Splunk® Enterprise Security

Administer Splunk Enterprise Security

Available threat intelligence and generic intelligence sources included in Splunk Enterprise Security

Use the following reference tables for details on the intelligence sources included in Splunk Enterprise Security. These sources are available for users with access to the threat intelligence management system, and not the cloud-hosted system.

Included threat intelligence sources

Splunk Enterprise Security parses threat-indicating entities from the data it obtains from intelligence sources and loads those threat entities into the appropriate KV store collection. The threat-matching searches in Splunk Enterprise Security then monitor the data models in your deployment for those entities.

To see the fields present in each of those KV store collections, see Supported types of threat intelligence in Splunk Enterprise Security.

Threat source Threat list provider Website for the threat source
Emerging Threats compromised IPs blocklist Emerging Threats https://rules.emergingthreats.net/blockrules
Emerging Threats firewall IP rules Emerging Threats https://rules.emergingthreats.net/fwrules
Malware domain host list Hail a TAXII.com http://hailataxii.com
iblocklist Logmein I-Blocklist https://www.iblocklist.com/lists
iblocklist Piratebay I-Blocklist https://www.iblocklist.com/lists
iblocklist Proxy I-Blocklist https://www.iblocklist.com/lists
iblocklist Rapidshare I-Blocklist https://www.iblocklist.com/lists
iblocklist Spyware I-Blocklist https://www.iblocklist.com/lists
iblocklist Tor I-Blocklist https://www.iblocklist.com/lists
iblocklist Web attacker I-Blocklist https://www.iblocklist.com/lists
Phishtank Database Phishtank https://www.phishtank.com/
SANS blocklist SANS https://isc.sans.edu

Some of the feeds might require subscription.

Included generic intelligence sources

Splunk Enterprise Security also includes generic intelligence that is not added to the threat intelligence KV Store collections and is instead used to enrich data in Splunk Enterprise Security.

Data list Data provider Website for data provider
Cisco Umbrella 1 Million Sites Cisco https://umbrella.cisco.com/blog/2016/12/14/cisco-umbrella-1-million/
ICANN Top-level Domains List IANA https://data.iana.org/TLD/
MaxMind GeoIP ASN IPv4 database MaxMind https://dev.maxmind.com/geoip/geoip2/geoip2-anonymous-ip-csv-database/
MaxMind GeoIP ASN IPv6 database MaxMind https://dev.maxmind.com/geoip/geoip2/geoip2-anonymous-ip-csv-database/
Mozilla Public Suffix List Mozilla https://publicsuffix.org
Mitre Att&ck Mitre https://attack.mitre.org/

You can configure the generic intelligence source to use for top one million sites by following these steps:

  1. In Splunk Enterprise Security, select Configure then General and then General settings.
  2. Scroll down to Top 1M Site Source and select Cisco.
Last modified on 26 September, 2024
Available open intelligence sources for Splunk Enterprise Security   Managing security content in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters