Splunk® Enterprise Security

Administer Splunk Enterprise Security

Add threat intelligence from Splunk events in Splunk Enterprise Security

You can add threat intelligence from Splunk events to the local threat intelligence lookups.

  1. Write a search that produces threat indicators.
  2. Add | outputlookup local_<threat intelligence type>_intel append=t to the end of the search.

The local_<threat intelligence type>_intel lookup files do not automatically prune themselves. Using append=t in a scheduled search adds to the file until the file is pruned either by some other scheduled search or manually.

If you run a scheduled search at an interval to populate this file for ingestion into the threat intelligence framework, append=f results in the lookup being overwritten each time the scheduled search is run so that you do not have to prune the file manually. Ensure that your scheduled run time is greater than your threat intelligence data source interval if this occurs.

Follow these guidelines to construct the search and leverage the local threat intelligence lookups:

  • Identify the local lookups that serve as threat intelligence documents.
    Navigate to Data Enrichment > Threat Intelligence Management > Sources.
    This lists the available local lookups such as local_ip_intel, local_http_intel, local_file_intel.
  • Edit the fields in the local CSV lookup using Edit Intelligence Document > Fields.
    To identify the fields supported by the lookup, navigate to the collections.conf configuration file: Settings > Lookups > Lookup Definitions and search for the ip_intel lookup.
    All fields supported by the ip_intel lookup are listed in Supported Fields for ip_intel.
  • Alternatively, you can also map the fields in the local CSV lookup to the fields in the ip_intel in the collections.conf file. For example: The following field names are supported by the ip_intel lookup in the collections.conf file:
    • ip
    • domain
    • description
    • address
    • city
    • country
    • postal_code
    • state_prov
    • organization_name
    • organization_id
    • registration_time
    However, the fields in your local CSV lookup are as follows and don't match the fields for ip_intel in the collections.conf file:
    • ip_address
    • domain_name
    • address
    Then, you can map the fields in the local CSV lookup to the format specified for the field names in the collections.conf file as follows: ip:$1, domain:$2, description:$3

You can also, write a search that produces a list of IP addresses that are testing a web server for vulnerabilities and add them to the local_ip_intel lookup to be processed by the modular input and added to the ip_intel KV Store collection.

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

Last modified on 06 September, 2023
Upload a custom CSV file of threat intelligence in Splunk Enterprise Security   Add and maintain threat intelligence locally in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters