Integrations · Splunk
HoneyLabs scanner feed as a Splunk lookup
The CSV feed carries ip, first_seen, last_seen, events, asn and country per row: a ready-made lookup table. Refresh it on a schedule, define the lookup once, and any search can annotate its source IPs with what HoneyLabs sensors saw them do.
- 01
Save a query
Sign in (free) and save the HoneyLabs query you want the feed to track on the feeds page. Any lookup query works: a port, an ASN, a tag, or a boolean combination. The feed returns the source IPs currently matching it, so a tighter query means a tighter blocklist.
# Example saved queries and what they feed you port:22 AND NOT tag:scanner # SSH brute-forcers, known researchers removed tag:scanner # every recognized scanner IP cve:CVE-2024-4577 # IPs probing one specific CVE asn:14061 AND port:445 # SMB scans out of DigitalOcean - 02
Mint a feed token
On the same page, mint a feed URL for the saved query. The token alone authorizes the fetch: no cookies, no headers, safe to paste into an appliance. Mint one token per consumer so you can revoke a leaked URL without breaking the others.
# Your feed URL looks like https://honeylabs.net/feed/<token> # plain text, one IP per line https://honeylabs.net/feed/<token>.csv # ip,first_seen,last_seen,events,asn,country https://honeylabs.net/feed/<token>.json # same fields as JSON - 03
Refresh the lookup file
Cron on the search head (or a scripted input) writes the CSV where Splunk looks up lookup files. Five-minute refreshes are fine; the feed is edge-cached.
# /etc/cron.d/honeylabs-splunk */15 * * * * splunk curl -fsS 'https://honeylabs.net/feed/<token>.csv' \ -o $SPLUNK_HOME/etc/apps/search/lookups/honeylabs_scanners.csv # One-time: Settings > Lookups > Lookup definitions > Add new Name : honeylabs_scanners File : honeylabs_scanners.csv - 04
Use it in SPL
Join on the source IP field of whatever index you are searching. A null events field means HoneyLabs has not seen that IP in the feed's window.
index=firewall | lookup honeylabs_scanners ip AS src_ip OUTPUT events asn country last_seen | eval honeylabs=if(isnotnull(events), "known scanner", "clean") | table src_ip honeylabs events country asn last_seen # Alert idea: internal host talking TO a known scanner index=proxy | lookup honeylabs_scanners ip AS dest_ip OUTPUT events | where isnotnull(events)
Worth knowing
- Keep the saved query broad for enrichment (tag:scanner) and narrow for alerting (a CVE or port query), as two separate feeds.
- For per-IP detail beyond the feed columns, the lookup page returns full JSON: curl with Accept: application/json on /lookup/<ip>.
The feed is plain text (one IP per line), CSV, or JSON, is revocable per token, and is edge-cached for five minutes, so a tight refresh schedule never hammers anything. Create yours on the feeds page, or browse the other integrations.