Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Manually Download and Import Threat intelligence Update for Splunk Enterprise Security

JohnEGones
Communicator
‎01-09-2025 07:07 AM

Hi all,

Was wondering if there was a way to manually grab the threat intelligence updates for Splunk ES (we are on 7.3.1.)

Specifically:  Intelligence download of "mitre_attack" - threatlist download

Our Splunk environment is on-prem and air-gapped, so there is not really any way to create an external connection to the internet.

Any ideas or advice would be appreciated.

Labels (1)
0 Karma
Reply

JohnEGones
Communicator
‎01-13-2025 07:22 AM

Hi scelikok,

Thanks, that is a possible solution but not one feasible right now, partly because as you say it is expensive.

I am working on testing the manual download, a conversion to CSV and then upload to ES. I will update this post with my results.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-09-2025 11:24 AM

Hi @JohnEGones ,

Although an expensive solution, you can use sandbox and data diode for sending threat intel files into the air gapped network. 

Download the files using internet connected system, after sandbox scanning you can send the file to protected network through a strictly configured one way data diode. Lastly you can update ES threat list by serving this file with a simple web server.

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...