Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Upload a custom CSV file of threat intelligence in Splunk Enterprise Security

You can add a custom file of threat intelligence to Splunk Enterprise Security.


Format the custom CSV file by adding headers for each type of intelligence in the file. The custom file can contain multiple types of intelligence, but you must include headers for each column in the CSV file. See Supported types of threat intelligence in Splunk Enterprise Security for the headers relevant for each type of threat intelligence.

Add the custom file to Splunk Enterprise Security.

  1. On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Uploads.
  2. Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel. The file name cannot include spaces or special characters.
  3. Upload the CSV-formatted file.
  4. Type a Weight for the threat list. The weight of a threat file increases the risk score of objects associated with threat intelligence on this list.
  5. (Optional) Type a Threat Category.
  6. (Optional) Type a Threat Group.
  7. (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
  8. (Optional) Select the Sinkhole check box. This deletes the file after the intelligence from the file is processed.
  9. Click Save.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

Last modified on 09 November, 2020
Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security
Add threat intelligence from Splunk events in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters