Available threat intelligence and generic intelligence sources included in Splunk Enterprise Security
Use the following reference tables for details on the intelligence sources included in Splunk Enterprise Security. These sources are available for users with access to the threat intelligence management system, and not the cloud-hosted system.
Included threat intelligence sources
Splunk Enterprise Security parses threat-indicating entities from the data it obtains from intelligence sources and loads those threat entities into the appropriate KV store collection. The threat-matching searches in Splunk Enterprise Security then monitor the data models in your deployment for those entities.
To see the fields present in each of those KV store collections, see Supported types of threat intelligence in Splunk Enterprise Security.
| Threat source | Threat list provider | Website for the threat source |
|---|---|---|
| Emerging Threats compromised IPs blocklist | Emerging Threats | https://rules.emergingthreats.net/blockrules |
| Emerging Threats firewall IP rules | Emerging Threats | https://rules.emergingthreats.net/fwrules |
| Malware domain host list | Hail a TAXII.com | http://hailataxii.com |
| iblocklist Logmein | I-Blocklist | https://www.iblocklist.com/lists |
| iblocklist Piratebay | I-Blocklist | https://www.iblocklist.com/lists |
| iblocklist Proxy | I-Blocklist | https://www.iblocklist.com/lists |
| iblocklist Rapidshare | I-Blocklist | https://www.iblocklist.com/lists |
| iblocklist Spyware | I-Blocklist | https://www.iblocklist.com/lists |
| iblocklist Tor | I-Blocklist | https://www.iblocklist.com/lists |
| iblocklist Web attacker | I-Blocklist | https://www.iblocklist.com/lists |
| Phishtank Database | Phishtank | https://www.phishtank.com/ |
| SANS blocklist | SANS | https://isc.sans.edu |
Some of the feeds might require subscription.
Included generic intelligence sources
Splunk Enterprise Security also includes generic intelligence that is not added to the threat intelligence KV Store collections and is instead used to enrich data in Splunk Enterprise Security.
| Data list | Data provider | Website for data provider |
|---|---|---|
| Cisco Umbrella 1 Million Sites | Cisco | https://umbrella.cisco.com/blog/2016/12/14/cisco-umbrella-1-million/ |
| ICANN Top-level Domains List | IANA | https://data.iana.org/TLD/ |
| MaxMind GeoIP ASN IPv4 database | MaxMind | https://dev.maxmind.com/geoip/geoip2/geoip2-anonymous-ip-csv-database/ |
| MaxMind GeoIP ASN IPv6 database | MaxMind | https://dev.maxmind.com/geoip/geoip2/geoip2-anonymous-ip-csv-database/ |
| Mozilla Public Suffix List | Mozilla | https://publicsuffix.org |
| Mitre Att&ck | Mitre | https://attack.mitre.org/ |
You can configure the generic intelligence source to use for top one million sites by following these steps:
- In Splunk Enterprise Security, select Configure then General and then General settings.
- Scroll down to Top 1M Site Source and select Cisco.
| Available open intelligence sources for Splunk Enterprise Security | Managing security content in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!