icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Flashpoint Splunk App
SHA256 checksum (flashpoint-splunk-app_100.tgz) 05ac18aa2994498166421732c7b54ef9520691e6e2fed8abf11922c78ed82bc2
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Flashpoint Splunk App

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Leveraging Flashpoint’s technical data and intelligence reports provides Splunk users with visibility into illicit online communities in order to correlate information related to their infrastructure, therefore, gaining insights in a timely manner and leveraging connections to prioritize their response. The Flashpoint Splunk App and Add-on enables Flashpoint data to be seamlessly integrated into customers’ Splunk instances in order to automatically alert customers when a match has been made between indicators from internal log data and Flashpoint intelligence.

Integrated Flashpoint Datasets:

Technical Indicators: Enables users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.

Finished Intelligence: Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.

Key Features:

- Captures, indexes, and correlates in real time Flashpoint technical data within Splunk’s searchable repository
- Enables users to generate reports and visualizations, including graphs, alerts, and dashboards
- Collect integrated data using Flashpoint’s REST-based API
- Includes IOCs such as hashes, URLs, domains, as well as details related to malware families, mapping to the MITRE ATT&CK framework
- Access Pre-Built Dashboards with associated Flashpoint data

About Flashpoint
Flashpoint delivers converged intelligence and risk solutions to private and public sector organizations worldwide. As the global leader in Business Risk Intelligence (BRI), Flashpoint provides meaningful intelligence to assist organizations in combating threats and adversaries. Through sophisticated technology, advanced data collections, and human-powered analysis, Flashpoint is the only intelligence firm that can help multiple teams across an organization bolster cybersecurity, confront fraud, detect insider threats, enhance corporate and physical security, improve executive protection, address third-party risk, and support due diligence efforts.
For more information, visit https://www.flashpoint-intel.com/ or follow us on Twitter at @FlashpointIntel.

Flashpoint App for Splunk

Flashpoint App for Splunk allows you to leverage the Flashpoint platform's Indicators and reports within your Splunk instance.


Splunk Enterprise:

  • Version 7.1, 7.2 and 7.3

Flashpoint Add-on for Splunk

  • Version 1.1.0

Tested on Ubuntu 16.04, CentOS 7.5.18 and Windows Server 2016

Recommended System Configuration

  • Standard Splunk configuration of Search Head, Indexer, and Forwarder.
  • The Flashpoint Add-on for Splunk should be installed on the heavy forwarder and Search Head and the Flashpoint App for Splunk should be installed on the Search Head.


This App can be installed through UI using the following steps.

  1. Log in to Splunk Web and navigate to Apps > Manage Apps.
  2. Click the install app from file.
  3. Click Choose File and select the flashpoint App installation file.
  4. Click on Upload.

Install from the command line using the following command:
sh $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/flashpoint-1.0.0.spl/

Once the installation is complete, restart Splunk. Now go to the matching configuration page to set up the indexes and the time-range from which the matching of the IOCs should execute. Note that if this set up is not done, then the app will start the matching of event from the last 1 hour by default.

Matching Configuration Page Guide

  • In the Matching Configuration page, configure the following fields.
  • Index: It is a multi-select field. The user can select multiple indexes from which they want to match the IOCs. The default value is ' All ' i.e. search in all the indexes.
  • Start Time: It is a Time-Range filter. The user can select the time from which they want to start the matching of the IOCs. The default value is the last 7 days. Note that this Start Time means from which date/time does the user wants to start matching the events, hence, this will be applicable on the first time of the configuration i.e. when the user saves the configuration for the first time, the app will start matching the events since the Start Time till the current time. Once this matching is completed, then the next subsequent matching logic will be invoked every hour automatically by the saved search and it will match the events from the last 1 hour.

Saved Searches

  • This Application contains following Saved Searches.
  • populate_lookup: This Saved Search will populate list_iocs lookup. This saved search interval is every 24 hours.
  • perform_matching: This saved search will perform matching and populate matched_lookup based on matching. Interval for this saved search is every hour and it will match data for the last 60 minutes.

Custom Command

  • This Application contains one custom command matchiocs:
  • matchiocs: This custom command is used to match flashpoint IOCs with Splunk's selected indexes.


  • This Application contains following lookups
  1. list_iocs: This lookup is used to store a list of unique IOCs.
  2. matched_lookup: This lookup is used to store a list of matched events.


To see data logged by Flashpoint, select the Search tab. Click on Data Summary and select flashpoint_intelligence:reports sourcetype for reports and flashpoint_intelligence sourcetype for indicators.
You can also enter search parameters in the search box to filter events.


  • (c) Flashpoint 2019

Release Notes

Version 1.0.0
Nov. 19, 2019

Initial Release


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.