Can splunk Enterpise import Threat intelligence in...

netinstall · ‎07-28-2017

As the subject, can splunk enterprise import Threat Intelligence in STIX and XML format with less features in Splunk Enterprise as I only have splunk Enterprise but no Splunk ES? (But the Splunk ES had many features seem to be not very useful and we only want to try the threat intelligence part.

Splunk ES can do it by below method, any similar thing in Splunk Enterprise?

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Addthreatintel

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Uploadthreatfile

klaxdal · ‎08-01-2017

Why not try Splunk SA- Splice ? Does a great job

https://splunkbase.splunk.com/app/2637/

adonio · ‎07-29-2017

hello there,
i don t see why cant you do it in Splunk Core.
you can create a modular input or a scripted input to look for these files and either index them or upload as a lookup so you can run searches and correlation against them.
with not much effort, i was able to use that link: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Downloadthreatfeed#Add_a_URL-based_threat_source
downloaded the "ransomware_domain_blocklist" from here:
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
and uploaded as a lookup table to my splunk, see screenshot:

you can use this method for STIX and all other online lists.
the challenge is to keep them updated. and thats where a scripted input or modular input comes in handy.
hope it helps

Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases