Splunk Search
Highlighted

How do I manually import threat intelligence downloads for internal deployments (no internet)?

Explorer

Is there anyway to manually import threat intelligence downloads for internal servers (offline from the internet)? Yes, I know that since the system is not connected to the internet, I should not have to worry about external threats. However, we do manually import event data that has come from the outside for our investigations, and I would like to correlate those against threat lists.

0 Karma
Highlighted

Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Contributor

Are you using Splunk Enterprise Security? If so, what version?

0 Karma
Highlighted

Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Explorer

Splunk Enterprise 6.4.2 with Splunk App for Enterprise Security 4.1.1

0 Karma
Highlighted

Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Contributor

For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.

For other sources you can build a lookup file and then add it as a new source via the Web UI.

See this link for the details:

http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

View solution in original post

0 Karma
Highlighted

Re: How do I manually import threat intelligence downloads for internal deployments (no internet)?

Explorer

Cool....many thanks for the quick reply.

0 Karma