Splunk Enterprise

Splunk Core threat intelligence feed data

elend
Path Finder

Hi, I was wondering if it is possible to incorporate threat intelligence data without using enterprise security?
I've done it using Splunk ES, and it was pretty easy. But what if I don't have ES and only Splunk Core in my environment?

1 Solution

livehybrid
SplunkTrust

Hi @elend 

Yes, you can incorporate threat intelligence data into Splunk Core without using Enterprise Security (ES). While ES provides built-in functionality (like the Threat Intelligence Framework and notable event correlation), in Splunk Core you will need to manually onboard and implement threat intel feeds. You could do this a number of ways:

  1. Ingest: Import your threat intelligence feeds (such as CSV, STIX, TAXII, or public IoCs) into Splunk as a new index (e.g., threatintel) from a forwarder that has access to the threat intel feeds.

  2. Lookups: Load feed data as lookups either manually or using an API mechanism.

  3. Scheduled Inputs: Use an existing (Splunkbase) or custom modular inputs to pull threat data from external sources and index it in Splunk.

Then you will need to utilize the onboarded threat intel data: use SPL to search and correlate your indexed logs with threat indicators, e.g. using lookup commands to match source IPs, domains, or hashes in your events against those in your threat intel lookup. You can then have alerts based on matches between your event data and the imported threat indicators.

This obviously requires more manual effort than the out-of-the-box ES implementation but can produce fully functional threat intel processing in Splunk. You won't have the automated enrichment, risk scoring, or notable events provided by ES, but you can replicate many basic use cases with SPL and alerts if you're able/willing to put it together.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

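The three steps above (feed in an index, lookup built from it, scheduled correlation with alerting) put together as a Splunk Core configuration. This is an added example, not code from the original post or from Splunk. It assumes the raw feed already lands in index=threatintel (via a forwarder or modular input) with fields indicator, indicator_type, source and description; that the lookup is named threat_intel_ioc; that your event data uses CIM-style field names (src_ip, dest_ip, query, dest_host, file_hash, sha256) in the indexes firewall, proxy and endpoint; and that soc@example.com is the alert recipient. Rename those to match your environment.

```ini
# transforms.conf  (in an app on the search head)
# CSV lookup maintained by the scheduled search below. Assumed column layout:
# indicator,indicator_type,source,description,last_seen
[threat_intel_ioc]
filename = threat_intel_ioc.csv
# hashes and domains arrive in mixed case; match case-insensitively
case_sensitive_match = false

# savedsearches.conf
# Steps 1/2: rebuild the lookup from the raw feed events every 30 minutes.
# Normalising to lower-case, trimmed values here means every lookup below
# matches on one canonical form; stats by indicator dedups the file and
# keeps the most recent source/description per IoC.
[Threat Intel - Build IoC lookup]
search = index=threatintel \
  | eval indicator=lower(trim(indicator)), indicator_type=lower(indicator_type) \
  | where isnotnull(indicator) AND indicator!="" \
  | where NOT (indicator_type="ip" AND (cidrmatch("10.0.0.0/8", indicator) OR cidrmatch("172.16.0.0/12", indicator) OR cidrmatch("192.168.0.0/16", indicator) OR cidrmatch("127.0.0.0/8", indicator))) \
  | stats latest(source) AS source latest(description) AS description max(_time) AS last_seen BY indicator indicator_type \
  | outputlookup threat_intel_ioc.csv
cron_schedule = */30 * * * *
enableSched = 1
dispatch.earliest_time = -7d
dispatch.latest_time = now

# Correlation + alert: match IPs, domains and hashes from the last 15 minutes
# against the lookup, keep only hits, summarise per indicator and host, and
# fire when the search returns at least one row.
[Threat Intel - IoC match]
search = (index=firewall OR index=proxy OR index=endpoint) \
  | eval ip=coalesce(dest_ip, src_ip) \
  | eval domain=lower(coalesce(query, dest_host)) \
  | eval hash=lower(coalesce(file_hash, sha256)) \
  | lookup threat_intel_ioc indicator AS ip OUTPUTNEW indicator_type AS ip_ioc source AS ip_ioc_source \
  | lookup threat_intel_ioc indicator AS domain OUTPUTNEW indicator_type AS domain_ioc source AS domain_ioc_source \
  | lookup threat_intel_ioc indicator AS hash OUTPUTNEW indicator_type AS hash_ioc source AS hash_ioc_source \
  | where isnotnull(ip_ioc) OR isnotnull(domain_ioc) OR isnotnull(hash_ioc) \
  | eval matched_value=case(isnotnull(ip_ioc), ip, isnotnull(domain_ioc), domain, isnotnull(hash_ioc), hash) \
  | eval matched_type=coalesce(ip_ioc, domain_ioc, hash_ioc) \
  | eval ioc_source=coalesce(ip_ioc_source, domain_ioc_source, hash_ioc_source) \
  | stats count min(_time) AS first_seen max(_time) AS last_seen values(index) AS indexes values(src_ip) AS src_ips BY matched_type matched_value ioc_source host
cron_schedule = */15 * * * *
enableSched = 1
dispatch.earliest_time = -15m
dispatch.latest_time = now
# trigger condition: any result row
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
# throttle repeats of the same indicator on the same host for an hour
alert.suppress = 1
alert.suppress.fields = host,matched_value
alert.suppress.period = 1h
action.email = 1
action.email.to = soc@example.com
```

Two design points: the lookup is keyed on a single normalised indicator column rather than one lookup per indicator type, so adding a new type (URL, email) is a feed-side change only; and private/loopback ranges are dropped when the lookup is built, because public feeds regularly contain them and they would otherwise match almost every internal event. The alert's stats output gives the analyst the indicator, its source feed and the affected host in one row, which is roughly what an ES notable would carry.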

elend
Path Finder

Thank you for the response. Do you have some technical reference about those points? I want to try it.


PickleRick
SplunkTrust

Since there is no ready-made full framework for this, there is no reference: you will have to zip-tie and duct-tape it yourself.

There are some add-ons and apps which can ingest specific kinds of data (typically they are made by TI service vendors, and their quality... varies greatly, to be diplomatic about it), but for other ones you will have to start from scratch and implement everything on your own.

After all, it's not that you're paying for ES for nothing 😉

livehybrid
SplunkTrust

Hi @elend 

Ultimately this really depends on what sources you are using for your threat intel, e.g. do they provide an API? Is it Internal? Does a Splunkbase app already exist for the vendor's feed?

This will drive the best approach and then lead to the technical implementation, but will always require a lot more manual work than using Enterprise Security, which is more of a turnkey solution for what you are trying to produce.

Because of the complexity involved here and the amount of unknowns, this would typically be something that you would need to consult with Splunk or a Splunk Partner to produce, unless you already have the technical abilities in-house. Whilst we could provide some example SPL, this would just be boilerplate and not really transferable to your environment without knowing a lot more information about your data, volumes, sources, TTP feeds, etc.

