Supported types of threat intelligence in Splunk Enterprise Security
Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.
The threatlist modular input parses downloaded and uploaded files and adds the indicators it finds to these collections. A single file can contain any combination of indicator types.
Threat collection in KV Store | Supported IOC data types | Local lookup file | Required headers in lookup file (no spaces after commas) |
---|---|---|---|
certificate_intel | X509 certificates | Local Certificate Intel | certificate_issuer,certificate_subject,certificate_issuer_organization,certificate_subject_organization,certificate_serial,certificate_issuer_unit,certificate_subject_unit,description,weight |
email_intel | Email | Local Email Intel | description,src_user,subject,weight |
file_intel | File names or hashes | Local File Intel | description,file_hash,file_name,weight |
http_intel | URLs | Local HTTP Intel | description,http_referrer,http_user_agent,url,weight |
ip_intel | IP addresses | Local IP Intel | description,ip,weight |
ip_intel | Domains | Local Domain Intel | description,domain,weight |
process_intel | Processes | Local Process Intel | description,process,process_file_name,weight |
registry_intel | Registry entries | Local Registry Intel | description,registry_path,registry_value_name,registry_value_text,weight |
service_intel | Services | Local Service Intel | description,service,service_file_hash,service_dll_file_hash,weight |
user_intel | Users | Local User Intel | description,user,weight |
The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.

The inputs.conf.spec file in the SA-ThreatIntelligence subdirectory lists the specifications for the headers, such as weight:

    weight = <integer>
    * [Required]
    * The weight assigned to the intelligence.
    * Between 1 and 100.
    * A higher weight will result in higher risk scores for corresponding intelligence matches.
    * Defaults to 60.
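A lookup file that uses the wrong column names, a space after a comma in the header, or a weight outside 1 to 100 is silently ineffective rather than loudly rejected, so it is worth checking a local lookup CSV before uploading it. The following validator is an added example written for this page; it is not part of Splunk Enterprise Security or its documentation. The required header sets are transcribed from the table above, the default weight of 60 is taken from the inputs.conf.spec excerpt, and the sample CSV contents (including the RFC 5737 test addresses) are constructed here for illustration.

```python
"""Validate a local threat intelligence lookup CSV before uploading it to Splunk ES.

Added example, not Splunk's own code. The header requirements come from the
table of supported threat intelligence types; the sample files are constructed.
"""
import csv
import io
import sys

# Required header sets per local lookup file, transcribed from the table above.
REQUIRED_HEADERS = {
    "Local Certificate Intel": [
        "certificate_issuer", "certificate_subject",
        "certificate_issuer_organization", "certificate_subject_organization",
        "certificate_serial", "certificate_issuer_unit", "certificate_subject_unit",
        "description", "weight",
    ],
    "Local Email Intel": ["description", "src_user", "subject", "weight"],
    "Local File Intel": ["description", "file_hash", "file_name", "weight"],
    "Local HTTP Intel": ["description", "http_referrer", "http_user_agent", "url", "weight"],
    "Local IP Intel": ["description", "ip", "weight"],
    "Local Domain Intel": ["description", "domain", "weight"],
    "Local Process Intel": ["description", "process", "process_file_name", "weight"],
    "Local Registry Intel": ["description", "registry_path", "registry_value_name",
                             "registry_value_text", "weight"],
    "Local Service Intel": ["description", "service", "service_file_hash",
                            "service_dll_file_hash", "weight"],
    "Local User Intel": ["description", "user", "weight"],
}

DEFAULT_WEIGHT = 60  # "Defaults to 60" in the inputs.conf.spec excerpt


def effective_weight(value):
    """Weight Splunk would apply for a cell: the integer given, or 60 when blank."""
    value = value.strip()
    return DEFAULT_WEIGHT if value == "" else int(value)


def validate_lookup(text, lookup_name):
    """Return a list of problems found in a lookup CSV; an empty list means it is acceptable.

    Checks: every required column is present, no header cell carries whitespace
    (the "no spaces after commas" rule: ' ip' is not the field 'ip'), each data
    row has as many fields as the header, and every non-blank weight is an
    integer from 1 to 100.
    """
    required = REQUIRED_HEADERS[lookup_name]
    problems = []
    reader = csv.reader(io.StringIO(text))  # csv does not strip whitespace, so we see it
    header = next(reader, None)
    if header is None:
        return ["file is empty"]
    for cell in header:
        if cell != cell.strip():
            problems.append(f"header {cell!r} has surrounding whitespace and will not match a required name")
    names = [c.strip() for c in header]
    for col in required:
        if col not in names:
            problems.append(f"missing required column {col!r}")
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line
        if len(row) != len(names):
            problems.append(f"line {lineno}: expected {len(names)} fields, got {len(row)}")
            continue
        rec = dict(zip(names, row))
        if "weight" in rec:
            w = rec["weight"].strip()
            if w == "":
                continue  # blank weight falls back to the default of 60
            if not w.isdigit() or not 1 <= int(w) <= 100:
                problems.append(f"line {lineno}: weight {w!r} is not an integer between 1 and 100")
    return problems


# Constructed sample files (not real indicators; addresses are RFC 5737 test ranges).
GOOD_IP_INTEL = """description,ip,weight
constructed example C2 host,203.0.113.7,90
constructed example scanner,198.51.100.42,
"""

BAD_IP_INTEL = """description, ip,weight
constructed example,203.0.113.7,150
constructed example,198.51.100.42
"""

if __name__ == "__main__":
    # Usage: python validate_lookup.py "Local IP Intel" file.csv  (or no args to run the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[2], newline="") as fh:
            samples = [(sys.argv[2], fh.read(), sys.argv[1])]
    else:
        samples = [("good sample", GOOD_IP_INTEL, "Local IP Intel"),
                   ("bad sample", BAD_IP_INTEL, "Local IP Intel")]
    for label, text, lookup in samples:
        found = validate_lookup(text, lookup)
        print(f"{label}: {'OK' if not found else 'problems found'}")
        for p in found:
            print("  -", p)
```

The validator keys on the lookup file name rather than the collection because ip_intel is fed by two different lookup files (IP addresses and domains) with different required headers. A blank weight is accepted because the spec states a default, but treat that as a deliberate choice: every indicator then contributes the same 60 to risk scores, which is rarely what an analyst curating a local list intends.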
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only