Upload a custom CSV file of threat intelligence in Splunk Enterprise Security
You can add a custom file of threat intelligence to Splunk Enterprise Security. If you add threat indicators in a CSV file, they must all be the same type: a single CSV file can contain only one type of intelligence. If you want to mix types of indicators in one file, create an OpenIOC or STIX file instead, using an editor available on the web, and follow the instructions in Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security.
Identify whether your custom file contains certificate, domain, email, file, HTTP, IP, process, registry, service, or user threat intelligence and make sure that the custom CSV file is properly formatted.
- Select Configure > Data Enrichment > Lists and Lookups.
- Find the lookup file that matches the local threat intel you are providing. For example, Local File Intel.
- Open the relevant lookup to view the required headers.
- Create a new .csv file with a header row containing the required fields.
- Add the threat data to the .csv file.
See Supported types of threat intelligence in Splunk Enterprise Security for the CSV file headers.
Add the custom file to Splunk Enterprise Security.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Uploads.
- Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel. The file name cannot include spaces or special characters.
- Upload the CSV-formatted file.
- Type a Weight for the threat list. The weight of a threat file increases the risk score of objects associated with threat intelligence on this list.
- (Optional) Type a Threat Category.
- (Optional) Type a Threat Group.
- (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
- Click Save.
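The following pre-flight script is an added example, not part of this documentation or of Splunk Enterprise Security. It checks a custom CSV file before you upload it: the header row carries the fields the lookup needs, every row has an indicator, all indicators look like the same intelligence type, and the upload file name contains no spaces or special characters. The header names in KEY_FIELD and COMMON_FIELDS are assumptions for illustration; take the real ones from the matching lookup under Configure > Data Enrichment > Lists and Lookups. The classify() heuristics (IP address, hex digest of MD5/SHA-1/SHA-256 length, DNS name) and the file-name pattern are also assumptions, and the sample CSV text is constructed.

```python
"""Pre-flight checks for a custom CSV threat intelligence file before it is
uploaded through Configure > Data Enrichment > Threat Intelligence Uploads.
Added example; not Splunk code."""
import csv
import io
import ipaddress
import re

# ASSUMPTION: indicator column per intelligence type. Confirm against the
# header row of the matching lookup (for example Local IP Intel) in ES.
KEY_FIELD = {"ip": "ip", "domain": "domain", "file": "file_hash"}
# ASSUMPTION: fields every row should also carry.
COMMON_FIELDS = {"description"}

# ASSUMPTION: interpretation of "no spaces or special characters" for the
# upload file name: letters, digits, underscore, dot and hyphen only.
FILENAME_RE = re.compile(r"[A-Za-z0-9_.-]+\.csv")

# Hex digest lengths for MD5, SHA-1 and SHA-256.
HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample files.
GOOD_IP_CSV = (
    "description,ip\n"
    "scanner seen on honeypot,203.0.113.7\n"
    "botnet c2,198.51.100.25\n"
)
MIXED_CSV = (
    "description,ip\n"
    "c2 domain,bad.example\n"
    "dropper md5,d41d8cd98f00b204e9800998ecf8427e\n"
)


def filename_ok(name: str) -> bool:
    """True when the upload file name is safe to type into the Upload form."""
    return FILENAME_RE.fullmatch(name) is not None


def classify(value: str) -> str:
    """Guess which intelligence type an indicator value belongs to."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.fullmatch(value):
        return "file"
    if DOMAIN_RE.fullmatch(value):
        return "domain"
    return "unknown"


def validate(text: str, intel_type: str) -> list:
    """Return a list of problems; an empty list means the file is ready."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    headers = set(reader.fieldnames or [])
    key = KEY_FIELD[intel_type]
    missing = ({key} | COMMON_FIELDS) - headers
    if missing:
        problems.append(f"header row missing field(s): {sorted(missing)}")
        return problems  # rows cannot be read without the key column
    seen = set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        value = (row.get(key) or "").strip()
        if not value:
            problems.append(f"line {lineno}: empty {key}")
            continue
        kind = classify(value)
        if kind != intel_type:
            # A CSV upload must contain one intelligence type only.
            problems.append(
                f"line {lineno}: {value!r} looks like {kind} intel, not {intel_type}"
            )
        if value in seen:
            problems.append(f"line {lineno}: duplicate indicator {value!r}")
        seen.add(value)
    return problems


if __name__ == "__main__":
    for name, text in (("local_ip_intel.csv", GOOD_IP_CSV), ("mixed list.csv", MIXED_CSV)):
        print(name, "filename ok" if filename_ok(name) else "bad filename")
        for problem in validate(text, "ip") or ["no problems"]:
            print("  ", problem)
```

Run the script on its own to see the constructed good file pass and the mixed file fail on both rows; swap in your own CSV text and the header names from the lookup you opened in step 3 before trusting the result.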
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If needed, you can modify threat intelligence modular input settings to adjust the default file size or other settings. See Modify threat intelligence modular input settings.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6