
How do I manually import threat intelligence downloads for internal deployments (no internet)?

Explorer

Is there any way to manually import threat intelligence downloads for internal servers (offline from the internet)? Yes, I know that since the system is not connected to the internet, I should not have to worry about external threats. However, we do manually import event data that has come from the outside for our investigations, and I would like to correlate those against threat lists.


Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Contributor

Are you using Splunk Enterprise Security? If so, what version?


Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Explorer

Splunk Enterprise 6.4.2 with Splunk App for Enterprise Security 4.1.1


Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Contributor

For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.

For other sources you can build a lookup file and then add it as a new source via the Web UI.

See this link for the details:

http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

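As an added example (not from this thread or from Splunk), the script below turns a hand-carried indicator text file into the kind of CSV lookup the answer above says can be added as a new threat source via the Web UI. The header `ip,domain,description,weight` is an assumption to verify against the linked Configureblocklists page for your ES version, and the sample feed is constructed.

```python
import csv, io, ipaddress, re

# Constructed sample feed (not real indicators): comments, blanks, defanged values, a duplicate.
SAMPLE_FEED = """
# feed snapshot, carried in by hand
192.0.2.10
example[.]net
hxxp://bad.example.org/path
192.0.2.10
not an indicator!!
"""
# Header assumed for an ES IP/domain threat list; verify it against the docs.
HEADER = ["ip", "domain", "description", "weight"]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def refang(value):
    """Undo common defanging so the value matches what appears in events."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    v = re.sub(r"^https?://", "", v)  # keep only the host part of a URL
    return v.split("/", 1)[0]
def classify(value):
    """Return 'ip', 'domain', or None for lines that are neither."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.match(value) else None
def build_lookup(feed_text, description, weight=1):
    """Parse a feed into de-duplicated lookup rows; also return rejects."""
    rows, seen, rejected = [], set(), []
    for raw in (line.strip() for line in feed_text.splitlines()):
        if not raw or raw.startswith("#"):
            continue
        value = refang(raw)
        kind = classify(value)
        if kind is None:
            rejected.append(raw)  # keep for manual review, never load blindly
        elif value not in seen:
            seen.add(value)
            ip, dom = (value, "") if kind == "ip" else ("", value)
            rows.append({"ip": ip, "domain": dom,
                         "description": description, "weight": weight})
    return rows, rejected
def write_csv(rows):
    buf = io.StringIO()  # CSV text of the lookup file to upload in the Web UI
    w = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```

Review the `rejected` list by hand before loading anything; a malformed line in a feed should never silently become a threat match.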

Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Explorer

Cool... many thanks for the quick reply.
