Supported types of threat intelligence in Splunk Enterprise Security
Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.
The threatlist modular input parses downloaded and uploaded files and adds indicators to these collections. Files can contain any combination of indicators.
| Threat collection in KV Store | Supported IOC data types | Local lookup file |
|---|---|---|
| certificate_intel | X509 certificates | Local Certificate Intel |
| email_intel | Email | Local Email Intel |
| file_intel | File names or hashes | Local File Intel |
| http_intel | URLs | Local HTTP Intel |
| ip_intel | IP addresses | Local IP Intel |
| ip_intel | Domains | Local Domain Intel |
| process_intel | Processes | Local Process Intel |
| registry_intel | Registry entries | Local Registry Intel |
| service_intel | Services | Local Service Intel |
| user_intel | Users | Local User Intel |
Each local lookup file must begin with the header row required for its collection, written with no spaces after the commas; the header fields are specified in inputs.conf.spec, described below.
The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.
The inputs.conf.spec file in the SA-ThreatIntelligence subdirectory lists the specifications for the header fields, such as weight:
    weight = <integer>
    * [Required]
    * The weight assigned to the intelligence.
    * Between 1 and 100.
    * A higher weight will result in higher risk scores for corresponding intelligence matches.
    * Defaults to 60.
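As an added example (not Splunk's own code), the following Python script pre-checks a local lookup file against the two rules stated above before it is uploaded: the header row must contain no spaces after commas, and weight must be an integer from 1 to 100, defaulting to 60 when blank. The mapping from indicator values to KV Store collections is an illustrative heuristic (the threatlist modular input routes on the file's field names, not on value shape), the column name ip for the indicator field is an assumption, and the sample file contents are constructed for the example.

```python
"""Pre-flight checks for a threat intelligence lookup file before uploading it
to Splunk Enterprise Security. Added example, not Splunk's own code."""
import csv
import io
import ipaddress
import re
from collections import Counter

DEFAULT_WEIGHT = 60  # "Defaults to 60" per inputs.conf.spec

# Value-shape heuristics used only to show which collection an indicator
# would plausibly belong to (assumption: ES itself routes on field names).
_HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_indicator(value):
    """Return the KV Store collection an indicator value would land in."""
    v = value.strip()
    if v.lower().startswith(("http://", "https://")):
        return "http_intel"            # URLs
    try:
        ipaddress.ip_address(v)
        return "ip_intel"              # IPv4/IPv6 addresses
    except ValueError:
        pass
    if _HEX_HASH.match(v):
        return "file_intel"            # MD5 / SHA-1 / SHA-256 hashes
    if _EMAIL.match(v):
        return "email_intel"
    if _DOMAIN.match(v):
        return "ip_intel"              # domains are stored in ip_intel too
    return "unknown"


def validate_weight(raw):
    """Apply the weight spec: integer, 1..100, default 60 when blank.
    Returns (weight, None) or (None, error_message)."""
    if raw is None or raw.strip() == "":
        return DEFAULT_WEIGHT, None
    try:
        w = int(raw)
    except ValueError:
        return None, "weight %r is not an integer" % raw
    if not 1 <= w <= 100:
        return None, "weight %d is outside 1..100" % w
    return w, None


def validate_lookup_file(text, indicator_field):
    """Validate lookup-file text. Returns (errors, per-collection counts)."""
    errors = []
    header_line = text.splitlines()[0] if text else ""
    if ", " in header_line:
        errors.append("header contains a space after a comma: %r" % header_line)
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames:
        return ["file is empty"], Counter()
    # Normalise so the remaining checks still run on a bad header.
    reader.fieldnames = [f.strip() for f in reader.fieldnames]
    if indicator_field not in reader.fieldnames:
        errors.append("required column %r missing from header" % indicator_field)
        return errors, Counter()
    counts = Counter()
    for lineno, row in enumerate(reader, start=2):
        value = row.get(indicator_field) or ""
        if not value.strip():
            errors.append("line %d: empty %s" % (lineno, indicator_field))
            continue
        _, err = validate_weight(row.get("weight"))
        if err:
            errors.append("line %d: %s" % (lineno, err))
        counts[classify_indicator(value)] += 1
    return errors, counts


# Constructed sample files (RFC 5737 / 3849 documentation addresses).
GOOD_FILE = (
    "ip,description,weight\n"
    "203.0.113.7,constructed C2 address,80\n"
    "198.51.100.22,constructed scanner (weight left blank -> 60),\n"
    "2001:db8::1,constructed IPv6 indicator,40\n"
)
BAD_FILE = (
    "ip, description, weight\n"            # spaces after commas
    "203.0.113.7,constructed example,250\n"  # weight out of range
    "203.0.113.8,constructed example,high\n" # weight not an integer
)

if __name__ == "__main__":
    for name, data in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        errs, counts = validate_lookup_file(data, "ip")
        print(name, dict(counts), errs)
```

Run the script directly to see the good file pass with three ip_intel indicators and the bad file rejected with one header error and two weight errors. The header check looks at the raw first line rather than the parsed field names, because the CSV parser would otherwise quietly absorb the stray space into the field name and the file would appear valid.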
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0