Solved: How do I manually import threat intelligence downl...

thomasaporter · ‎08-08-2016

Is there anyway to manually import threat intelligence downloads for internal servers (offline from the internet)? Yes, I know that since the system is not connected to the internet, I should not have to worry about external threats. However, we do manually import event data that has come from the outside for our investigations, and I would like to correlate those against threat lists.

sjohnson_splunk · ‎08-08-2016

For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.

For other sources you can build a lookup file and then add it as a new source via the Web UI.

See this link for the details:

http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

View solution in original post

sjohnson_splunk · ‎08-08-2016

For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.

For other sources you can build a lookup file and then add it as a new source via the Web UI.

See this link for the details:

http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

thomasaporter · ‎08-08-2016

Cool....many thanks for the quick reply.

sjohnson_splunk · ‎08-08-2016

Are you using Splunk Enterprise Security? If so, what version?

thomasaporter · ‎08-08-2016

Splunk Enterprise 6.4.2 with Splunk App for Enterprise Security 4.1.1

How do I manually import threat intelligence downloads for internal deployments (no internet)?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies