Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

stix Threat Intelligence Upload

tmwhitm
New Member
‎12-04-2018 10:39 AM

Splunkers,

Once a stix formatted IOC file has been successfully uploaded via Splunk Enterprise Security "Upload Threat Intelligence", I'd like to view the contents of that upload to review the IOCs but I have not been able to see that information, let alone the file listed anywhere. There is an SA-SPLICE application in Splunkbase but that has not been updated since 2015 and doesn't support the latest file formats.

  1. Where in Splunk ES can I view the contents of the uploaded IOC?
  2. How can I confirm the IOC is enabled and providing intel to Splunk ES?

Thank you,

Tom

0 Karma
Reply

jaime_ramirez
Communicator
‎11-20-2019 11:23 AM

Have you tried this?

https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Verifythreatintel

So in Security Intelligence > Threat Intelligence > Threat Artifacts, you should be able to find your Threat Source with its Intel Source ID.

Later I could elaborate more on the subject.

Hope it helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top