Solved: How do I manually import threat intelligence downl...

thomasaporter · ‎08-08-2016

Is there anyway to manually import threat intelligence downloads for internal servers (offline from the internet)? Yes, I know that since the system is not connected to the internet, I should not have to worry about external threats. However, we do manually import event data that has come from the outside for our investigations, and I would like to correlate those against threat lists.

sjohnson_splunk · ‎08-08-2016

For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.

For other sources you can build a lookup file and then add it as a new source via the Web UI.

See this link for the details:

http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

View solution in original post

sjohnson_splunk · ‎08-08-2016

For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.

For other sources you can build a lookup file and then add it as a new source via the Web UI.

See this link for the details:

http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

thomasaporter · ‎08-08-2016

Cool....many thanks for the quick reply.

sjohnson_splunk · ‎08-08-2016

Are you using Splunk Enterprise Security? If so, what version?

thomasaporter · ‎08-08-2016

Splunk Enterprise 6.4.2 with Splunk App for Enterprise Security 4.1.1

How do I manually import threat intelligence downloads for internal deployments (no internet)?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor