Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Supported types of threat intelligence in Splunk Enterprise Security

Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.

The threat intelligence manager modular input parses downloaded and uploaded files and adds indicators to these collections. If you use lookup files, such as uploaded lookup files or the local lookup files listed in the table, then you must separate the indicators by type into the lookup files. Otherwise, the files can contain mixed indicators.

Threat collection in KV Store Supported IOC data types Local lookup file Required headers in lookup file
certificate_intel X509 Certificates Local Certificate Intel 
certificate_issuer, certificate_subject, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer_unit, certificate_subject_unit, description, weight
email_intel Email Local Email Intel 
description, src_user, subject, weight
file_intel File names or hashes Local File Intel 
description, file_hash, file_name, weight
http_intel URLs Local HTTP Intel 
description, http_referrer, http_user_agent, url, weight
ip_intel IP addresses Local IP Intel 
description, ip, weight
domains Local Domain Intel 
description, domain, weight
process_intel Processes Local Process Intel 
description, process, process_file_name, weight
registry_intel Registry entries Local Registry Intel 
description, registry_path, registry_value_name, registry_value_text, weight
service_intel Services Local Service Intel 
description, service, service_file_hash, service_dll_file_hash, weight
user_intel Users Local User Intel 
description, user, weight

The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.

Last modified on 09 December, 2017
Add threat intelligence to Splunk Enterprise Security   Configure the threat intelligence sources included with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters