Supported types of threat intelligence in Splunk Enterprise Security
Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.
The threat intelligence manager modular input parses downloaded and uploaded files and adds indicators to these collections. If you use lookup files, such as uploaded lookup files or the local lookup files listed in the table, then you must separate the indicators by type into the lookup files. Otherwise, the files can contain mixed indicators.
|Threat collection in KV Store||Supported IOC data types||Local lookup file||Required headers in lookup file|
|certificate_intel||X509 Certificates||Local Certificate Intel|
certificate_issuer, certificate_subject, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer_unit, certificate_subject_unit, description, weight
|email_intel||Local Email Intel|
description, src_user, subject, weight
|file_intel||File names or hashes||Local File Intel|
description, file_hash, file_name, weight
|http_intel||URLs||Local HTTP Intel|
description, http_referrer, http_user_agent, url, weight
|ip_intel||IP addresses||Local IP Intel|
description, ip, weight
|domains||Local Domain Intel|
description, domain, weight
|process_intel||Processes||Local Process Intel|
description, process, process_file_name, weight
|registry_intel||Registry entries||Local Registry Intel|
description, registry_path, registry_value_name, registry_value_text, weight
|service_intel||Services||Local Service Intel|
description, service, service_file_hash, service_dll_file_hash, weight
|user_intel||Users||Local User Intel|
description, user, weight
collections.conf file in the
DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.
Add threat intelligence to Splunk Enterprise Security
Configure the threat intelligence sources included with Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
Feedback submitted, thanks!