Configure proxy server settings in Splunk Enterprise Security

Note: This documentation topic on threat intelligence applies only to users using native threat intelligence in Splunk Enterprise Security, not Threat Intelligence Management (Cloud).

Configure a proxy in Splunk Enterprise Security to create threat lists and extract and customize intelligence data.

If your Splunk Enterprise Security deployment receives data from threat intelligence platforms through a proxy, you must apply the same proxy server settings to all the [threatlist] stanzas in the inputs.conf configuration file. Use Splunk Enterprise Security to configure the proxy server settings for all [threatlist] stanzas.

Note: The proxy settings only impact data source integrations present within the Splunk Enterprise Security app. Data source integrations from the Threat Intelligence Management (Cloud) system provide data directly to the data source platforms.

Follow these steps to configure a proxy:

  1. In Splunk Enterprise Security, select Configure and then Threat intelligence.
  2. Select Proxy and parser settings.
  3. Configure the following proxy server settings:
    • Proxy server: IP address of the proxy server. The value cannot be a URL. Example: 10.10.10.10 or server.example.com.
    • Proxy port: Port used to access the proxy server. Example: 8956.
    • Proxy user: Proxy user credential for the proxy server. Only basic and digest authentication methods are supported. The user must correspond to the name of a credential stored in Credential management. This is a required field.
    • Proxy user realm (optional): Splunk Enterprise Security secure storage realm of the corresponding proxy user. Used to build the ID of the Splunk Enterprise secure storage array. This value is different from the remote site credentials.

Configure parse modifier settings

When threat intelligence data is ingested, fields are often embedded within each other. By configuring threat list settings, you can separate these fields. Fields and their corresponding values are extracted when threat documents are processed and written to their respective threat collections. Configure parse modifier settings to extract fields from the threat intelligence data.

Steps

  1. In Splunk Enterprise Security, select Configure and then Threat intelligence.
  2. Select Proxy and parser settings.
  3. You have the option to turn on any of the following parse modifier settings:
    • Certificate attribute breakout
    • IDNA encode domains
    • Parse domain from URL
    • Normalize IP
  4. Turn on the parse modifier settings that match your requirements. Turn on Certificate attribute breakout to extract the individual attributes of the certificate_issuer and certificate_subject fields into their own fields.
    For example, a raw certificate issuer field might be a single string such as:
    C = US, ST = CA, L = San Francisco, O = The Company Name, OU = The Organizational Unit Name, CN = The common name, emailAddress = theemailaddress@email.gov, STREET=123 main street
    Several other potential fields are embedded in this single string. When you activate the Certificate attribute breakout parse modifier, these extra fields are parsed out of the raw certificate_issuer field and stored in their own fields in the collection, as follows:
    • 'certificate_issuer_common_name': 'The common name',
    • 'certificate_issuer_email': 'theemailaddress@email.gov',
    • 'certificate_issuer_locality': 'San Francisco',
    • 'certificate_issuer_organization': 'The Company Name',
    • 'certificate_issuer_state': 'CA',
    • 'certificate_issuer_street': '123 main street',
    • 'certificate_issuer_unit': 'The Organizational Unit Name'
    When you parse the certificate_subject field by activating the Certificate attribute breakout parse modifier, parsing occurs as follows:
    • 'certificate_subject_common_name': 'The common name',
    • 'certificate_subject_email': 'theemailaddress@email.gov',
    • 'certificate_subject_locality': 'San Francisco',
    • 'certificate_subject_organization': 'The Company Name',
    • 'certificate_subject_state': 'CA',
    • 'certificate_subject_street': '123 main street',
    • 'certificate_subject_unit': 'The Organizational Unit Name'
    To convert domain names written in non-ASCII characters to their ASCII-based (IDNA) representation, turn on IDNA encode domains. When this modifier is on, the domain field contains both the IDNA encoding and the international encoding of each applicable domain.
    To extract a hostname from a URL, turn on Parse domain from URL. This modifier parses the domain field from the url field.
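    As an added example of what the Certificate attribute breakout, IDNA encode domains and Parse domain from URL modifiers do to a threat document (this is illustrative code written for this page, not Splunk's parser), the Python below re-implements the three over a constructed sample document. The attribute-to-field mapping and field names are taken from the lists above; the handling of backslash-escaped commas and of URLs without a host are assumptions.

```python
# Added example, not Splunk's code: a minimal re-implementation of three parse
# modifiers described above, run over a constructed sample threat document.
import re
from urllib.parse import urlparse

# DN attribute type -> field suffix, as listed on this page; "C" (country) is
# absent on purpose because the page lists no certificate_*_country field.
DN_ATTRIBUTES = {"CN": "common_name", "emailAddress": "email", "L": "locality",
                 "O": "organization", "ST": "state", "STREET": "street", "OU": "unit"}

# Constructed sample document; the issuer string is the page's own illustration.
SAMPLE_DOC = {
    "certificate_issuer": ("C = US, ST = CA, L = San Francisco, O = The Company Name, "
                           "OU = The Organizational Unit Name, CN = The common name, "
                           "emailAddress = theemailaddress@email.gov, STREET=123 main street"),
    "url": "https://bücher.example/path?q=1",
}

def breakout_certificate_attributes(prefix, dn):
    """Split a DN string into <prefix>_<suffix> fields; backslash-escaped commas are assumed."""
    fields = {}
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        suffix = DN_ATTRIBUTES.get(attr.strip()) if sep else None  # skip malformed parts
        if suffix:
            fields[f"{prefix}_{suffix}"] = value.strip().replace("\\,", ",")
    return fields

def idna_encode_domain(domain):
    """Return [domain, punycode form] for a non-ASCII name, else [domain]."""
    encoded = domain.encode("idna").decode("ascii")
    return [domain, encoded] if encoded != domain else [domain]

def parse_domain_from_url(url):
    """Extract the hostname from a URL; None when the URL carries no host."""
    return urlparse(url).hostname

def apply_parse_modifiers(doc):
    """Apply all three modifiers to one document and return the enriched copy."""
    out = dict(doc)
    for key in ("certificate_issuer", "certificate_subject"):  # Certificate attribute breakout
        if key in doc:
            out.update(breakout_certificate_attributes(key, doc[key]))
    if "url" in doc and "domain" not in doc:  # Parse domain from URL
        host = parse_domain_from_url(doc["url"])
        if host:
            out["domain"] = host
    if "domain" in out:  # IDNA encode domains
        out["domain"] = idna_encode_domain(out["domain"])
    return out
```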