Exporting LOLBAS Indicators from XSOAR to Splunk as a Threat Intelligence Feed
This blog post walks through how to export indicators (specifically from the LOLBAS project) from Cortex XSOAR into Splunk using the Generic Export Indicators Service and configure Splunk to ingest the feed as a Threat Intel Lookup.
Part 1: Setting Up XSOAR
Step 1: Enable LOLBAS Integration
First, you need to configure XSOAR to ingest indicators from LOLBAS.
- Go to Settings → Integrations → Instances.
- Search for the LOLBAS integration.
- Click Add instance and configure it:
  - Set the fetch interval.
  - Make sure “Fetch Indicators” is enabled.
  - Provide any other required fields depending on the version of the integration.
- Click Test to ensure the integration is working correctly.
- Save and enable the instance.
This integration will regularly ingest indicators into XSOAR, usually as Tool-type indicators.
Step 2: Verify LOLBAS Indicators Are Ingested
To verify that the indicators are being pulled in:
- Go to Threat Intel → Indicators.
- Use the search bar to filter:
sourceInstances:"LOLBAS Feed_instance_1"
Replace "LOLBAS Feed_instance_1" with the actual instance name you configured.
Note: You can’t use this exact query in automation or exports, but it works well in the UI for validation.
Step 3: Enable Generic Export Indicators Service
To make the indicators available to Splunk, we’ll expose them through a download endpoint.
- Go back to Settings → Integrations → Instances.
- Search for Generic Export Indicators Service (GEIS) by Palo Alto Networks.
- Add a new instance.
This integration allows you to create a CSV or JSON export of indicators matching a query — accessible via a unique URL (e.g., for curl or use by Splunk).
Key Configuration Options:
- Output Format: Choose CSV for Splunk compatibility.
- Export Fields: Customize which fields to export (e.g., value, type, customFields.path, etc.).
- Query: Here’s the tricky part. At the time of writing, sourceInstances is not supported by GEIS. Instead, use tags to filter LOLBAS indicators. For example, if your LOLBAS indicators are tagged with lolbas, use this query:
tags:lolbas
💡 If your indicators aren’t already tagged, consider using a post-ingestion playbook to add consistent tags automatically.
You can test the GEIS query by using the !findIndicators command in the Playground:
!findIndicators query="tags:lolbas" size=10
Once satisfied, save the GEIS instance and note the URL it provides — you'll use this in Splunk.
Part 2: Setting Up Splunk
Now that your indicators are available as a CSV feed from XSOAR, let’s configure Splunk to pull it in as a threat intelligence source.
Splunk Enterprise Security supports polling external sources via the threatlist:// stanza in inputs.conf.
Reference:
Splunk Docs → Using Threat Intelligence in Splunk Enterprise Security
Example inputs.conf Entry for LOLBAS Feed:
[threatlist://dti-lolbas-indicator]
description = Raw indicator feed from LOLBAS
fields = name:$1,version:$2,CustomFields:$3
file_parser = line
delim_regex = ,
ignore_regex = (^#|^\s*$)
interval = 900
is_threatintel = true
max_age = -4h
max_size = 52428800
retries = 3
retry_interval = 60
skip_header_lines = 1
timeout = 30
type = dti-indicator
url = https://<xsoar-url>/instance/execute/<geis-instance-name>
workloads = []
Field Notes:
- fields: Maps CSV columns to Splunk fields.
- url: Replace with the actual GEIS URL from your XSOAR instance.
- interval: Poll every 15 minutes.
- is_threatintel: Set to true if you want it integrated into Splunk ES Threat Intelligence.
✅ Don’t forget to restart Splunk after modifying inputs.conf.
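As an added pre-flight check (my example, not code from the original post, XSOAR or Splunk), the script below applies the stanza's own line rules (skip_header_lines, ignore_regex, delim_regex and the fields mapping) to a constructed sample of the GEIS CSV, so malformed rows surface before Splunk polls the feed. SAMPLE_FEED, its rows and the function names are assumptions.

```python
import re

# Constructed sample of a GEIS CSV export with Export Fields
# value,type,customFields.path (not real XSOAR output).
SAMPLE_FEED = """value,type,customFields.path
# constructed comment line, matches ignore_regex
certutil.exe,Tool,C:\\Windows\\System32\\certutil.exe

mshta.exe,Tool,C:\\Windows\\System32\\mshta.exe
broken-row,Tool
"""

# Settings copied from the inputs.conf stanza shown on this page.
STANZA = {
    "fields": "name:$1,version:$2,CustomFields:$3",
    "delim_regex": ",",
    "ignore_regex": r"(^#|^\s*$)",
    "skip_header_lines": 1,
}

def parse_field_map(spec):
    """Turn 'name:$1,version:$2' into [('name', 0), ('version', 1)]."""
    pairs = []
    for item in spec.split(","):
        name, ref = item.split(":")
        pairs.append((name.strip(), int(ref.strip().lstrip("$")) - 1))
    return pairs

def preflight(feed_text, stanza):
    """Mimic file_parser = line: skip header, drop ignored lines, split on
    delim_regex, map columns to fields. Returns (records, problems)."""
    field_map = parse_field_map(stanza["fields"])
    ignore = re.compile(stanza["ignore_regex"])
    delim = re.compile(stanza["delim_regex"])
    needed = max(idx for _, idx in field_map) + 1
    skip = stanza["skip_header_lines"]
    records, problems = [], []
    for lineno, line in enumerate(feed_text.splitlines()[skip:], start=skip + 1):
        if ignore.search(line):
            continue
        cols = delim.split(line)
        if len(cols) < needed:
            problems.append((lineno, f"expected {needed} columns, got {len(cols)}"))
            continue
        records.append({name: cols[idx] for name, idx in field_map})
    return records, problems

if __name__ == "__main__":
    recs, probs = preflight(SAMPLE_FEED, STANZA)
    print(f"{len(recs)} usable rows, {len(probs)} problem rows: {probs}")
```

Because delim_regex splits on a bare comma, any indicator value containing a comma would be mis-mapped the same way here and in Splunk, which is exactly what this check is meant to catch.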
Optional: Add a Workload (Saved Search)
If you want to process the incoming data, such as filtering invalid entries or transforming fields, you can specify a workload, like a Saved Search:
workloads = [
{"type": "savedsearch", "workload": "cleanup-lolbas-indicators"}
]
This lets you customize how LOLBAS data is cleaned or enriched after ingestion.