Splunk Enterprise Security

STIX Threat Intelligence Upload

tmwhitm
New Member

Splunkers,

Once a STIX-formatted IOC file has been successfully uploaded via Splunk Enterprise Security "Upload Threat Intelligence", I'd like to view the contents of that upload to review the IOCs, but I have not been able to see that information, let alone the file listed anywhere. There is an SA-SPLICE application in Splunkbase, but that has not been updated since 2015 and doesn't support the latest file formats.

  1. Where in Splunk ES can I view the contents of the uploaded IOC?
  2. How can I confirm the IOC is enabled and providing intel to Splunk ES?

Thank you,

Tom

0 Karma

jaime_ramirez
Communicator

Have you tried this?

https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Verifythreatintel

So in Security Intelligence > Threat Intelligence > Threat Artifacts, you should be able to find your Threat Source with its Intel Source ID.

Later I could elaborate more on the subject.

Hope it helps!!!

0 Karma