- PERSONA: Splunk / Detection Engineer
- CATEGORY: Integration
- ENDPOINTS: 3 used
- UPDATED: April 2026
IOC enrichment for Splunk
SPL has no native threat-intel reach
- Manual copy-paste between Splunk and 5+ TI tabs for every noteworthy indicator.
- KV-store threat lists go stale without a pipeline to refresh them; fresh intel rarely lands in dashboards.
- Each individual TI integration brings its own API key, rate limit, and failure mode to manage.
The endpoints that solve it
Multi-source IOC enrichment
Accepts an indicators[] array of IPs, domains, URLs or hashes. Returns a normalized verdict aggregated across up to 11 integrated sources (VirusTotal, AbuseIPDB, GreyNoise, Shodan, urlscan, OTX, Pulsedive, and more).
Custom search command integration
Streaming custom search command (chunked protocol, python.version = python3) reads a field per event, calls the API, and appends risk_score / verdict / sources_hit fields to each event.
SPL-native output
Enriched events keep flowing through the pipeline — usable in stats, timechart, where, and any downstream alert or dashboard with no schema changes.
One line of SPL, one API call
```
# In SPL — enrich every src_ip in a firewall search
index=firewall action=blocked
| dfir_enrich type=ip field=src_ip
| where dfir_risk_score > 70
| stats count by src_ip, dfir_verdict, dfir_sources_hit

# The command itself POSTs each indicator to:
# https://api.dfir-lab.ch/v1/enrichment/lookup
# Authorization: Bearer <api_key>
```
Step 01: Package as a Splunk app
Standard app layout with commands.conf (chunked = true, python.version = python3) registering a streaming custom search command that calls the enrichment API over HTTPS.
Step 02: Invoke from any search
`| dfir_enrich type=ip field=src_ip` — runs per event, appends verdict fields, works inside scheduled searches, notable-event rules, and dashboards alike.
Step-by-step walkthrough with configuration, error handling, and deployment notes.
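The per-event logic behind such a streaming command, as an added example that is not the vendor's app code and not the splunk-sdk's SearchCommand plumbing (left out so it runs offline). It shows what the two steps above and the FAQ's dedup-and-cache advice mean in practice: distinct indicators are looked up once per chunk, cache hits never reach the API, stale cache entries expire after a TTL, and an API failure never drops events. The `fake_lookup` stand-in, the response field names `risk_score` / `verdict` / `sources_hit`, the `dfir_` prefix and the batch size are assumptions; the real request and response schema is not on this page.

```python
"""Per-event enrichment logic for a streaming Splunk custom search command.

Added example, not the vendor's code. The chunked-protocol plumbing
(splunklib.searchcommands.StreamingCommand) is omitted so this runs offline;
the API is replaced by a constructed stand-in and the verdict field names
are assumptions.
"""
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Verdict = Dict[str, object]
LookupFn = Callable[[List[str]], Dict[str, Verdict]]


def fake_lookup(indicators: List[str]) -> Dict[str, Verdict]:
    """Constructed stand-in for POST /v1/enrichment/lookup (assumed shape:
    one normalized verdict per indicator). Uses RFC 5737 test addresses."""
    canned: Dict[str, Verdict] = {
        "203.0.113.7": {"risk_score": 91, "verdict": "malicious", "sources_hit": 5},
        "198.51.100.22": {"risk_score": 12, "verdict": "benign", "sources_hit": 1},
    }
    unknown: Verdict = {"risk_score": 0, "verdict": "unknown", "sources_hit": 0}
    return {ind: canned.get(ind, unknown) for ind in indicators}


class TtlCache:
    """In-memory stand-in for a KV-store lookup keyed by indicator with a TTL."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: Dict[str, Tuple[Verdict, float]] = {}

    def get(self, key: str) -> Optional[Verdict]:
        entry = self._store.get(key)
        if entry is None:
            return None
        verdict, expires_at = entry
        if self.clock() >= expires_at:  # stale: evict so it gets re-enriched
            del self._store[key]
            return None
        return verdict

    def put(self, key: str, verdict: Verdict) -> None:
        self._store[key] = (verdict, self.clock() + self.ttl)


def enrich_events(events: Iterable[Dict[str, object]], field: str, lookup: LookupFn,
                  cache: TtlCache, prefix: str = "dfir_",
                  batch_size: int = 50) -> List[Dict[str, object]]:
    """Enrich one chunk of events on `field`, appending <prefix>risk_score,
    <prefix>verdict and <prefix>sources_hit. Indicators are deduplicated and
    cache hits never reach the API; if the API call fails, every event still
    flows downstream, carrying <prefix>error instead of a verdict."""
    chunk = [dict(ev) for ev in events]

    # 1. Dedup: one API request per distinct, not-yet-cached indicator.
    pending: List[str] = []
    seen = set()
    for ev in chunk:
        ind = ev.get(field)
        if isinstance(ind, str) and ind and ind not in seen:
            seen.add(ind)
            if cache.get(ind) is None:
                pending.append(ind)

    # 2. Send the remaining indicators in indicators[] batches.
    error: Optional[str] = None
    try:
        for start in range(0, len(pending), batch_size):
            for ind, verdict in lookup(pending[start:start + batch_size]).items():
                cache.put(ind, verdict)
    except Exception as exc:  # unreachable API, rate limit, bad key, ...
        error = f"enrichment failed: {exc}"

    # 3. Append fields; the event schema is otherwise untouched.
    for ev in chunk:
        ind = ev.get(field)
        if not isinstance(ind, str) or not ind:
            continue  # nothing to enrich on this event
        verdict = cache.get(ind)
        if verdict is not None:
            ev[prefix + "risk_score"] = verdict["risk_score"]
            ev[prefix + "verdict"] = verdict["verdict"]
            ev[prefix + "sources_hit"] = verdict["sources_hit"]
        elif error is not None:
            ev[prefix + "error"] = error
    return chunk


if __name__ == "__main__":
    # Constructed sample chunk, as a search head would stream it to the command.
    sample = [{"src_ip": "203.0.113.7"}, {"src_ip": "198.51.100.22"},
              {"src_ip": "203.0.113.7"}, {"src_ip": "192.0.2.1"}]
    for row in enrich_events(sample, "src_ip", fake_lookup, TtlCache(3600)):
        print(row)
```

In a real deployment `lookup` would be the HTTPS call to the enrichment endpoint and `TtlCache` would be backed by a KV-store collection, but the control flow is the same: dedup first, cache second, API last, and never let an API error turn into a dropped event.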
Pricing that tracks your workload
- 01 Light usage — 50 enriched IOCs/day in hand-run searches. Estimate: 50 × 30 × 3 credits = 4,500 credits/month. Plan: Professional (2,500) + a small top-up, or move to Enterprise if analyst volume grows.
- 02 Scheduled dashboards — 20 IOCs/hour from a saved search. Estimate: 20 × 24 × 30 × 3 credits = 43,200 credits/month. Plan: Enterprise. Alternatively, cache enrichments with | lookup and only hit the API on new indicators.
- 03 Evaluation — one dashboard, a few dozen IOCs/day. Estimate: 30 × 30 × 3 credits = 2,700 credits/month. Plan: Professional ($99, 2,500 credits) with a modest overage, or Starter ($29, 500) for truly light evaluation.
Frequently asked
- Q / 01
- Yes, if your Splunk Cloud stack has private app installation enabled. The app is a standard custom search command with no native binaries — it ships Python only, so it passes app inspection.
- Q / 02
- Streaming. It reads a field from each event, enriches it, and appends fields. A generating variant (one-shot lookup without an upstream search) is a trivial modification — see the article for both.
- Q / 03
- Dedup before enrichment — `| dedup src_ip | dfir_enrich ...` — and/or cache results in a KV-store lookup keyed by indicator with a TTL. Most teams only need fresh enrichment per indicator once or twice a day.
- Q / 04
- Yes. The endpoint handles ip, domain, url, and hash types. Pass `type=url` or `type=hash` to the same command against the appropriate field.
Stop triaging by hand.
Create a free account — 100 credits per month, no credit card. Or keep browsing to find the use case that matches your workflow.