Add threat intelligence from Splunk events in Splunk Enterprise Security
You can add threat intelligence from Splunk events to the local threat intelligence lookups.
- Write a search that produces threat indicators. The search results must carry the fields defined by the local lookup you are writing to, for example an ip field for local_ip_intel.
- Add | outputlookup local_<threat intelligence type>_intel append=t to the end of the search, where <threat intelligence type> matches the lookup you want to populate, such as ip, domain, or file.
For example, write a search that produces a list of IP addresses that are probing a web server for vulnerabilities and add them to the local_ip_intel lookup. The threat intelligence modular input then processes the lookup and adds the indicators to the ip_intel KV Store collection, where they are matched against events by the threat matching searches.
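The following search is an added example, not a search from the Splunk Enterprise Security documentation. It assumes that the Web data model is accelerated (summariesonly=true), that internal client ranges are 10.0.0.0/8 and 192.168.0.0/16, that 200 or more 4xx responses from one source in the search window is a reasonable scanner threshold for your site, and that local_ip_intel carries the fields ip, description, and weight. Confirm those field names against the lookup definition in your deployment before scheduling it.

```spl
| tstats summariesonly=true count AS requests
    FROM datamodel=Web
    WHERE Web.status>=400 AND Web.status<500
    BY Web.src
| rename Web.src AS ip
| where NOT cidrmatch("10.0.0.0/8", ip) AND NOT cidrmatch("192.168.0.0/16", ip)
| where requests>=200
| eval description="Web vulnerability scanning: ".requests." 4xx responses from this source",
       weight=60
| table ip, description, weight
| outputlookup local_ip_intel append=true
```

Run it as a scheduled search over a fixed window, such as the last 24 hours, so that the time range is the same on every run. Because append=true adds rows rather than merging them, an address that keeps scanning will be appended on each run; either accept the duplicate rows, which the modular input tolerates, or filter out addresses that are already in the lookup with an inputlookup subsearch before the outputlookup step.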
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2