Splunk® Enterprise Security

Administer Splunk Enterprise Security


This documentation does not apply to the most recent version of ES.

Supported types of threat intelligence in Splunk Enterprise Security

Splunk Enterprise Security supports several types of threat intelligence. Each supported type corresponds to the KV Store collection in which indicators of that type are stored.

The threat intelligence manager modular input parses downloaded and uploaded files and adds the indicators to these collections. Files parsed by the modular input can contain indicators of mixed types. Lookup files are different: if you use lookup files, whether uploaded lookup files or the local lookup files listed in the table, each lookup file must contain indicators of a single type, with the headers required for that type.

| Threat collection in KV Store | Supported IOC data types | Local lookup file | Required headers in lookup file |
|---|---|---|---|
| certificate_intel | X509 certificates | Local Certificate Intel | certificate_issuer, certificate_subject, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer_unit, certificate_subject_unit, description, weight |
| email_intel | Email | Local Email Intel | description, src_user, subject, weight |
| file_intel | File names or hashes | Local File Intel | description, file_hash, file_name, weight |
| http_intel | URLs | Local HTTP Intel | description, http_referrer, http_user_agent, url, weight |
| ip_intel | IP addresses | Local IP Intel | description, ip, weight |
| ip_intel | Domains | Local Domain Intel | description, domain, weight |
| process_intel | Processes | Local Process Intel | description, process, process_file_name, weight |
| registry_intel | Registry entries | Local Registry Intel | description, registry_path, registry_value_name, registry_value_text, weight |
| service_intel | Services | Local Service Intel | description, service, service_file_hash, service_dll_file_hash, weight |
| user_intel | Users | Local User Intel | description, user, weight |

The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.
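Because a lookup file that is missing a required header, or that mixes indicator types, is silently useless as threat intelligence, it helps to check a CSV before uploading it. The following added example (not part of the Splunk ES documentation or product) encodes the header table above and flags a domain that has strayed into the Local IP Intel file; the integer-weight check and the acceptance of CIDR ranges in the ip column are assumptions of this example.

```python
import csv
import io
import ipaddress

# Required headers per local lookup file, taken from the table on this page.
REQUIRED_HEADERS = {
    "Local Certificate Intel": {
        "certificate_issuer", "certificate_subject", "certificate_issuer_organization",
        "certificate_subject_organization", "certificate_serial",
        "certificate_issuer_unit", "certificate_subject_unit", "description", "weight"},
    "Local Email Intel": {"description", "src_user", "subject", "weight"},
    "Local File Intel": {"description", "file_hash", "file_name", "weight"},
    "Local HTTP Intel": {"description", "http_referrer", "http_user_agent", "url", "weight"},
    "Local IP Intel": {"description", "ip", "weight"},
    "Local Domain Intel": {"description", "domain", "weight"},
    "Local Process Intel": {"description", "process", "process_file_name", "weight"},
    "Local Registry Intel": {"description", "registry_path", "registry_value_name",
                             "registry_value_text", "weight"},
    "Local Service Intel": {"description", "service", "service_file_hash",
                            "service_dll_file_hash", "weight"},
    "Local User Intel": {"description", "user", "weight"},
}

def check_lookup(lookup_name, csv_text):
    """Return the problems found in a lookup CSV; an empty list means it is clean."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = set(reader.fieldnames or [])
    required = REQUIRED_HEADERS[lookup_name]
    problems += [f"missing header: {h}" for h in sorted(required - headers)]
    problems += [f"unexpected header: {h}" for h in sorted(headers - required)]
    for n, row in enumerate(reader, start=2):  # line 2 is the first data row
        # Lookup files hold one indicator type each: a domain in the IP file is
        # exactly the mixing the page warns about. CIDR ranges are accepted here.
        if lookup_name == "Local IP Intel":
            try:
                ipaddress.ip_network(row.get("ip") or "", strict=False)
            except ValueError:
                problems.append(f"line {n}: '{row.get('ip')}' is not an IP address")
        if not (row.get("weight") or "").isdigit():  # assumes an integer weight
            problems.append(f"line {n}: weight '{row.get('weight')}' is not an integer")
    return problems

# Constructed sample: a domain mixed into the IP lookup and a non-numeric weight.
SAMPLE_IP_INTEL = """description,ip,weight
known scanner,198.51.100.7,60
mixed-in domain,bad.example,60
typo in weight,203.0.113.0/24,high
"""
```

Run `check_lookup("Local IP Intel", SAMPLE_IP_INTEL)` to see both problems reported; a clean file returns an empty list.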


This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
