Upload a custom CSV file of threat intelligence in Splunk Enterprise Security
You can add a custom file of threat intelligence to Splunk Enterprise Security. Adding threat intelligence enhances the analysts' security monitoring capabilities and adds context to their investigations. Splunk Enterprise Security supports multiple types of threat intelligence so that you can add your own threat intelligence.
How to format threat intelligence files
You can format the custom CSV file by adding headers for each type of intelligence in the file. The custom file can contain multiple types of intelligence, but you can include headers for each column in the CSV file. See Supported types of threat intelligence in Splunk Enterprise Security for the headers relevant for each type of threat intelligence.
Alternatively, for threat intelligence sources without headers such as "iblocklist_tor", you can use Parsing Options fields in Splunk Enterprise Security to ensure that the CSV file parses successfully. For more information on using parsing options, see Add a URL-based intelligence source.
If you upload a threat intel CSV file, where the headers on the CSV do not map to the headers in the collections.conf
configuration file for various threat collections such as email_intel
, ip_intel
, certificate_intel
, add transforms.conf-style
field settings to the Fields field in the Parsing tab,
For example, for the following CSV file:
foo,bar,baz alpha,bravo,charlie
If the Fields setting is certificate_version:$1,certificate_serial:$3,certificate_subject_unit:$2
, then the resulting data from the certificate_intel
collection is as follows:
certificate_version | certificate_serial | certificate_subject_unit --------------------+--------------------+-------------------------- alpha | charlie | bravo
You must select fields that map to fields in the transforms.conf
configuration file for the various threat collections.
Prerequisites
To upload a custom CSV file for threat intelligence to Splunk Enterprise Security, you must meet the following requirements:
- Identify the threat intelligence file KVstore collection to which to add the intelligence
- identify the required columns in the CSV threat intelligence file
- identify the additional optional columns that the CSV threat intelligence file can include
- identify the information to provide for each column of the CSV threat intelligence file
- identify how to properly format the information in each column of the CSV threat intelligence file
- identify how the values in each column in the CSV threat intelligence file are used in dashboards, search processes, lookups, and so on
Add the custom file to Splunk Enterprise Security
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
- Type a file name for the file you want to upload. The file name you type becomes the name of the file saved to
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups
. The file name cannot include spaces or special characters and is saved in$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups
to ensure that all the search heads in a cluster are synchronized. - Upload the CSV-formatted file.
- Type a Weight for the threat list. The weight of a threat file increases the risk score of objects associated with threat intelligence on this list.
- (Optional) Select the Overwrite check box. If you have previously uploaded a file with the same file name, select this check box to overwrite the previous version of the file.
- (Optional) In the Advanced tab, select the Sinkhole check box. This deletes the file after the intelligence from the file is processed.
- Click Save.
Next step
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security | Add threat intelligence from Splunk events in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!