/services/data/threat_intel/upload
Upload a threat intelligence file in STIX, IOC, or CSV format.
The REST API endpoint only uploads the threat intelligence file. To configure threat intelligence, you must define the [threatlist] stanza in the inputs.conf configuration file. For more information on configuring threat intelligence, see Configure threat lists in Splunk Enterprise Security.
Syntax
https://<host>:<mPort>/services/data/threat_intel/upload
Usage details
For details of how Splunk Enterprise Security processes threat intelligence files, see Intelligence framework in Splunk ES.
POST
Upload a file.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| content (required) | String | | The threat intelligence file content, encoded in base64 format. |
| filename (required) | String | | The threat intelligence file name, with extension. Format: __threat_<name>.dmy |
| overwrite | Boolean | true | If set to true and a file with this name already exists, the API overwrites the file and reports success. If set to false and a file with this name already exists, the API returns an error. |
| max_size | bytes | 524288000 (500 MB) | The maximum size of the file that is uploaded. |
Data payload
A JSON-encoded string with the arguments.
Response
The endpoint returns a success or failure message, with HTTP status codes.
Example request
curl -ku admin:changeme https://localhost:8089/services/data/threat_intel/upload -d '{"filename": "__threat_example.dmy", "overwrite": true, "content": "dGhpcyBpcyBhIHRlc3Q="}' -H "Content-Type: application/json" -X POST
Example response
{"message": "File uploaded successfully.", "success": true, "internal_status": 0}
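The following Python client is an added example, not code from the Splunk documentation: it validates the filename format and the 500 MB limit on the client side, base64-encodes the file content into the JSON payload shown above, and checks the response's success flag. The bearer-token header, the verified-TLS context (instead of curl's -k), and the character set allowed in <name> are assumptions of this example.

```python
import base64
import json
import re
import ssl
import urllib.request

# Limits taken from the endpoint's documented request parameters.
MAX_SIZE_BYTES = 524288000  # 500 MB
# Assumed character set for <name>; the page only documents the __threat_<name>.dmy shape.
FILENAME_RE = re.compile(r"^__threat_[A-Za-z0-9_-]+\.dmy$")


def build_upload_payload(data: bytes, filename: str, overwrite: bool = True) -> dict:
    """Validate inputs client-side and build the JSON body for the upload endpoint."""
    if not FILENAME_RE.match(filename):
        raise ValueError(f"filename must match __threat_<name>.dmy, got {filename!r}")
    if len(data) > MAX_SIZE_BYTES:
        raise ValueError(f"file is {len(data)} bytes, exceeds max_size {MAX_SIZE_BYTES}")
    return {
        "filename": filename,
        "overwrite": overwrite,
        "content": base64.b64encode(data).decode("ascii"),
    }


def parse_upload_response(body: str) -> bool:
    """Return True only when the endpoint reports success; raise with the message otherwise."""
    reply = json.loads(body)
    if not reply.get("success"):
        raise RuntimeError(
            f"upload failed: {reply.get('message')} (internal_status={reply.get('internal_status')})"
        )
    return True


def upload_threat_file(host, mport, token, data, filename, overwrite=True, cafile=None):
    """POST the payload to the management port using a bearer token (assumed auth method)."""
    payload = json.dumps(build_upload_payload(data, filename, overwrite)).encode()
    req = urllib.request.Request(
        f"https://{host}:{mport}/services/data/threat_intel/upload",
        data=payload,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    # Verify the server certificate (optionally against a private CA) rather than disabling checks.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_upload_response(resp.read().decode())
```

With the constructed input b"this is a test" and filename __threat_example.dmy, build_upload_payload produces exactly the body used in the curl example above.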