Configure threat intelligence sources in Splunk Enterprise Security

Configure threat intelligence sources to get intelligence data in Splunk Enterprise Security. You can configure sources by activating the intelligence sources included with Splunk Enterprise Security, or by manually adding new sources and then activating them.

Activate an intelligence source

Activate intelligence sources to start ingesting intelligence data and using it in your security investigations. If you want to activate a custom source that's not included with Splunk Enterprise Security, add the source manually first, and then activate it.

The following threat intelligence sources are activated by default:

  • Mozilla Public Suffix List
  • MITRE ATT&CK Framework
  • ICANN Top-level Domains List

To activate a source, do the following:
  1. In Splunk Enterprise Security, select Configure and then Threat intelligence.
  2. From the table on the Data sources page, select a source that you want to activate.
  3. For a Cloud source, do the following:
    1. If the source is a premium source, enter any required credentials in the Configurations section. To find the requirements for each available premium intelligence source, see Available premium intelligence sources for Splunk Enterprise Security.
      Note: Sources with a status of Activation stopped require additional action from you to continue ingesting intelligence data. Select the Action required tab to see if any sources stopped activation. Then, deactivate the source and reactivate it with updated credentials.
    2. Select Activate.
  4. For a Native source stored in the Splunk Enterprise Security application, do the following:
    1. In the Configurations section, enter field values that fit your security use case. You can use the URL to the source website to review the source provider's documentation. Each source website provides suggestions for polling intervals and other configuration requirements separate from Splunk Enterprise Security.
      Note: Splunk Enterprise Security expects all intelligence sources to provide properly formatted data and valuable intelligence information. Feed providers are responsible for malformed data or false positives that might be identified in your environment as a result. To see a reference table of the available sources, see Available threat intelligence and generic intelligence sources included in Splunk Enterprise Security.

    2. Select the toggle switch to Activate the source.
    3. Select Save changes.
After you activate a source, you can verify its activation Status on the Data sources page.
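Because Splunk Enterprise Security relies on the feed provider to deliver well formed indicators, it pays to inspect a Native source's feed before you activate it. The following script is an added example and is not part of the Splunk documentation or of Splunk Enterprise Security itself; it reads a feed in the common "one indicator per line, optional comma-separated description" layout, classifies each indicator (IPv4/IPv6 address or range, domain, URL, MD5/SHA-1/SHA-256 hash), and reports lines that are malformed or that would only generate noise, such as RFC 1918 addresses that match your own internal traffic. The sample feed, the address ranges treated as non-routable, and the function names are assumptions made for this example.

```python
"""Pre-activation sanity check for a threat intelligence feed.

Added example, not Splunk code. Run it against a downloaded copy of a
feed before activating the source in Splunk Enterprise Security. The
feed text below is constructed for illustration only.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample feed: comments, plain indicators, "indicator,description"
# rows, and a few deliberately broken entries.
SAMPLE_FEED = """\
# Example feed (constructed for this example)
198.51.100.23,scanner
203.0.113.0/24,botnet range
10.0.0.5,leaked internal address
2001:db8::1,c2
evil.example.com,phishing
d41d8cd98f00b204e9800998ecf8427e,md5 sample
not an indicator at all
999.1.1.1,malformed ip
bad_domain_.example,malformed domain
http://evil.example.com/payload.exe,dropper
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)

# Assumed list of ranges that should never appear in a threat feed: they
# would match internal, loopback or link-local traffic and flood alerts.
NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def classify(indicator):
    """Return the indicator type, or None if the value is malformed."""
    value = indicator.strip()
    if not value:
        return None
    if re.fullmatch(r"[0-9a-f]+", value, re.I) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if any(net.subnet_of(n) for n in NONROUTABLE if n.version == net.version):
            return "ip_nonroutable"
        return "ip" if net.num_addresses == 1 else "ip_range"
    if URL_RE.match(value):
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def check_feed(text):
    """Parse a feed and summarise indicator types, malformed and noisy lines."""
    counts = Counter()
    malformed = []   # (line number, indicator) pairs the feed should not contain
    noisy = []       # well formed but non-routable addresses
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indicator = line.split(",", 1)[0]   # first column is the indicator
        kind = classify(indicator)
        if kind is None:
            malformed.append((lineno, indicator))
        elif kind == "ip_nonroutable":
            noisy.append((lineno, indicator))
        else:
            counts[kind] += 1
    return {"counts": dict(counts), "malformed": malformed, "noisy": noisy}


if __name__ == "__main__":
    report = check_feed(SAMPLE_FEED)
    print("indicator types:", report["counts"])
    for lineno, value in report["malformed"]:
        print(f"line {lineno}: malformed indicator {value!r}")
    for lineno, value in report["noisy"]:
        print(f"line {lineno}: non-routable address {value!r} (likely noise)")
```

If a feed produces many malformed or noisy lines, raise it with the provider (per the note above, malformed data is their responsibility) or leave the source deactivated rather than ingesting it as-is. Adjust the NONROUTABLE list to your own address plan; the ranges used here are only the standard private, loopback and link-local blocks.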

Deactivate an intelligence source

Deactivate a source to stop Splunk Enterprise Security from ingesting intelligence data from it.
  1. In Splunk Enterprise Security, select Configure and then Threat intelligence.
  2. From the table on the Data sources page, select a source that you want to deactivate.
  3. For a Cloud source, select Deactivate.
  4. For a Native source stored in the Splunk Enterprise Security application, do the following:
    1. Select the toggle switch to Deactivate the source.
    2. Select Save changes.
After you deactivate a source, you can verify its activation Status on the Data sources page.