Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Supported types of threat intelligence in Splunk Enterprise Security

Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.

The threatlist modular input parses downloaded and uploaded files and adds indicators to these collections. Files can contain any combination of indicators.

Threat collection in KV Store Supported IOC data types Local lookup file Required headers in lookup file with no spaces after commas
certificate_intel X509 Certificates Local Certificate Intel
email_intel Email Local Email Intel
file_intel File names or hashes Local File Intel
http_intel URLs Local HTTP Intel
ip_intel IP addresses Local IP Intel
domains Local Domain Intel
process_intel Processes Local Process Intel
registry_intel Registry entries Local Registry Intel
service_intel Services Local Service Intel
user_intel Users Local User Intel

The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.

The inputs.conf.spec file in the SA-ThreatIntelligence subdirectory lists the specifications for headers, such as weight:

weight = <integer>
* [Required]
* The weight assigned to the intelligence.
* Between 1 and 100.
* A higher weight will result in higher risk scores for corresponding intelligence matches.
* Defaults to 60.
Last modified on 16 July, 2021
Add threat intelligence to Splunk Enterprise Security
Configure the intelligence sources included with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters