topic How to integrate the Threat intelligence feeds from ThreatConnect App for Splunk Enterprise into the Splunk Enteprise Security app? in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-the-Threat-intelligence-feeds-from/m-p/244782#M1706 <P>Hi,</P> <P>There is an app for threat connect (<A href="https://splunkbase.splunk.com/app/1893/">https://splunkbase.splunk.com/app/1893/</A> ), but it does not integrate into Splunk Enterprise Security out of the box. Has anyone managed to integrate the Threat intelligence feeds from Threat Connect into Splunk ES?</P> <P>Since ES already does the work for matching incoming data against the Threat intelligence feeds, I would like to be able to avoid having to install 2 splunk apps and just use ES to gain most value from both ES and Threat Connect.</P> Tue, 24 Nov 2015 19:57:20 GMT anandhim 2015-11-24T19:57:20Z How to integrate the Threat intelligence feeds from ThreatConnect App for Splunk Enterprise into the Splunk Enteprise Security app? https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-the-Threat-intelligence-feeds-from/m-p/244782#M1706 <P>Hi,</P> <P>There is an app for threat connect (<A href="https://splunkbase.splunk.com/app/1893/">https://splunkbase.splunk.com/app/1893/</A> ), but it does not integrate into Splunk Enterprise Security out of the box. Has anyone managed to integrate the Threat intelligence feeds from Threat Connect into Splunk ES?</P> <P>Since ES already does the work for matching incoming data against the Threat intelligence feeds, I would like to be able to avoid having to install 2 splunk apps and just use ES to gain most value from both ES and Threat Connect.</P> Tue, 24 Nov 2015 19:57:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-the-Threat-intelligence-feeds-from/m-p/244782#M1706 anandhim 2015-11-24T19:57:20Z Re: How to integrate the Threat intelligence feeds from ThreatConnect App for Splunk Enterprise into the Splunk Enteprise Security app? https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-the-Threat-intelligence-feeds-from/m-p/244783#M1707 <P>ES is not supported when other apps are installed.<BR /> So you will want to avoid adding any non-Splunk Certified app add-ons to the ES installation.</P> <P>That being said, you can download the ThreatConnect integration and inspect the app for content that might want to add.</P> <P>In the latest versions of ES, the threat intelligence setup is a wizard that you go through. What you want to do is find what data feed source the Threat Connect app looks at and mirror that in your own configuration by Configuring a Threat list in ES. </P> <P>Check out how to do that here.<BR /> <A href="http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists">http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists</A></P> <P>TL:DR; don't install a new app e.g. 1893, instead look at the app configs to find out the threat feed source and use the above url to set it up in ES.</P> Tue, 24 Nov 2015 20:26:46 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-the-Threat-intelligence-feeds-from/m-p/244783#M1707 mcronkrite 2015-11-24T20:26:46Z