Manually Download and Import Threat intelligence U...

JohnEGones · ‎01-09-2025

Hi all,

Was wondering if there was a way to manually grab the threat intelligence updates for Splunk ES (we are on 7.3.1.)

Specifically: Intelligence download of "mitre_attack" - threatlist download

Our Splunk environment is on-prem and air-gapped, so there is not really any way to create an external connection to the internet.

Any ideas or advice would be appreciated.

JohnEGones · ‎01-13-2025

Hi scelikok,

Thanks, that is a possible solution but not one feasible right now, partly because as you say it is expensive.

I am working on testing the manual download, a conversion to CSV and then upload to ES. I will update this post with my results.

scelikok · ‎01-09-2025

Hi @JohnEGones ,

Although an expensive solution, you can use sandbox and data diode for sending threat intel files into the air gapped network.

Download the files using internet connected system, after sandbox scanning you can send the file to protected network through a strictly configured one way data diode. Lastly you can update ES threat list by serving this file with a simple web server.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Manually Download and Import Threat intelligence Update for Splunk Enterprise Security

Threat Intelligence Management

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation