Use generic intelligence in search with inputintelligence

After you add generic intelligence to Splunk Enterprise Security, you can use the inputintelligence command to make use of the intelligence. See Add generic intelligence to Splunk Enterprise Security.

Note: The inputintelligence command cannot be used with threat intelligence sources.

Description

Use the inputintelligence command to add intelligence from the threatlist directory to your search results. When downloaded, generic intelligence is parsed and stored in the $SPLUNK_DB/modinputs/threatlist directory.

Note: Run the inputintelligence command on the search head where the input is configured within a search head cluster environment. Searches may fail if you run the inputintelligence command on search peers in a search head cluster.

Syntax

| inputintelligence <threatlist_stanza_name> [fields=<string>] [delim_regex=<string>] [extract_regex=<string>] [ignore_regex=<string>] [skip_header_lines=<int>] [include_raw=<bool>] [append=<bool>] [no_parse=<bool>]

Required arguments

threatlist_stanza_name

Syntax: <string>

Description: The stanza of the intelligence download. Matches the Name field on the Intelligence Downloads page. You cannot have mutiple stanzas in in one search. Instead, you can combine multiple inputintelligence commands together and append the results with the append=1 argument. See Download an intelligence feed from the Internet in Splunk Enterprise Security.

Optional arguments

fields

Syntax: <string>

Description: Overrides the default fields setting for the intelligence download defined in the Intelligence Download page. Required if your document is line-delimited. Comma-separated list of fields to be extracted from the intelligence list. Can also be used to rename or combine fields. Description is a required field. Additional acceptable fields are the fields in the corresponding KV Store collection for the threat intelligence, visible in the local lookup files or the DA-ESS-ThreatIntelligence/collections.conf configuration file. No default value. If there is no value specified, the fields argument is parsed from the header of the CSV file. The list of fields can have any name and are not required to map to KV Store collections in the DA-ESS-ThreatIntelligence/collections.conf configuration file.

delim_regex

Syntax: <string>

Description: Overrides the default delimiting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression string used to split, or delimit, lines in an intelligence source. For complex delimiters, use an extracting regular expression.

extract_regex

Syntax: <string>

Description: Overrides the default extracting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to extract fields from individual lines of an intelligence source document. Use to extract values in the intelligence source.

ignore_regex

Syntax: <string>

Description: Overrides the default ignore regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to ignore lines in an intelligence source. Defaults to ignoring blank lines and comments that begin with #.

skip_header_lines

Syntax: <int>

Description: Overrides the default skip header lines setting for the intelligence download defined in the Intelligence Download page. The number of header lines to skip when processing the intelligence source.

Default: 0

include_raw

Syntax: <bool>

Description: If 1, t, or true, adds the original line content to an additional column called raw.

Default: 0

append

Syntax: <bool>

Description: If 1, t, or true, appends the results of the inputintelligence command to an existing set of search results instead of replacing it.

Default: 0

no_parse

Syntax: <bool>

Description: If 1, t, or true all other options are ignored and the raw contents of the intelligence file is returned one line per row.

Default: 0