Is there any way to manually import threat intelligence downloads for internal servers (offline from the internet)? Yes, I know that since the system is not connected to the internet, I should not have to worry about external threats. However, we do manually import event data that has come from the outside for our investigations, and I would like to correlate those against threat lists.
Are you using Splunk Enterprise Security? If so, what version?
Splunk Enterprise 6.4.2 with Splunk App for Enterprise Security 4.1.1
For OpenIOC and STIX files there is a location on the SH where you can put the files and they will automagically be loaded.
For other sources you can build a lookup file and then add it as a new source via the Web UI.
See this link for the details:
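To illustrate the "build a lookup file" route for an air-gapped search head, here is an added example (my own code, not from the thread or from Splunk) that turns a hand-carried indicator list into a CSV lookup and correlates manually imported events against it before the lookup ever reaches the UI. The column names, the event field mapping, and every indicator and event value are constructed for the demo; they are not the ES threat-intel schema, which you should take from the documentation for your version.

```python
"""Added example: build an offline threat-intel lookup CSV and correlate
manually imported events against it (assumed column layout, constructed data)."""
import csv
import io
import ipaddress

# Constructed indicator feed (hypothetical values: documentation IP ranges,
# example.* domains, and the MD5 of empty input).
SAMPLE_FEED = [
    {"threat_key": "offline_feed_1", "type": "ip", "indicator": "203.0.113.0/24",
     "weight": "60", "description": "constructed scanning range"},
    {"threat_key": "offline_feed_1", "type": "domain", "indicator": "bad.example.net",
     "weight": "80", "description": "constructed C2 domain"},
    {"threat_key": "offline_feed_2", "type": "hash",
     "indicator": "d41d8cd98f00b204e9800998ecf8427e",
     "weight": "40", "description": "constructed file hash"},
]

# Constructed events standing in for data imported by hand from outside.
SAMPLE_EVENTS = [
    {"_time": "2016-09-01T10:00:00Z", "src_ip": "203.0.113.45",
     "dest_domain": "intranet.example.com", "file_hash": ""},
    {"_time": "2016-09-01T10:05:00Z", "src_ip": "10.0.0.7",
     "dest_domain": "bad.example.net", "file_hash": ""},
    {"_time": "2016-09-01T10:09:00Z", "src_ip": "10.0.0.9",
     "dest_domain": "", "file_hash": "D41D8CD98F00B204E9800998ECF8427E"},
    {"_time": "2016-09-01T10:12:00Z", "src_ip": "10.0.0.3",
     "dest_domain": "intranet.example.com", "file_hash": ""},
]

# Assumed lookup columns and assumed event-field -> indicator-type mapping.
FIELDNAMES = ["threat_key", "type", "indicator", "weight", "description"]
FIELD_MAP = {"src_ip": "ip", "dest_domain": "domain", "file_hash": "hash"}


def write_lookup_csv(feed):
    """Serialise the feed as CSV text with a fixed header, the shape a lookup
    file takes before it is added as a new source."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDNAMES, lineterminator="\n")
    writer.writeheader()
    for row in feed:
        writer.writerow({k: row.get(k, "") for k in FIELDNAMES})
    return buf.getvalue()


def load_lookup_csv(text):
    """Parse the CSV into matchers, lower-casing indicators and skipping rows
    whose IP/CIDR does not parse so one bad line cannot poison the lookup."""
    networks, domains, hashes = [], {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        ind = row["indicator"].strip().lower()
        if row["type"] == "ip":
            try:
                networks.append((ipaddress.ip_network(ind, strict=False), row))
            except ValueError:
                continue
        elif row["type"] == "domain":
            domains[ind] = row
        elif row["type"] == "hash":
            hashes[ind] = row
    return {"ip": networks, "domain": domains, "hash": hashes}


def match_value(value, ind_type, lookup):
    """Return the matching indicator row, or None. IPs match by CIDR
    containment; domains and hashes by case-insensitive equality."""
    value = value.strip().lower()
    if not value:
        return None
    if ind_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        return next((row for net, row in lookup["ip"] if addr in net), None)
    return lookup[ind_type].get(value)


def correlate(events, lookup):
    """One hit per (event, field) whose value matches an indicator."""
    hits = []
    for ev in events:
        for field, ind_type in FIELD_MAP.items():
            row = match_value(ev.get(field, ""), ind_type, lookup)
            if row is not None:
                hits.append({"_time": ev["_time"], "field": field, "value": ev[field],
                             "threat_key": row["threat_key"],
                             "weight": int(row["weight"]),
                             "description": row["description"]})
    return hits


if __name__ == "__main__":
    lookup = load_lookup_csv(write_lookup_csv(SAMPLE_FEED))
    for hit in correlate(SAMPLE_EVENTS, lookup):
        print(hit)
```

Round-tripping through the CSV (write, then load) is deliberate: it exercises the same file you would carry onto the search head, so a feed row that fails to parse shows up here rather than as a silent non-match later.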