icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Flashpoint Splunk App
SHA256 checksum (flashpoint-splunk-app_110.tgz) cf9c3892512b8eadfcd70bf727b7f5525a44073fa18eb43f3d0074e8b6f12263 SHA256 checksum (flashpoint-splunk-app_100.tgz) 05ac18aa2994498166421732c7b54ef9520691e6e2fed8abf11922c78ed82bc2
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Flashpoint Splunk App

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Leveraging Flashpoint’s technical data and intelligence reports provides Splunk users with visibility into illicit online communities in order to correlate information related to their infrastructure, therefore, gaining insights in a timely manner and leveraging connections to prioritize their response. The Flashpoint Splunk App and Add-on enables Flashpoint data to be seamlessly integrated into customers’ Splunk instances in order to automatically alert customers when a match has been made between indicators from internal log data and Flashpoint intelligence.

Integrated Flashpoint Datasets:

Technical Indicators: Enables users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.

Finished Intelligence: Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.

Flashpoint CVEs Dataset: CVEs: Access to the latest CVEs within Flashpoint collection, including access to MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.

Key Features:

- Captures, indexes, and correlates in real time Flashpoint technical data within Splunk’s searchable repository
- Enables users to generate reports and visualizations, including graphs, alerts, and dashboards
- Collect integrated data using Flashpoint’s REST-based API
- Includes IOCs such as hashes, URLs, domains, as well as details related to malware families, mapping to the MITRE ATT&CK framework
- Access Pre-Built Dashboards with associated Flashpoint data
- View new CVEs and see which products they affect, see which CVEs are being discussed by malicious actors and see which CVEs have active exploits

About Flashpoint
Flashpoint delivers converged intelligence and risk solutions to private and public sector organizations worldwide. As the global leader in Business Risk Intelligence (BRI), Flashpoint provides meaningful intelligence to assist organizations in combating threats and adversaries. Through sophisticated technology, advanced data collections, and human-powered analysis, Flashpoint is the only intelligence firm that can help multiple teams across an organization bolster cybersecurity, confront fraud, detect insider threats, enhance corporate and physical security, improve executive protection, address third-party risk, and support due diligence efforts.
For more information, visit https://www.flashpoint-intel.com/ or follow us on Twitter at @FlashpointIntel.

Flashpoint App for Splunk

Flashpoint App for Splunk allows you to leverage the Flashpoint platform's Indicators, Reports and CVEs(including Exploits and Mentions) within your Splunk instance.


Splunk Enterprise:

  • Version 7.1, 7.2, 7.3 and 8.0.0

Flashpoint Add-on for Splunk

  • Version 1.1.1

Python version

  • Version 2.7 and 3.7

Tested on Ubuntu 16.04, CentOS 7.5.18 and Windows Server 2016

Recommended System Configuration

  • Standard Splunk configuration of Search Head, Indexer, and Forwarder.
  • The Flashpoint Add-on for Splunk should be installed on the heavy forwarder and Search Head and the Flashpoint App for Splunk should be installed on the Search Head.


This App can be installed through UI using the following steps.

  1. Log in to Splunk Web and navigate to Apps > Manage Apps.
  2. Click the install app from file.
  3. Click Choose File and select the flashpoint App installation file.
  4. Click on Upload.

Install from the command line using the following command:
sh $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/flashpoint-1.1.0.spl/

Upgrading to version 1.1.0

Follow the below steps to upgrade the App to 1.1.0

  1. Log in to Splunk Web and navigate to Apps > Manage Apps.
  2. Click the install app from file.
  3. Click the Choose File button and select the flashpoint App installation file and checked the Upgrade app checkbox.
  4. Click on Upload.

Once the installation is complete, restart Splunk. Now go to the matching configuration page to set up the indexes and the time-range from which the matching of the IOCs should execute. Note that if this set up is not done, then the app will start the matching of event from the last 1 hour by default.

Matching Configuration Page Guide

  • In the Matching Configuration page, configure the following fields.
  1. Index: It is a multi-select field. The user can select multiple indexes from which they want to match the IOCs. The default value is ' All ' i.e. search in all the indexes.
  2. Start Time: It is a Time-Range filter. The user can select the time from which they want to start the matching of the IOCs. The default value is the last 7 days. Note that this Start Time means from which date/time does the user wants to start matching the events, hence, this will be applicable on the first time of the configuration i.e. when the user saves the configuration for the first time, the app will start matching the events since the Start Time till the current time. Once this matching is completed, then the next subsequent matching logic will be invoked every hour automatically by the saved search and it will match the events from the last 1 hour.

