
Add support for `Splunk` and instructions guide

Open summercms opened this issue 7 months ago • 1 comment

Enhancement idea

  • [ ] Add support for Splunk and instructions guide.

Description

Splunk Malware Filter is a community-maintained app that imports curated threat intelligence feeds - including Adblock-style blocklists - into Splunk as lookup tables.

These blocklists include:

  • Known malware domains
  • Tracking servers
  • Ad networks
  • Botnet C2 infrastructure
  • Custom Adblock-compatible filters

Once imported, the data can be used within Splunk to:

  • Enrich logs with threat intelligence (e.g. DNS, proxy, firewall logs)
  • Trigger alerts on malicious domains/IPs
  • Create dashboards for threat visibility
  • Filter or score events based on risk

Features

  • Supports multiple open-source threat feeds and blocklists
  • Converts Adblock filter lists into Splunk-compatible lookups
  • Auto-updates blocklists on a schedule
  • Works with both Splunk Enterprise and Splunk Cloud
  • Lightweight, scriptable, and compatible with ES (Enterprise Security)

Example Use Cases

  • Tagging proxy traffic with "malware" if a request URL matches a known domain in the blocklist
  • Enriching firewall logs with threat intelligence using a simple lookup command
  • Alerting when users access phishing or tracker domains

Notes

n/a

Links

https://en.wikipedia.org/wiki/Splunk

https://www.splunk.com/

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

https://splunkbase.splunk.com/app/6970

https://gitlab.com/malware-filter/splunk-malware-filter

summercms, Aug 05 '25 17:08
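The issue above describes two steps: converting an Adblock-style blocklist into a Splunk-compatible lookup table, and then using that lookup to tag proxy or firewall events that hit a listed domain. The script below is an added example written for this page; it is not code from the crypto-firewall project or from the Splunk Malware Filter app. It assumes a key=value proxy log format and a two-column lookup (`host`, `category`), both of which are constructed for the example, and it emulates the matching that a Splunk `lookup` command would do on the resulting CSV (exact match, plus parent-domain matching, which in a real Splunk lookup definition would need a `WILDCARD` match_type on the key field).

```python
"""
Added example (not part of the crypto-firewall project or the Splunk Malware Filter app):
parse an Adblock-style domain blocklist, render it as a CSV lookup of the kind Splunk
loads with `inputlookup` / `lookup`, then apply it to constructed proxy log lines the
way a `lookup` enrichment would tag matching hosts.
"""
import csv
import io
import re

# Constructed sample blocklist in Adblock syntax. Every domain here is hypothetical
# (.test TLD); it is not a real feed.
SAMPLE_FILTER_LIST = """\
! Title: sample blocklist (constructed for this example)
! Expires: 1 day
||malicious-example.test^
||tracker-example.test^$third-party
||ads.example.test^
@@||allowed.example.test^
example-plain-domain.test
! comment line
/some/path/regex.js
"""

# ||domain^ (optionally followed by $options) is the Adblock "domain anchor" rule.
_ADBLOCK_DOMAIN = re.compile(r"^\|\|([a-z0-9.-]+)\^(\$.*)?$", re.IGNORECASE)
# Bare domain lines (one domain per line) as some feeds publish them.
_PLAIN_DOMAIN = re.compile(r"^([a-z0-9.-]+\.[a-z]{2,})$", re.IGNORECASE)


def parse_adblock_domains(text):
    """Return sorted, de-duplicated domains from a filter list.

    Comments (!), exception rules (@@) and path/regex rules are skipped: a Splunk
    lookup keyed on host can only make use of domain-level entries.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("@@"):
            continue
        m = _ADBLOCK_DOMAIN.match(line) or _PLAIN_DOMAIN.match(line)
        if m:
            domains.add(m.group(1).lower())
    return sorted(domains)


def build_lookup_csv(domains, category="malware"):
    """Render the domains as a CSV lookup with a `host` key and a `category` field."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "category"])
    for domain in domains:
        writer.writerow([domain, category])
    return buf.getvalue()


def load_lookup(csv_text):
    """Read the lookup CSV back into a host -> category dict (what Splunk would index)."""
    return {row["host"]: row["category"] for row in csv.DictReader(io.StringIO(csv_text))}


# Constructed key=value proxy log lines; not real traffic.
SAMPLE_PROXY_LOGS = [
    "src=10.0.0.5 dest_host=ads.example.test uri=/track.gif status=200",
    "src=10.0.0.6 dest_host=www.example.org uri=/ status=200",
    "src=10.0.0.7 dest_host=cdn.malicious-example.test uri=/payload status=200",
]

_KV = re.compile(r"(\w+)=(\S+)")


def enrich(log_line, lookup):
    """Emulate `lookup blocklist host AS dest_host OUTPUT category`.

    Also walks up to parent domains so that a subdomain of a listed domain is tagged
    (the equivalent of a WILDCARD match_type on the lookup's host field in Splunk).
    """
    fields = dict(_KV.findall(log_line))
    labels = fields.get("dest_host", "").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in lookup:
            fields["category"] = lookup[candidate]
            fields["matched_domain"] = candidate
            break
    return fields


def tag_logs(log_lines, lookup):
    """Return only the events that hit the blocklist, with the lookup fields added."""
    return [e for e in (enrich(line, lookup) for line in log_lines) if "category" in e]


if __name__ == "__main__":
    lookup_csv = build_lookup_csv(parse_adblock_domains(SAMPLE_FILTER_LIST))
    print(lookup_csv)
    for event in tag_logs(SAMPLE_PROXY_LOGS, load_lookup(lookup_csv)):
        print(event)
```

The CSV this produces is the shape a lookup file under an app's `lookups/` directory takes; the filtering that `tag_logs` does corresponds to a search that pipes through `lookup ... OUTPUT category` and then keeps events `where isnotnull(category)`, which is the "tag proxy traffic with malware" use case from the issue.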

Notes

  • Removed both `http.method;` and `content:"GET"` to catch all HTTP requests, regardless of method.
  • `sid` needs to be incremental.
  • `rev` needs to be updated every change.

IPs:

`sid:200000001`

Domains:

`sid:100000001`

This separates them to make it easier for future updates!

Alert Messages

Crypto Firewall Detected a Malicious IP Address
Crypto Firewall Detected a Malicious Website

summercms, Aug 05 '25 17:08