The Flashpoint App for Splunk lets you use the Flashpoint platform's Indicators, Reports and CVEs (including Exploits and Mentions) within your Splunk instance.
Flashpoint Add-on for Splunk
Tested on Ubuntu 16.04, CentOS 7.5.18 and Windows Server 2016
This App can be installed through the UI using the following steps:
Click Install app from file.
Click Choose File and select the Flashpoint App installation file.
Alternatively, install from the command line with the following command (the .spl file path takes no trailing slash):
$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/flashpoint-1.1.0.spl
Follow the steps below to upgrade the App to 1.1.0:
Click Install app from file.
Click the Choose File button, select the Flashpoint App installation file and check the Upgrade app checkbox.
Once the installation is complete, restart Splunk. Then go to the matching configuration page to set up the indexes and the time range over which IOC matching should run. If this setup is not done, the app matches events from the last 1 hour by default.
| Saved Search Name | Description | Interval | Default Status |
|---|---|---|---|
| | Populate list_iocs lookup | 24 hours | Enabled |
| | Perform matching and populate matched_lookup based on matching | 1 hour (matches data for the last 60 mins) | Enabled |
| | Get domains from list_iocs lookup and populate data in flashpoint_domain_intel lookup | 30 mins | Disabled |
| | Get emails from list_iocs lookup and populate data in flashpoint_email_intel lookup | 30 mins | Disabled |
| | Get file hashes from list_iocs lookup and populate data in flashpoint_file_intel lookup | 30 mins | Disabled |
| | Get URLs from list_iocs lookup and populate data in flashpoint_http_intel lookup | 30 mins | Disabled |
| | Get IPs from list_iocs lookup and populate data in flashpoint_ip_intel lookup | 30 mins | Disabled |
| | Get registry entries from list_iocs lookup and populate data in flashpoint_registry_intel lookup | 30 mins | Disabled |
| | Get service hashes from list_iocs lookup and populate data in flashpoint_service_intel lookup | 30 mins | Disabled |
matchiocs: This custom command matches Flashpoint IOCs against events in the selected Splunk indexes.
mentiondetail: This custom command generates the mention details table.
| Lookup Name | Description |
|---|---|
| list_iocs | Stores the list of unique IOCs |
| matched_lookup | Stores the list of matched events |
| flashpoint_domain_intel | Stores the list of domain IOCs |
| flashpoint_email_intel | Stores the list of email IOCs |
| flashpoint_file_intel | Stores the list of file hash IOCs |
| flashpoint_http_intel | Stores the list of URL IOCs |
| flashpoint_ip_intel | Stores the list of IP IOCs |
| flashpoint_registry_intel | Stores the list of registry IOCs |
| flashpoint_service_intel | Stores the list of service IOCs |
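To make the pipeline behind the saved searches and lookups above concrete, here is an added example of the two steps they describe: bucketing list_iocs into the per-type intel lookups, and matching those IOCs against events inside the 60-minute window that matched_lookup covers. This is illustrative code written for this page, not the app's own matchiocs implementation, whose source is not shown here. It assumes list_iocs has `value` and `type` columns and that events carry `_time`, `index` and `_raw`; the IOC rows and log lines are constructed for the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed list_iocs content. The "value"/"type" column names are an assumption;
# the app's real lookup schema is not documented on this page.
LIST_IOCS_CSV = """value,type
evil.example.net,domain
203.0.113.45,ip
http://evil.example.net/payload.bin,url
phish@evil.example.net,email
44D88612FEA8A8F36DE82E1278ABB02F,file
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,registry
"""

# One per-type lookup, matching the lookup names listed on the page.
TYPE_TO_LOOKUP = {
    "domain": "flashpoint_domain_intel",
    "email": "flashpoint_email_intel",
    "file": "flashpoint_file_intel",
    "url": "flashpoint_http_intel",
    "ip": "flashpoint_ip_intel",
    "registry": "flashpoint_registry_intel",
    "service": "flashpoint_service_intel",
}


def split_list_iocs(csv_text):
    """Bucket list_iocs rows into the per-type lookups (what the 30-minute saved searches do)."""
    buckets = {name: [] for name in TYPE_TO_LOOKUP.values()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        lookup = TYPE_TO_LOOKUP.get(row["type"].strip().lower())
        if lookup is None:
            continue  # unknown type: skip it rather than poison a lookup
        value = row["value"].strip()
        if value and value not in buckets[lookup]:  # list_iocs holds unique IOCs
            buckets[lookup].append(value)
    return buckets


def _ioc_pattern(ioc_type, value):
    """Type-aware matcher: avoid partial-octet and partial-hash false positives, allow subdomains."""
    v = re.escape(value)
    if ioc_type == "ip":
        return re.compile(r"(?<![\d.])" + v + r"(?![\d.])")       # 203.0.113.4 must not hit 203.0.113.45
    if ioc_type == "domain":
        return re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + v + r"(?!\.?[\w-])", re.I)  # cdn.evil.example.net hits
    if ioc_type == "file":
        return re.compile(r"(?<![0-9a-f])" + v + r"(?![0-9a-f])", re.I)  # hashes compare case-insensitively
    return re.compile(v, re.I)  # url, email, registry, service: case-insensitive substring


def match_events(events, buckets, now, window=timedelta(minutes=60)):
    """Return matched_lookup rows for events whose _time falls in [now - window, now]."""
    compiled = [(t, val, _ioc_pattern(t, val))
                for t, lookup in TYPE_TO_LOOKUP.items() for val in buckets[lookup]]
    start = now - window
    matches = []
    for ev in events:
        if not (start <= ev["_time"] <= now):
            continue  # outside the matching window the saved search was configured with
        for ioc_type, value, pat in compiled:
            if pat.search(ev["_raw"]):
                matches.append({"_time": ev["_time"], "index": ev["index"],
                                "ioc": value, "ioc_type": ioc_type, "_raw": ev["_raw"]})
    return matches


# Constructed sample events; NOW is fixed so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"_time": NOW - timedelta(minutes=5), "index": "proxy",
     "_raw": "GET http://cdn.evil.example.net/payload.bin 200 src=10.0.0.7"},
    {"_time": NOW - timedelta(minutes=20), "index": "firewall",
     "_raw": "action=allow src=10.0.0.7 dst=203.0.113.45 dport=443"},
    {"_time": NOW - timedelta(minutes=30), "index": "firewall",
     "_raw": "action=allow src=10.0.0.8 dst=203.0.113.4 dport=443"},   # near miss, must not match
    {"_time": NOW - timedelta(minutes=45), "index": "endpoint",
     "_raw": "Sysmon EventID=1 Hashes=MD5=44d88612fea8a8f36de82e1278abb02f Image=C:\\Temp\\a.exe"},
    {"_time": NOW - timedelta(hours=3), "index": "proxy",
     "_raw": "GET http://evil.example.net/old 200 src=10.0.0.9"},      # outside the 60-minute window
]

if __name__ == "__main__":
    for row in match_events(SAMPLE_EVENTS, split_list_iocs(LIST_IOCS_CSV), NOW):
        print(row["_time"].isoformat(), row["index"], row["ioc_type"], row["ioc"])
```

Two points the example makes that the table alone does not: the time window is applied before any matching, so an event older than the configured range is never compared even if it contains an indicator, and naive substring matching would produce a false positive on the 203.0.113.4 event, so the IP and hash matchers anchor on field boundaries.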
To see data logged by Flashpoint, select the Search tab and click Data Summary. Use the listed source types to find the fetched data. You can also enter search parameters in the search box to filter events.
To integrate the Flashpoint App with Enterprise Security, follow the steps below.
Click the Settings dropdown and select the Searches, reports, and alerts option.
Open the Edit dropdown for the saved search you want to enable.
Select the Enable option from the list to enable the saved search.
| Threat Intelligence Source | Description |
|---|---|
| lookup://flashpoint_domain_intel | Integrate Flashpoint Intelligence's domain data with the Enterprise Security App |
| lookup://flashpoint_email_intel | Integrate Flashpoint Intelligence's email data with the Enterprise Security App |
| lookup://flashpoint_file_intel | Integrate Flashpoint Intelligence's file intel data with the Enterprise Security App |
| lookup://flashpoint_http_intel | Integrate Flashpoint Intelligence's HTTP intel data with the Enterprise Security App |
| lookup://flashpoint_ip_intel | Integrate Flashpoint Intelligence's IP intel data with the Enterprise Security App |
| lookup://flashpoint_registry_intel | Integrate Flashpoint Intelligence's registry intel data with the Enterprise Security App |
| lookup://flashpoint_service_intel | Integrate Flashpoint Intelligence's service intel data with the Enterprise Security App |
Note: To populate the data in Enterprise Security, the relevant saved search must be enabled in the app.
For more information, visit:
Contact Information: https://www.flashpoint-intel.com/contact-us
Provides the Flashpoint CVEs dataset: access to the latest CVEs within the Flashpoint collection, including MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.
Splunk Cloud support
Better Splunk Enterprise Security support
Provides more reliable ingesting of IOCs & Reports