Add threat intelligence from Splunk events in Splunk Enterprise Security
You can add threat intelligence from Splunk events to the local threat intelligence lookups.
- Write a search that produces threat indicators.
- Add | outputlookup local_<threat intelligence type>_intel append=t to the end of the search.
Follow these guidelines to construct the search and leverage the local threat intelligence lookups:
- Identify the local lookups that serve as threat intelligence documents.
Navigate to Data Enrichment > Threat Intelligence Management > Sources.
This lists the available local lookups such as
- Edit the fields in the local CSV lookup using Edit Intelligence Document > Fields.
To identify the fields supported by the lookup, navigate to the collections.conf configuration file: Settings > Lookups > Lookup Definitions and search for the
All fields supported by the ip_intel lookup are listed in Supported Fields for
- Alternatively, you can map the fields in the local CSV lookup to the fields in the collections.conf file. For example, the following field names are supported by the ip_intel lookup in the collections.conf file:
ip:$1, domain:$2, description:$3
You can also write a search that produces a list of IP addresses that are testing a web server for vulnerabilities and add them to the local_ip_intel lookup, to be processed by the modular input and added to the ip_intel KV Store collection.
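The following search is an added example of that pattern and is not part of the Splunk documentation. It assumes web access logs in an index named web with the standard access_combined fields clientip, status, and uri_path; the thresholds (200 client-error responses across more than 50 distinct paths in 24 hours) are constructed values you would tune for your environment. The stats and where stages select sources that look like scanners, the lookup and isnull stages skip IP addresses already present in local_ip_intel so repeated scheduled runs do not append duplicates, and the final two stages write only the supported ip and description fields with append=t as described above.

```spl
index=web sourcetype=access_combined earliest=-24h status>=400 status<500
| stats count AS attempts, dc(uri_path) AS distinct_paths BY clientip
| where attempts > 200 AND distinct_paths > 50
| eval ip=clientip
| lookup local_ip_intel ip OUTPUT description AS existing_description
| where isnull(existing_description)
| eval description="Suspected web scanner: ".attempts." client-error responses across ".distinct_paths." distinct paths in the last 24h"
| fields ip, description
| outputlookup local_ip_intel append=t
```

Schedule the search as a saved search so new indicators accumulate in the CSV, which the threat intelligence modular input then processes into the ip_intel KV Store collection.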
To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.
If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0