Configure threat lists in Splunk Enterprise Security
Create up to 5 lists of threat-indicators published by your threat intelligence management (cloud) data sources that you want to use in Splunk Enterprise Security threat-matching searches and investigation enrichment.
You can configure threat lists to meet your specific security use case requirements, and you can set up multiple threat lists to pinpoint responses or target data to specific tools in your cybersecurity setup.
Each threat list has three parts that you can customize to meet your needs:
- Threat list details: Enter a custom name for your threat list and select the type of threat list you want to create.
- Intelligence sources: Choose any of the intelligence sources, premium or open source, available to you.
- Filters: Filter the indicators from those sources by score and indicator type and remove any indicators that are on a specified safelist.
Threat indicators that meet your criteria of sources and filters are placed in the appropriate Splunk Enterprise Security threat intelligence KV store collection for use by the threat-matching searches. Any of those indicators seen in your logs are enriched with additional contextual data provided by the intelligence sources.
Create a threat list
A threat list reduces alert volume by supplying a curated list of indicators of compromise (IOCs) to Splunk Enterprise Security. Create threat lists to filter and transform indicators into a high-fidelity dataset.
To create a threat list, complete the following steps:
- In Splunk Enterprise Security, select Configure and then Intelligence.
- In the Threat intelligence management (cloud) section, select Threat lists.
- Select + Threat list.
You can create no more than five threat lists.
- In the Threat list details section, enter a name for your threat list such as Medium and high IP addresses.
- Select a Threat list type such as Indicator prioritization. You can use the indicator prioritization threat list to filter indicators into a high-fidelity dataset that you can use with third-party tools or other integrations in your cybersecurity environment.
- Select Next.
- In the Intelligence sources section, select the check boxes for the intelligence sources you want to use in the threat list. The intelligence sources section displays the list of activated intelligence sources for your organization. If the list is long, you can use the search bar to locate a specific source you want to use. You can also filter the sources by type and select from premium sources or open sources.
You can select no more than 10 intelligence sources for a threat list.
- (Optional) Change the default weight of an intelligence source using the drop-down list for that source in the Weight column. Increasing the weight of a particular source increases the influence that the source's intelligence reporting has on the final priority score that the system calculates for any particular threat indicator.
- Select Next.
- In the Filters section, select the check boxes for the scores and indicator types you want to include in your threat list. Then select the check boxes for any safelist libraries you want to exclude from your list of prioritized indicators. Safe lists ensure that the threat list removes indicators containing specific terms or phrases.
- Select Create threat list.
After you create a threat list, Splunk Enterprise Security monitors its data models for the indicators present in the threat list and enriches any investigation that those indicators are a member of. You can activate only one threat list at a time in Splunk Enterprise Security.
Edit and delete threat lists
You can make changes to threat lists after you create them, and you can also remove ones you no longer need. To edit and delete threat lists, complete the following steps:
- Select Configure and then Intelligence.
- In the Threat intelligence management (cloud) section, select Threat lists.
- Locate the threat list you want to edit or delete, and then select the more icon ( ).
- To edit the threat list, select Edit. Then, make your changes and select Save threat list.
- To delete the threat list, select Delete. Then, confirm that you want to delete it by selecting Delete again.
Activate a threat list
To produce intelligence results for investigations, you must activate a particular threat list to use in Splunk Enterprise Security. You can select only one threat list to use at a time.
To activate a threat list, you must have the edit_intelligence_management capability, which is included with the ess_admin and ess_analyst roles.
To activate a threat list to use in Splunk Enterprise Security, complete the following steps:
- In Splunk Enterprise Security, select Configure then Intelligence.
- In the Threat intelligence management (cloud) section, select Threat lists.
- Find the threat list that you want to activate in the list, and then select the more icon ( ) for that threat list.
- Select Set as active.
The intelligence data shown in investigation comes from only the threat list you activate on the Configure page in Splunk Enterprise Security and not from any other threat lists you created.
After you set up a threat list in Splunk Enterprise Security and have access to threat intelligence, you can start managing observables and reviewing their priority scores for investigations. See Investigate observables related to an investigation in Splunk Enterprise Security.
See also
For more information on threat intelligence management (cloud), see the product documentation:
Add new threat intelligence sources in Splunk Enterprise Security | Modify existing intelligence sources in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!