Saved Searches

  • This Application contains the following Saved Searches.
Saved Searches Name Description Interval Default Status
populate_lookup Populate list_iocs lookup 24 hours Enabled
perform_matching Perform matching and populate matched_lookup based on matching 1 hour(mathces data for last 60 mins) Enabled
flashpoint_populate_domain_intel Get domains from list_iocs lookup and populate data in flashpoint_domain_intel lookup 30 mins Disabled
flashpoint_populate_email_intel Get emails from list_iocs lookup and populate data in flashpoint_email_intel lookup 30 mins Disabled
flashpoint_populate_file_intel Get file hash from list_iocs lookup and populate data in flashpoint_file_intel lookup 30 mins Disabled
flashpoint_populate_http_intel Get URLs from list_iocs lookup and populate data in flashpoint_http_intel lookup 30 mins Disabled
flashpoint_populate_ip_intel Get IPs from list_iocs lookup and populate data in flashpoint_ip_intel lookup 30 mins Disabled
flashpoint_populate_registry_intel Get registry from list_iocs lookup and populate data in flashpoint_registry_intel lookup 30 mins Disabled
flashpoint_populate_service_intel Get service hash from list_iocs lookup and populate data in flashpoint_service_intel lookup 30 mins Disabled

Custom Command

  • This Application contains the following custom commands
  1. matchiocs: This custom command is used to match flashpoint IOCs with Splunk's selected indexes.
  2. mentiondetail: This custom command is used to generate mention details table.


  • This Application contains the following lookups
Lookup Name Description
list_iocs Stores the list of unique IOCs
matched_lookup Stores the list of matched events
flashpoint_domain_intel Stores the list of domain IOCs
flashpoint_email_intel Stores the list of email IOCs
flashpoint_file_intel Stores the list of file hash IOCs
flashpoint_http_intel Stores the list of URL IOCs
flashpoint_ip_intel Stores the list of IP IOCs
flashpoint_registry_intel Stores the list of registry IOCs
flashpoint_service_intel Stores the list of service IOCs


To see data logged by Flashpoint, select the Search tab and click on Data Summary. Follow the given source types for data fetching.

Data Type Sourcetype
Indicators flashpoint_intelligence
Reports flashpoint_intelligence:reports
CVEs flashpoint_intelligence:cve
Exploits flashpoint_intelligence:exploits
Mentions flashpoint_intelligence:mentions

You can also enter search parameters in the search box to filter events.

Splunk ES - Threat Intelligence

To integrate the Flashpoint App with Enterprise Security, follow the below mentions steps.

  1. Login into Splunk Web and navigate to Apps > Flashpoint App for Splunk.
  2. Click on the Settings dropdown and select Searches, reports, and alerts option.
  3. Select the saved search for which you want to download thread intelligence data.
  4. Click on Edit dropdown from the Actions column.
  5. Select the Enable option from the list to enable the saved search.
  6. Now, Navigate to Apps > Enterprise Security in the navigation bar.
  7. In the Enterprise Security app, click on the Configure tab.
  8. Navigate to Data Enrichment > Intelligence Downloads.
  9. Click on New Button.
  10. Fill all the mandatory fields in the form.
  11. For the URL field, select the appropriate URL name from the given table.
URL Name Purpose
lookup://flashpoint_domain_intel Integrate Flashpoint Intelligence's domain data with Enterprise Security App
lookup://flashpoint_email_intel Integrate Flashpoint Intelligence's email data with Enterprise Security App
lookup://flashpoint_file_intel Integrate Flashpoint Intelligence's file intel data with Enterprise Security App
lookup://flashpoint_http_intel Integrate Flashpoint Intelligence's http intel data with Enterprise Security App
lookup://flashpoint_ip_intel Integrate Flashpoint Intelligence's ip intel data with Enterprise Security App
lookup://flashpoint_registry_intel Integrate Flashpoint Intelligence's registry intel data with Enterprise Security App
lookup://flashpoint_service_intel Integrate Flashpoint Intelligence's service intel data with Enterprise Security App

Note: To populate the data in Enterprise Security, relevant saved search must be enabled in the app.

For more info, visit on:



  • If you do not see any results in panels Try to increase the Time Range filter provided on the top left corner.


Contact Information: https://www.flashpoint-intel.com/contact-us


  • (c) Flashpoint 2020

Release Notes

Version 1.1.0
July 8, 2020

New Features:
Provides Flashpoint CVEs Dataset: CVEs: Access to the latest CVEs within Flashpoint
collection, including access to MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.
Splunk Cloud support
Better Splunk Enterprise Security support

Bug Fixes:
Provides more reliable ingesting of IOCs & Reports

Version 1.0.0
Nov. 19, 2019

Initial Release


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.