Splunk® Enterprise Security

Administer Splunk Enterprise Security


Add and maintain threat intelligence locally in Splunk Enterprise Security

Each threat collection has a local lookup file that you can use to manually add threat intelligence.

  1. On the Enterprise Security menu bar, select Configure > Content > Content Management.
  2. Find the local lookup that matches the type of threat indicator you want to add. For example, use Local Certificate Intel to add information about malicious or spoofed certificates.
  3. Click the lookup name to edit the lookup.
  4. Add indicators to the lookup. Right-click and select Insert Row Below to add new rows as needed.
  5. (Optional) Type a numeric Weight to change the risk score for objects associated with indicators on this threat intelligence source.
  6. Click Save.
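As an added example (not from the Splunk documentation), the script below checks a batch of rows before they are pasted into a local lookup in step 4: the indicator column must not be empty, Weight must be a whole number when present, and duplicate indicators are dropped so they do not inflate risk scores twice. The column names `certificate_subject`, `description` and `weight` and the sample rows are assumptions for illustration; use the headers shown in your own lookup.

```python
"""Validate rows destined for a local threat intelligence lookup in
Splunk Enterprise Security before they are saved through the UI.
Added example; column names are assumptions, not the product's schema."""
import csv
import io

# Constructed sample in the shape of a local certificate intel lookup.
# Column names are assumed for illustration, not taken from the product.
SAMPLE_CSV = """certificate_subject,description,weight
CN=update.example.test,Spoofed cert seen in phishing kit,60
CN=update.example.test,Spoofed cert seen in phishing kit,60
  CN=bad-ca.example.test ,Rogue issuer,abc
,Missing subject,10
CN=evil.example.test,Known malicious,
"""

INDICATOR_FIELD = "certificate_subject"  # assumed indicator column name


def validate_rows(csv_text, indicator_field=INDICATOR_FIELD):
    """Return (clean_rows, errors). Clean rows are deduplicated on the
    indicator value; weight is kept as an int or None when left blank."""
    reader = csv.DictReader(io.StringIO(csv_text))
    seen = set()
    clean, errors = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        indicator = (row.get(indicator_field) or "").strip()
        if not indicator:
            errors.append(f"line {lineno}: empty {indicator_field}")
            continue
        weight = (row.get("weight") or "").strip()
        if weight and not weight.isdigit():
            errors.append(f"line {lineno}: weight must be numeric, got {weight!r}")
            continue
        if indicator in seen:
            errors.append(f"line {lineno}: duplicate indicator {indicator}")
            continue
        seen.add(indicator)
        clean.append({
            indicator_field: indicator,
            "description": (row.get("description") or "").strip(),
            "weight": int(weight) if weight else None,
        })
    return clean, errors


if __name__ == "__main__":
    rows, problems = validate_rows(SAMPLE_CSV)
    print(f"{len(rows)} rows ready to paste; {len(problems)} skipped: {problems}")
```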

Next step

To add another custom threat source, see Add threat intelligence to Splunk Enterprise Security and follow the link that matches the source that you want to add.

If you are finished adding threat intelligence sources, see Verify that you have added threat intelligence successfully in Splunk Enterprise Security.

Last modified on 22 November, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

