Installation

How do I manually install Splunk ES threat lists?

daniel333
Builder

All,

Anyone have a walkthrough on how I might install various threat lists to Splunk ES in a search head cluster configuration? I can assume I just download the files to the search head deployer; I'm just not sure where in the path I place them.

Thanks


smoir_splunk
Splunk Employee

Hello @daniel333,

You're correct that you'd want to download the files (upload them, if adding a STIX/IOC file manually) to the deployer and then deploy them out. Treat it like a lookup file.

The link that @acharlieh posted has the correct file path in it for that version and the previous one.
http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists#Add_OpenIOC_or_STIX_files_usi...
If you go to the documentation for your version, it will tell you if there is a specific path required. I believe 4.5.0 is when we started requiring a specific file path.

In the next version of ES (and the current cloud-only version) this is easier because you can upload the file and the software takes care of the rest, without worrying about a file system location.

Let me know how that goes! I'm going to add an SHC-specific note to the documentation to make this clearer. Thanks for your question!

acharlieh
Influencer

I haven't done much with ES, and even less with ES+SHC, but I'm curious if this doc is some of what you're looking for (there is a Cloud only marker on this version though... I wonder how much has changed):
http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists#Add_OpenIOC_or_STIX_files_usi...
