Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security
Upload threat intelligence in a STIX or OpenIOC file to Splunk Enterprise Security using one of the following methods:
- Upload a STIX or OpenIOC file using the Splunk Enterprise Security interface
- Add STIX or OpenIOC files using the REST API
- Add STIX or OpenIOC files using the file system
Upload a STIX or OpenIOC file using the Splunk Enterprise Security interface
Splunk Enterprise Security supports adding OpenIOC, STIX, and CSV file types directly in the Splunk Enterprise Security interface.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Uploads.
- Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel. The file name cannot include spaces or special characters.
- Upload an OpenIOC or STIX-formatted file.
- Type a Weight for the threat intelligence file. A higher weight raises the risk score of objects that match threat intelligence from this file.
- (Optional) Type a Threat Category. If you leave this field blank and a category is specified in the OpenIOC or STIX file, Splunk Enterprise Security uses the threat category specified in the file.
- (Optional) Type a Threat Group. If you leave this field blank and a group is specified in the OpenIOC or STIX file, Splunk Enterprise Security uses the threat group specified in the file.
- (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
- Click Save.
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
Add STIX or OpenIOC files using the REST API
The Splunk Enterprise Security REST API supports uploading threat intelligence files in OpenIOC, STIX, or CSV format. See Threat Intelligence API reference.
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
Add STIX or OpenIOC files using the file system
You can also add threat intelligence to Splunk Enterprise Security by adding a properly-formatted file to a file system folder.
- Add a STIX-formatted file with a .xml file extension or an OpenIOC file with a .ioc file extension to the $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel folder on your Splunk Enterprise Security search head, or make it available to that directory on a mounted local network share. Anything placed in this folder is loaded as trusted threat intelligence, so restrict write access to the folder (and to any network share mounted there) to the account that runs Splunk.
- By default, the da_ess_threat_local modular input processes those files and places the threat intelligence found in the relevant KV Store collections.
- By default, after processing the intelligence in the files, the modular input deletes the files because the sinkhole setting is enabled by default. Keep your own copy of the source file if you need to import it again.
Modify threat intelligence modular input settings
Modify the threat intelligence modular input settings to change the maximum file size that the input accepts, whether unusable files are removed, and whether files are deleted after processing.
Change the da_ess_threat_local inputs settings
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
- Click the da_ess_threat_local modular input.
- (Optional) Type a maximum file size in bytes.
- (Optional) Select the Sinkhole check box. If selected, the modular input deletes each file in the directory after processing the file.
- (Optional) Select the Remove Unusable check box. If selected, the modular input deletes a file after processing it if it has no actionable threat intelligence.
- Click Save.
Do not change the default da_ess_threat_default input.
Configure a custom folder and input monitor for threat sources
You can also add threat intelligence to Splunk Enterprise Security by adding a properly-formatted file to a custom file directory. The file directory must match the pattern $SPLUNK_HOME/etc/apps/<app_name>/local/threat_intel, and you must create an input monitor to monitor that file directory for threat intelligence.
Create an input monitor for threat sources to add threat intelligence to a different folder than the one monitored by the da_ess_threat_local modular input.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
- Click New.
- Type a descriptive name for the modular input. The name cannot include spaces.
- Type a path to the file repository. The file repository must be $SPLUNK_HOME/etc/apps/<app_name>/local/threat_intel.
- (Optional) Type a maximum file size in bytes.
- (Optional) Select the Sinkhole check box. If selected, the modular input deletes each file in the directory after processing the file.
- (Optional) Select the Remove Unusable check box. If selected, the modular input deletes a file after processing it if it has no actionable threat intelligence.
- (Optional) Type a number to use as the default weight for all threat intelligence documents consumed from this directory.
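For reference, the settings above correspond to one inputs.conf stanza in the app that owns the folder. The fragment below is an added example rather than Splunk documentation: the stanza type and key names are assumptions based on the inputs.conf.spec shipped with SA-ThreatIntelligence, and the app name my_ti_app and input name vendor_feed are hypothetical, so confirm the keys against the spec on your search head. Creating the input through the Threat Intelligence Management page is the supported route; the file form is shown only to make the settings explicit.

```ini
# $SPLUNK_HOME/etc/apps/my_ti_app/local/inputs.conf   (app name assumed)
# Stanza type and keys assumed from SA-ThreatIntelligence inputs.conf.spec.
[threat_intelligence_manager://vendor_feed]
# Must match the pattern $SPLUNK_HOME/etc/apps/<app_name>/local/threat_intel.
directory = $SPLUNK_HOME/etc/apps/my_ti_app/local/threat_intel
# Reject anything larger than 50 MiB before parsing it.
maxsize = 52428800
# Delete each file after it is processed (same meaning as the Sinkhole check box).
sinkhole = 1
# Delete files that yielded no actionable indicators (Remove Unusable check box).
remove_unusable = 1
# Weight applied to every document consumed from this folder.
default_weight = 30
disabled = 0
```

Before enabling the input, make the directory owned by the Splunk account with no write access for anyone else; every file it contains becomes trusted threat intelligence that raises risk scores, so a writable folder is an injection point into your detections.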
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6