Splunk Enterprise Security from the Hurricane Labs getThreats API.

Hurricane Labs Threat Intelligence Feed

Support

  • Splunk ^8.0

How This App Works

This app pulls down lookups from the Hurricane Labs getThreats API. Corresponding threatlist inputs then ingest
the lookup data into the appropriate threatlist.

Purchasing an API Key

  • Go to https://www.hurricanelabs.com/threat-intelligence-feed to request an API key.

Setup Process

  1. Go to 'Apps' > 'Manage Apps'

  2. Find the 'Hurricane Labs Threat Intelligence Feed' app, and then click 'Launch App'

  3. Once taken to the app, click on the 'Setup' link in the navigation

  4. Enable the threatlist inputs. By default these are set to disabled = true. You can enable them in one of two ways:
     • directly in inputs.conf, or
     • in Enterprise Security, go to Configure > Data Enrichment > Intelligence Downloads and enable the following
       Intelligence Downloads: misp_IPDST, misp_MD5SUMs, misp_SHA1SUMs, misp_SHA256SUMs, misp_URL, misp_Domains

  5. (Non-Cloud only) Enable the scripted input in inputs.conf.
     - By default the scripted input runs every hour. If you change this interval and your environment is
       clustered, do not use cron scheduling for the scripted input.
     - Confirm the scripted input has run by searching index=_internal "ExecProcessor" "threatlist_handler.py". If it
       ran successfully you will get results back. Ensure log_level is INFO.
     - If you see no results, you can force the scripted input to run with a debug/refresh.

  5. (Cloud only, or Non-Cloud) Enable the saved search HLThreatIntelligence Populator to start populating your threat
     lists; scripted inputs will be removed on Splunk Cloud.
     - Schedule the saved search to run hourly: the retention (maximum age) on the Threat Intelligence Downloads is set
       to 1 hour by default, so a slower schedule lets entries age out before they are refreshed.
     - Once the saved search has run, confirm it is running successfully with the following search:
       index=_internal sourcetype=scheduler savedsearch_name="HLThreatIntelligence Populator" | table _time status
     - You can also run | hlthreatintel manually to make sure everything works as expected. Errors from running this
       search appear both in the messages window and in the results output. If no results are returned, everything
       is working as expected.
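As a check on step 4 and step 5, the script below parses a local/inputs.conf and reports which of the six threatlist inputs and the scripted input are still disabled. It is an added example, not code from the app: the stanza names use the [threatlist://<name>] form of Enterprise Security's threat intelligence inputs and the [script://<path>] form of scripted inputs, the script path ./bin/threatlist_handler.py is assumed from the file name quoted in the steps above, and the sample file content is constructed here.

```python
"""Report which of the app's inputs are still disabled in an inputs.conf.

Added example, not code from the app. Stanza names use the [threatlist://<name>]
and [script://<path>] forms; the exact stanzas shipped in the app's own
default/inputs.conf, and the script path, are assumed.
"""
import configparser

# The six Intelligence Downloads named in the setup steps.
EXPECTED_THREATLISTS = [
    "misp_IPDST", "misp_MD5SUMs", "misp_SHA1SUMs",
    "misp_SHA256SUMs", "misp_URL", "misp_Domains",
]
# Assumed stanza for the scripted input (the script file name is from the README).
SCRIPT_STANZA = "script://./bin/threatlist_handler.py"

# Values Splunk accepts as boolean false in .conf files. Anything else, including a
# typo such as "disabled = flase", is treated as still disabled so the check fails closed.
FALSE_VALUES = {"0", "f", "false", "n", "no"}

# Constructed sample of a local/inputs.conf after a half-finished setup.
SAMPLE_INPUTS_CONF = """\
[threatlist://misp_IPDST]
disabled = 0

[threatlist://misp_MD5SUMs]
disabled = false

[threatlist://misp_SHA1SUMs]
disabled = true

[threatlist://misp_SHA256SUMs]
disabled = 1

[threatlist://misp_URL]
# no disabled key here: the value then comes from default/inputs.conf,
# which for this app ships disabled = true

[threatlist://misp_Domains]
disabled = 0

[script://./bin/threatlist_handler.py]
disabled = 0
interval = 3600
"""


def parse_conf(text):
    """Parse Splunk .conf text: '=' is the only delimiter, no interpolation
    (values may contain '%'), non-strict so repeated keys do not abort, and key
    case preserved as Splunk keeps it."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_enabled(cp, stanza, default_disabled=True):
    """A stanza is enabled only when 'disabled' is present and is a false value.
    A missing stanza or missing key falls back to the app's default (disabled),
    so both are reported as still needing attention."""
    if not cp.has_section(stanza):
        return not default_disabled
    raw = cp.get(stanza, "disabled", fallback=None)
    if raw is None:
        return not default_disabled
    return raw.strip().lower() in FALSE_VALUES


def disabled_stanzas(conf_text, threatlists=EXPECTED_THREATLISTS, script=SCRIPT_STANZA):
    """Return the stanza names that still need enabling, in the order checked."""
    cp = parse_conf(conf_text)
    wanted = [f"threatlist://{name}" for name in threatlists] + [script]
    return [stanza for stanza in wanted if not is_enabled(cp, stanza)]


if __name__ == "__main__":
    for stanza in disabled_stanzas(SAMPLE_INPUTS_CONF):
        print(f"still disabled: [{stanza}]")
```

Point it at the merged view of the app's configuration rather than a single file when in doubt: Splunk layers default/inputs.conf under local/inputs.conf, so a stanza that is absent from local/ is not absent from the app, it just carries the shipped default of disabled = true, which is why the script treats a missing stanza or key as disabled.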

Upgrading (IMPORTANT)

Upgrading From 1.0.6 or Earlier

  • Starting in version 1.0.7 the setup process has changed slightly: the setup.xml file has been removed from the default
    folder to meet Splunk Cloud approval. See the Setup Process section in this README.
  • This app no longer supports anything less than Splunk version 8, because the app's Python version must be set to 3 to
    meet AppInspect requirements.

Upgrading From Version 1.0.3 or Earlier

If you are upgrading from version 1.0.3 or earlier you will need to do one of two things, as the setup page
functionality has changed:
1. Re-enter the API key on the setup page.
- OR -
2. Change the stanza name in the passwords.conf file to be [credential::api_key:]. After a debug/refresh
the new API key should be seen.

The reason for the above is that up to version 1.0.3 the app used the standard Splunk setup page, which made it
impossible to update an API key while also overwriting the old API key in passwords.conf. This update fixes that
issue, but because of the change one of the above steps is required.

Configure Threat Intelligence Downloads Retention

By default, the retention (maximum age) for the Threat Intelligence Downloads provided in this app is set to -1h. If you
adjust this, consider adjusting the schedule of the scripted input threatlist_handler.py (non-cloud) or of the saved
search HLThreatIntelligence Populator (cloud) to match.

You can modify the Threat Intelligence Download settings by going to Configure > Data Enrichment > Intelligence Downloads
in Enterprise Security, and then finding the threat downloads (misp_IPDST, misp_MD5SUMs, misp_SHA1SUMs,
misp_SHA256SUMs, misp_URL, misp_Domains).

Further information regarding Threat Intelligence Download retention is provided via the Splunk Documentation here:
https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Changethreatintel

The above link contains the following information:

Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the 
threat intelligence was added to Enterprise Security.

The default maximum age is -30d for 30 days of retention in the KV Store. To remove the data more often, use a 
smaller number such as -7d for one week of retention. To keep the data indefinitely, use a blank field. However, 
if the KV Store collection is stored indefinitely, the .csv files that result from lookup-generating searches can 
grow large enough to impact search head cluster replication performance. If you manually delete the data from the 
.csv file, the maximum age timer does not reset based on the edit date, and the data is still removed from the 
KV Store after the maximum age expires.

If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This 
field is not used for TAXII feeds.

- From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
- Select an intelligence source.
- Change the Maximum age setting using a relative time specifier.
- Enable the retention search for the collection.
- From the Splunk platform menu bar, select Settings and click Searches, reports, and alerts.
- Search for "retention" using the search filter.
- Enable the retention search for the collection that hosts the threat source. All retention searches 
are disabled by default.
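To make the retention rule concrete, the following added example (not Splunk's retention search and not code from the app) parses a Maximum age value such as -1h or -30d, applies it to a few constructed KV Store records whose time field is the epoch second at which the entry was added, and flags the mismatch the earlier section warns about: a populator schedule slower than the maximum age. The field name time, the fixed NOW value and the sample records are assumptions made for the example; only the simple -<n>s/m/h/d/w forms of the relative time specifier are handled.

```python
"""Emulate the Enterprise Security 'Maximum age' retention rule.

Added example, not Splunk's retention search and not code from the app.
The record field name 'time' and the sample records are constructed here;
only the simple relative-time forms -<n>s/m/h/d/w are handled.
"""
import re

_RELATIVE = re.compile(r"^-(\d+)(s|m|h|d|w)$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}

# Fixed 'now' so the example is reproducible (epoch seconds).
NOW = 1_600_000_000

# Constructed records: threat_key plus the epoch second the entry was added.
SAMPLE_RECORDS = [
    {"threat_key": "misp_IPDST", "ip": "203.0.113.7", "time": NOW - 50 * 60},          # 50 min old
    {"threat_key": "misp_IPDST", "ip": "198.51.100.9", "time": NOW - 25 * 3600},       # 25 h old
    {"threat_key": "misp_Domains", "domain": "example.net", "time": NOW - 31 * 86400},  # 31 d old
]


def max_age_seconds(spec):
    """Translate a Maximum age field into seconds.

    A blank field means keep indefinitely and yields None. Anything that is not
    a negative relative time is rejected: silently treating a typo as 'never
    expire' would grow the collection without bound.
    """
    if spec is None or not spec.strip():
        return None
    match = _RELATIVE.match(spec.strip())
    if not match:
        raise ValueError(f"unsupported relative time specifier: {spec!r}")
    return int(match.group(1)) * _SECONDS[match.group(2)]


def expired(records, spec, now=NOW):
    """Records older than the maximum age, judged by when they were added.

    The 'time' value is set when the entry enters the collection and is not
    reset by a manual edit of the generated .csv, so an edited record still
    ages out on the original schedule.
    """
    age = max_age_seconds(spec)
    if age is None:
        return []
    cutoff = now - age
    return [r for r in records if r["time"] < cutoff]


def refresh_keeps_list_populated(spec, refresh_interval_seconds):
    """True when the populator runs at least as often as entries age out.

    With the app's default of -1h, an hourly populator keeps the lists full;
    a two-hour schedule leaves them empty for up to an hour between runs.
    (Simplification: the retention search's own schedule is ignored.)
    """
    age = max_age_seconds(spec)
    return age is None or refresh_interval_seconds <= age


if __name__ == "__main__":
    for spec in ("-1h", "-7d", "-30d", ""):
        keys = [r["threat_key"] for r in expired(SAMPLE_RECORDS, spec)]
        print(f"max age {spec or '(blank)'}: {len(keys)} record(s) expire {keys}")
    print("hourly populator with -1h ok:", refresh_keeps_list_populated("-1h", 3600))
    print("2-hourly populator with -1h ok:", refresh_keeps_list_populated("-1h", 7200))
```

The blank-field branch is the one to watch in practice: the Splunk text above says a blank maximum age keeps data indefinitely, and this example mirrors that, so a collection whose field was cleared by accident will never shrink until someone notices the .csv growing.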

Proxy Support

As of version 1.0.4 you can set up a proxy specifically for these feeds by modifying feed_proxy.conf.

Debugging

For detailed logging you can search index=_internal source="*sa_hlthreatintelligencefeed.log" which will
tell you if anything goes wrong with either the Scripted Input or Custom Command.

If you use the above search and see the following:
[{'type': 'ERROR', 'text': 'Could not find object id=:api_key:', 'code': None}] or a 403 Forbidden, and you
are upgrading from version 1.0.3 or earlier, then you need to re-enter your API key.

See the Upgrading section in this README for more information.

Help, I don't see my threatlist!

Once you've configured everything, first check that your threatlist shows up on the
"Threat Artifacts" dashboard in Enterprise Security (Security Intelligence > Threat Intelligence > Threat Artifacts).

If you do not see your threatlist on the "Threat Artifacts" dashboard, it may be omitted because the top
panel (Threat Overview) appends multiple threat intel lists together (file_intel, ip_intel etc.) and
limits the output of each of those lookups to 10,000 results. This does not mean your threatlist has not been added.

You can confirm everything is populating as expected by running the following searches:
| inputlookup http_intel | stats count by threat_key
- http_intel will have misp_URL

| inputlookup ip_intel | stats count by threat_key
- ip_intel will have misp_Domains and misp_IPDST

| inputlookup file_intel | stats count by threat_key
- file_intel will have misp_MD5SUMs, misp_SHA1SUMs, and misp_SHA256SUMs

If you still do not see results, confirm that the necessary threat intelligence downloads are enabled in ES:
- Configure > Data Enrichment > Intelligence Downloads

Support:

  • This app is developer-supported by Hurricane Labs.
  • You can send any inquiries / comments / bugs to splunk-app@hurricanelabs.com
  • Response should be relatively fast if emails are sent between 9am-5pm (Eastern)

Updates

1.0.8
- Updated API URL

1.0.7
- Empty <label></label> in default/data/ui/views/setup.xml caused Python to throw an error. This has been fixed.
- Removed default/setup.xml as Splunk Cloud no longer supports it.
- Must be installed on Splunk 8 or greater

1.0.6
- Fix of potential bug in JavaScript preventing the Setup page from loading correctly

1.0.5
- Custom command hlthreatintel and saved search HLThreatIntelligence Populator added for Splunk Cloud usage.
- Updated Setup Page

1.0.4
- Added proxy support

1.0.3
- Simplified installation process. No longer uses a KVStore for managing API endpoints

1.0.2
- Breaking change fixed, installation process updated to reflect necessary changes

Release Notes

Version 1.0.9
Sept. 14, 2020

Version 1.0.7
Aug. 14, 2020

Version 1.0.7
- Empty `<label></label>` in `default/data/ui/views/setup.xml` caused Python to throw an error. This has been fixed.
- Removed `default/setup.xml` as Splunk Cloud no longer supports it.
- Must be installed on Splunk 8 or greater

Version 1.0.6
April 2, 2020

1.0.6
- Fix of potential bug in JavaScript preventing the Setup page from loading correctly

Version 1.0.5
March 18, 2020

Upgrading (IMPORTANT)
If you are upgrading this app from an earlier version (`1.0.3` or earlier) you will need to do one of
two things, as the setup page functionality has changed:
1. Re-enter the API key on the setup page.
- OR -
2. Change the stanza name in the `passwords.conf` file to be `[credential::api_key:]`. After a `debug/refresh`
the new API key should be seen.

The reason for the above is the app up to version 1.0.3 utilized the standard Splunk setup page which made it
impossible to update an API key while also overwriting the old API key in `passwords.conf`. This update fixes
this issue, but because of this change one of the above changes needs to be made.

1.0.5
- Custom command `hlthreatintel` and saved search `HLThreatIntelligence Populator` added for Splunk Cloud usage.
- Updated Setup Page
- Better logging. You can view the app's logs by searching `index=_internal source="*sa_hlthreatintelligencefeed.log"`

Version 1.0.3
April 16, 2019

1.0.3
- Simplified installation process. No longer uses a KVStore for managing API endpoints.

Version 1.0.2
April 12, 2019

1.0.2
- Breaking change fixed, installation process updated to reflect necessary changes

IMPORTANT: If you happened to download version 1.0.1, please update the app to 1.0.2 to ensure it works properly.

Version 1.0.0
April 4, 2019

This app pulls down threatlists. It does this by looking in a KVStore called `threatlist_urls`. This KVStore
defines the URL to download the file from and the name of the file that will be generated. Instructions on how to
populate this KVStore are below.

Purchasing an API Key
- Go here https://www.hurricanelabs.com/threat-intelligence-feed to request an API key.
