All,
Anyone have a walk through on how I might install various threatlists to Splunk ES in a search head configuration? I can assume I just download the files to the search head deployer, just not sure where in the path I place them.
thanks
Hello @daniel333,
You're correct that you'd want to download the files (upload them, if adding a STIX/IOC file manually) to the deployer and then deploy them out. Treat it like a lookup file.
The link that @acharlieh posted has the correct file path in it for that version and the previous one.
http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists#Add_OpenIOC_or_STIX_files_usi...
If you go to the version of the documentation it will tell you if there is a specific path required. I believe in 4.5.0 is when we started requiring a specific file path.
In the next version of ES (and the current cloud-only version) this is easier because you can upload the file and the software takes care of the rest, without worrying about a file system location.
Let me know how that goes! I'm going to add a SHC-specific note to the documentation to make this clearer, thanks for your question!!
I haven't done much with ES, and even less with ES+SHC, but I'm curious if this doc is some of what you're looking for (there is a Cloud only marker on this version though... I wonder how much has changed):
http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists#Add_OpenIOC_or_STIX_files_usi...