Splunk Enterprise Security

Add intelligence to file_intel

panovattack
Communicator

Is there a way to use lookups to add threat intelligence to the non-network based intelligence stores, such as file_intel? I know STIX and OpenIOC can populate these, however, I've got IOCs in CSVs and custom feeds of file names, hashes, etc. Thanks!

0 Karma
1 Solution

mcronkrite
Splunk Employee
Splunk Employee

Yes absolutely, in fact, that's the default threat list style.
The csv files have to have two fields, ip and description, url and description, or domain and description.

http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists

View solution in original post

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

Yes absolutely, in fact, that's the default threat list style.
The csv files have to have two fields, ip and description, url and description, or domain and description.

http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists

0 Karma

panovattack
Communicator

I've followed the instructions in the documentation for network indicators (IPs, URLs, and Domains) and it work great! However, I can not reproduce those results for fie-based indicators (file names, hashes, etc.).

0 Karma

panovattack
Communicator

fixed in updates of ES

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...