Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Supported types of threat intelligence in Splunk Enterprise Security

Splunk Enterprise Security supports several types of threat intelligence. The supported types of threat intelligence correspond to the KV Store collections in which the threat intelligence is stored.

The threatlist modular input parses downloaded and uploaded files and adds indicators to these collections. Files can contain any combination of indicators.

| Threat collection in KV Store | Supported IOC data types | Local lookup file | Required headers in lookup file (no spaces after commas) |
|---|---|---|---|
| certificate_intel | X509 Certificates | Local Certificate Intel | certificate_issuer,certificate_subject,certificate_issuer_organization,certificate_subject_organization,certificate_serial,certificate_issuer_unit,certificate_subject_unit,description,weight |
| email_intel | Email | Local Email Intel | description,src_user,subject,weight |
| file_intel | File names or hashes | Local File Intel | description,file_hash,file_name,weight |
| http_intel | URLs | Local HTTP Intel | description,http_referrer,http_user_agent,url,weight |
| ip_intel | IP addresses | Local IP Intel | description,ip,weight |
| ip_intel | domains | Local Domain Intel | description,domain,weight |
| process_intel | Processes | Local Process Intel | description,process,process_file_name,weight |
| registry_intel | Registry entries | Local Registry Intel | description,registry_path,registry_value_name,registry_value_text,weight |
| service_intel | Services | Local Service Intel | description,service,service_file_hash,service_dll_file_hash,weight |
| user_intel | Users | Local User Intel | description,user,weight |

The collections.conf file in the DA-ESS-ThreatIntelligence subdirectory lists these KV Store collections.

The inputs.conf.spec file in the SA-ThreatIntelligence subdirectory lists the specifications for headers, such as weight:

weight = <integer>
* [Required]
* The weight assigned to the intelligence.
* Between 1 and 100.
* A higher weight will result in higher risk scores for corresponding intelligence matches.
* Defaults to 60.
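As an added example, not part of Splunk's documentation or code, the following Python checks a local lookup file before upload: the header line must match the required headers listed in the table above with no whitespace around the commas, and every row's weight must be an integer in the 1 to 100 range from inputs.conf.spec. The lookup names used as keys are the "Local lookup file" names from the table, and the sample rows are constructed, not real intelligence.

```python
import csv
import io

# Required headers per local lookup file, copied from the table on this page.
REQUIRED_HEADERS = {
    "Local Certificate Intel": ["certificate_issuer", "certificate_subject",
        "certificate_issuer_organization", "certificate_subject_organization", "certificate_serial",
        "certificate_issuer_unit", "certificate_subject_unit", "description", "weight"],
    "Local Email Intel": ["description", "src_user", "subject", "weight"],
    "Local File Intel": ["description", "file_hash", "file_name", "weight"],
    "Local HTTP Intel": ["description", "http_referrer", "http_user_agent", "url", "weight"],
    "Local IP Intel": ["description", "ip", "weight"],
    "Local Domain Intel": ["description", "domain", "weight"],
    "Local Process Intel": ["description", "process", "process_file_name", "weight"],
    "Local Registry Intel": ["description", "registry_path", "registry_value_name",
        "registry_value_text", "weight"],
    "Local Service Intel": ["description", "service", "service_file_hash",
        "service_dll_file_hash", "weight"],
    "Local User Intel": ["description", "user", "weight"],
}

def validate_lookup(lookup_name, text):
    """Return a list of problems found in a lookup file's text; an empty list means it passes."""
    required = REQUIRED_HEADERS[lookup_name]
    problems = []
    # The page requires header names with no spaces after the commas.
    raw = (text.splitlines() or [""])[0].split(",")
    if any(h != h.strip() for h in raw):
        problems.append("header has whitespace around a comma")
    headers = [h.strip() for h in raw]
    for label, names in (("missing", [h for h in required if h not in headers]),
                         ("unexpected", [h for h in headers if h not in required])):
        if names:
            problems.append(f"{label} headers: {','.join(names)}")
    # Each row's weight must be an integer in the inputs.conf.spec range of 1 to 100.
    rows = csv.reader(io.StringIO(text))
    next(rows)  # skip the header row already checked above
    for lineno, row in enumerate(rows, start=2):
        weight = dict(zip(headers, row)).get("weight", "").strip()
        if not weight.isdigit() or not 1 <= int(weight) <= 100:
            problems.append(f"line {lineno}: weight {weight!r} is not between 1 and 100")
    return problems

# Constructed sample lookup (documentation-range addresses, not real intelligence):
# the first row is valid, the second has a weight outside the documented range.
SAMPLE_IP_INTEL = """description,ip,weight
example scanner range (constructed),192.0.2.0/24,80
example host (constructed),198.51.100.7,250
"""
```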
Last modified on 16 July, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only