Integrations · Splunk

HoneyLabs scanner feed as a Splunk lookup

The CSV feed carries ip, first_seen, last_seen, events, asn and country per row: a ready-made lookup table. Refresh it on a schedule, define the lookup once, and any search can annotate its source IPs with what HoneyLabs sensors saw them do.

  1. 01

    Save a query

    Sign in (free) and save the HoneyLabs query you want the feed to track on the feeds page. Any lookup query works: a port, an ASN, a tag, or a boolean combination. The feed returns the source IPs currently matching it, so a tighter query means a tighter blocklist.

    # Example saved queries and what they feed you
    port:22 AND NOT tag:scanner     # SSH brute-forcers, known researchers removed
    tag:scanner                     # every recognized scanner IP
    cve:CVE-2024-4577               # IPs probing one specific CVE
    asn:14061 AND port:445          # SMB scans out of DigitalOcean
  2. 02

    Mint a feed token

    On the same page, mint a feed URL for the saved query. The token alone authorizes the fetch: no cookies, no headers, safe to paste into an appliance. Mint one token per consumer so you can revoke a leaked URL without breaking the others.

    # Your feed URL looks like
    https://honeylabs.net/feed/<token>        # plain text, one IP per line
    https://honeylabs.net/feed/<token>.csv    # ip,first_seen,last_seen,events,asn,country
    https://honeylabs.net/feed/<token>.json   # same fields as JSON
  3. 03

    Refresh the lookup file

    Cron on the search head (or a scripted input) writes the CSV where Splunk looks up lookup files. Five-minute refreshes are fine; the feed is edge-cached.

    # /etc/cron.d/honeylabs-splunk
    */15 * * * * splunk curl -fsS 'https://honeylabs.net/feed/<token>.csv' \
      -o $SPLUNK_HOME/etc/apps/search/lookups/honeylabs_scanners.csv
    
    # One-time: Settings > Lookups > Lookup definitions > Add new
    Name : honeylabs_scanners
    File : honeylabs_scanners.csv
  4. 04

    Use it in SPL

    Join on the source IP field of whatever index you are searching. A null events field means HoneyLabs has not seen that IP in the feed's window.

    index=firewall
    | lookup honeylabs_scanners ip AS src_ip OUTPUT events asn country last_seen
    | eval honeylabs=if(isnotnull(events), "known scanner", "clean")
    | table src_ip honeylabs events country asn last_seen
    
    # Alert idea: internal host talking TO a known scanner
    index=proxy
    | lookup honeylabs_scanners ip AS dest_ip OUTPUT events
    | where isnotnull(events)

Worth knowing

  • Keep the saved query broad for enrichment (tag:scanner) and narrow for alerting (a CVE or port query), as two separate feeds.
  • For per-IP detail beyond the feed columns, the lookup page returns full JSON: curl with Accept: application/json on /lookup/<ip>.

The feed is plain text (one IP per line), CSV, or JSON, is revocable per token, and is edge-cached for five minutes, so a tight refresh schedule never hammers anything. Create yours on the feeds page, or browse the other integrations.