topic Re: Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security) in Splunk Enterprise

Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security)

netinstall — Sat, 29 Jul 2017 06:43:42 GMT

As the subject, can splunk enterprise import Threat Intelligence in STIX and XML format with less features in Splunk Enterprise as I only have splunk Enterprise but no Splunk ES? (But the Splunk ES had many features seem to be not very useful and we only want to try the threat intelligence part.

Splunk ES can do it by below method, any similar thing in Splunk Enterprise?

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Addthreatintel

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Uploadthreatfile

Re: Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security)

adonio — Tue, 29 Sep 2020 15:09:36 GMT

hello there,
i don t see why cant you do it in Splunk Core.
you can create a modular input or a scripted input to look for these files and either index them or upload as a lookup so you can run searches and correlation against them.
with not much effort, i was able to use that link: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Downloadthreatfeed#Add_a_URL-based_threat_source
downloaded the "ransomware_domain_blocklist" from here:
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
and uploaded as a lookup table to my splunk, see screenshot:

you can use this method for STIX and all other online lists.
the challenge is to keep them updated. and thats where a scripted input or modular input comes in handy.
hope it helps

Re: Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security)

klaxdal — Tue, 01 Aug 2017 16:02:54 GMT

Why not try Splunk SA- Splice ? Does a great job

https://splunkbase.splunk.com/app/2637/