Add-on for Symantec DeepSight
Overview
Details
This TA contains a script to download the feed from Symantec Deep Sight portal: $SPLUNK_HOME/etc/TA-Symantec-DeepSight/bin/DSDownload.py
Edit the app's setup.xml to securely store the credentials while the script is not running: $SPLUNK_HOME/etc/apps/TA-Symantec-DeepSight/default/setup.xml
Note that this credential can be managed in Enterprise Security via Configure -> Credential Manager; you can also create credentials there if you already have ES.
Edit transforms.conf to define the lookup table. $SPLUNK_HOME/etc/TA-Symantec-DeepSight/default/tranforms.conf
Edit props.conf to apply the lookup table. $SPLUNK_HOME/etc/TA-Symantec_DeepSight/default/props.conf
Create a lookup directory at $SPLUNK_HOME/etc/TA-Symantec_DeepSight/lookups
Test the lookup in Splunk Enterprise
| inputlookup deepSightIpFeed
Tell ES’s Unified Threat Management framework about the lookup with Manage -> Data Inputs -> Threat Lists.
Gathering a lookup instead of a website has already been configured, so we can copy part of this configuration. Find local threatlist and click “clone”, then modify the fields column to say:
ip:$1,category:$5,risk:$7,description:symantec_threatlist
At Manage -> Data Inputs -> Threat Lists, click disable and enable for the new Symantec DeepSight IP Reputation feed to initiate a threatlist aggregation. You can verify that it’s working properly by running this search:
index=_internal sourcetype="python_modular_input" category=threatlist name=symantec_threatlist_ip_reputation_feed
Release Notes
Version 1.0
1.0, basic integration of Symantec DeepSight Threat Feeds into Enterprise Security