Splunk app for ES and Alexa Top Sites

Alexa recently decided to restrict the downloads of the top one million sites list. Splunk Enterprise Security has this as one of the initial and default intel sources. Honestly the docs for ES do not make it clear how ES uses it. But maybe you just want to be sure it works. Or maybe you do something like apply the list as a filter on DNS data.

The awesome Cisco Umbrella team has made a replacement list. It is the same format as the Alexa file, so you can quickly swap it out in ES.

  • Disable the existing Alexa threat download entry.

  • Clone it and make a new one for cisco_top_one_million_sites.

  • Make sure per the screen shot above that you leave the “type” as “alexa”. That is tied to hard code in the ES application. We are just fooling ES into using the data from a matching formatted list.

  • Save it and you are done.