Splunk® Enterprise Security

Administer Splunk Enterprise Security


Supported types of threat intelligence in Splunk Enterprise Security

Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.

The threat intelligence manager modular input parses downloaded and uploaded files and adds indicators to these collections. Files can contain any combination of indicators.

For each threat collection in the KV Store, the table below lists the supported IOC data types, the local lookup file, and the required header row of that lookup file (with no spaces after the commas).

certificate_intel
  Supported IOC data types: X509 Certificates
  Local lookup file: Local Certificate Intel
  Required headers: certificate_issuer,certificate_subject,certificate_issuer_organization,certificate_subject_organization,certificate_serial,certificate_issuer_unit,certificate_subject_unit,description,weight

email_intel
  Supported IOC data types: Email
  Local lookup file: Local Email Intel
  Required headers: description,src_user,subject,weight

file_intel
  Supported IOC data types: File names or hashes
  Local lookup file: Local File Intel
  Required headers: description,file_hash,file_name,weight

http_intel
  Supported IOC data types: URLs
  Local lookup file: Local HTTP Intel
  Required headers: description,http_referrer,http_user_agent,url,weight

ip_intel
  Supported IOC data types: IP addresses
  Local lookup file: Local IP Intel
  Required headers: description,ip,weight

  Supported IOC data types: Domains
  Local lookup file: Local Domain Intel
  Required headers: description,domain,weight

process_intel
  Supported IOC data types: Processes
  Local lookup file: Local Process Intel
  Required headers: description,process,process_file_name,weight

registry_intel
  Supported IOC data types: Registry entries
  Local lookup file: Local Registry Intel
  Required headers: description,registry_path,registry_value_name,registry_value_text,weight

service_intel
  Supported IOC data types: Services
  Local lookup file: Local Service Intel
  Required headers: description,service,service_file_hash,service_dll_file_hash,weight

user_intel
  Supported IOC data types: Users
  Local lookup file: Local User Intel
  Required headers: description,user,weight

The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.
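As an added example (not code from the Splunk documentation or product), the following Python checker tests whether a local lookup file's header row matches one of the required header rows listed above, flags a space after a comma in the header, and reports data rows whose field count does not match the header. The file contents used at the bottom are constructed for illustration.

```python
import csv
import io

# Required header rows per KV Store threat collection, exactly as listed
# on this page; ip_intel accepts two lookup files (IP addresses and domains).
REQUIRED_HEADERS = {
    "certificate_intel": [
        "certificate_issuer,certificate_subject,certificate_issuer_organization,"
        "certificate_subject_organization,certificate_serial,certificate_issuer_unit,"
        "certificate_subject_unit,description,weight"],
    "email_intel": ["description,src_user,subject,weight"],
    "file_intel": ["description,file_hash,file_name,weight"],
    "http_intel": ["description,http_referrer,http_user_agent,url,weight"],
    "ip_intel": ["description,ip,weight", "description,domain,weight"],
    "process_intel": ["description,process,process_file_name,weight"],
    "registry_intel": ["description,registry_path,registry_value_name,registry_value_text,weight"],
    "service_intel": ["description,service,service_file_hash,service_dll_file_hash,weight"],
    "user_intel": ["description,user,weight"],
}


def validate_lookup(text):
    """Check the text of a local threat-intel lookup file.

    Returns (collection, problems): the KV Store collection whose required
    header row the first line matches (None if none), and a list of issues.
    """
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        return None, ["file is empty or has no header row"]
    header_line = lines[0]
    if ", " in header_line:
        problems.append("header row has a space after a comma")
    # Normalise only for matching; the file itself must not contain the spaces.
    header = ",".join(h.strip() for h in header_line.split(","))
    collection = next((c for c, v in REQUIRED_HEADERS.items() if header in v), None)
    if collection is None:
        problems.append("header row %r matches no supported collection" % header_line)
    expected = header.count(",") + 1
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if n == 1 or not row:
            continue  # skip the header row and blank lines
        if len(row) != expected:
            problems.append("line %d has %d fields, expected %d" % (n, len(row), expected))
    return collection, problems


if __name__ == "__main__":
    # Constructed sample file for the Local IP Intel lookup (TEST-NET-3 address).
    print(validate_lookup("description,ip,weight\nconstructed entry,203.0.113.7,60\n"))
```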


This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0

