Is there anyway to manually import threat intelligence downloads for internal servers (offline from the internet)? Yes, I know that since the system is not connected to the internet, I should not have to worry about external threats. However, we do manually import event data that has come from the outside for our investigations, and I would like to correlate those against threat lists.
For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.
For other sources you can build a lookup file and then add it as a new source via the Web UI.
See this link for the details:
http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists
For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.
For other sources you can build a lookup file and then add it as a new source via the Web UI.
See this link for the details:
http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists
Cool....many thanks for the quick reply.
Are you using Splunk Enterprise Security? If so, what version?
Splunk Enterprise 6.4.2 with Splunk App for Enterprise Security 4.1.1