Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security

Upload threat intelligence in a STIX or OpenIOC file to Splunk Enterprise Security using one of the following methods:

• Upload a STIX or OpenIOC file using the Splunk Enterprise Security interface
• Add STIX or OpenIOC files using the REST API
• Add STIX or OpenIOC files using the file system

Upload a STIX or OpenIOC file using the Splunk Enterprise Security interface

Splunk Enterprise Security supports adding OpenIOC, STIX, and CSV file types directly in the Splunk Enterprise Security interface.

1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Uploads.
2. Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel. The file name cannot include spaces or special characters.
3. Upload an OpenIOC or STIX-formatted file.
4. Type a Weight for the threat intelligence file. The weight of a threat intelligence file increases the risk score of objects associated with threat intelligence on this list.
5. (Optional) Type a Threat Category. If you leave this field blank and a category is specified in the OpenIOC or STIX file, Splunk Enterprise Security uses the threat category specified in the file.
6. (Optional) Type a Threat Group. If you leave this field blank and a group is specified in the OpenIOC or STIX file, Splunk Enterprise Security uses the threat group specified in the file.
7. (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
8. (Optional) Select the Sinkhole check box. This deletes the file after the intelligence from the file is processed.
9. Click Save.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

Add STIX or OpenIOC files using the REST API

The Splunk Enterprise Security REST API supports uploading threat intelligence files in OpenIOC, STIX, or CSV format. See Threat Intelligence API reference.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

Add STIX or OpenIOC files using the file system

You can also add threat intelligence to Splunk Enterprise Security by adding a properly-formatted file to a file system folder.

1. Add a STIX-formatted file with a .xml file extension or an OpenIOC file with a .ioc file extension to the $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel folder on your Splunk Enterprise Security search head or make it available to that file directory on a mounted local network share.
2. By default, the da_ess_threat_local modular input processes those files and places the threat intelligence found in the relevant KV Store collections.
3. By default, after processing the intelligence in the files, the modular input deletes the files because the sinkhole setting is enabled by default.

Change the da_ess_threat_local inputs settings

1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
2. Click the da_ess_threat_local modular input.
3. Review or change the settings as required.

Do not change the default da_ess_threat_default input.

Configure a custom folder and input monitor for threat sources

You can also add threat intelligence to Splunk Enterprise Security by adding a properly-formatted file to a custom file directory. The file directory must match the pattern $SPLUNK_HOME/etc/apps/<app_name>/local/data/<directory_name>, and you must create an input monitor to monitor that file directory for threat intelligence.

Create an input monitor for threat sources to add threat intelligence to a different folder than the one monitored by the da_ess_threat_local modular input.

1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
2. Click New
3. Type a descriptive name for the modular input. The name cannot include spaces.
4. Type a path to the file repository. The file repository must be $SPLUNK_HOME/etc/apps/<app_name>/local/data/<directory_name>
5. (Optional) Type a maximum file size in bytes.
6. (Optional) Select the Sinkhole check box. If selected, the modular input deletes each file in the directory after processing the file.
7. (Optional) Select the Remove Unusable check box. If selected, the modular input deletes a file after processing it if it has no actionable threat intelligence.
8. (Optional) Type a number to use as the default weight for all threat intelligence documents consumed from this directory.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.