Splunk Enterprise

Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security)

netinstall
Engager

As the subject, can splunk enterprise import Threat Intelligence in STIX and XML format with less features in Splunk Enterprise as I only have splunk Enterprise but no Splunk ES? (But the Splunk ES had many features seem to be not very useful and we only want to try the threat intelligence part.

Splunk ES can do it by below method, any similar thing in Splunk Enterprise?

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Addthreatintel

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Uploadthreatfile

Tags (1)

klaxdal
Contributor

Why not try Splunk SA- Splice ? Does a great job

https://splunkbase.splunk.com/app/2637/

0 Karma

adonio
Ultra Champion

hello there,
i don t see why cant you do it in Splunk Core.
you can create a modular input or a scripted input to look for these files and either index them or upload as a lookup so you can run searches and correlation against them.
with not much effort, i was able to use that link: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Downloadthreatfeed#Add_a_URL-based_threat_source
downloaded the "ransomware_domain_blocklist" from here:
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
and uploaded as a lookup table to my splunk, see screenshot:
alt text

you can use this method for STIX and all other online lists.
the challenge is to keep them updated. and thats where a scripted input or modular input comes in handy.
hope it helps

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...