Splunk Export Integration with Maltiverse

The Splunk Export connector allows you to operationalize Maltiverse threat intelligence in any Splunk deployment — including Splunk Core / Cloud without an Enterprise Security license — by populating a KV Store collection that your correlation searches consume with a single lookup.

Who this connector is for

Splunk Export is the recommended way to consume Maltiverse threat intelligence in any Splunk deployment, but it was specifically designed for customers who run Splunk Core or Splunk Cloud without an Enterprise Security (ES) license.

Out of the box, Splunk only exposes its native Threat Intelligence framework — the one that ingests TAXII feeds and STIX bundles, normalizes them into the threat lookups, and powers ES correlation searches — to customers who have purchased the Enterprise Security premium app.

Splunk Export closes that gap. It writes Maltiverse IoCs directly into a standard KV Store collection, which is available in every Splunk edition (Core, Cloud, Free), and is consumable from any saved search, dashboard, or alert via lookup.

You get the operational outcome of an ES Threat Intel feed — current malicious indicators ready for correlation — without needing an ES license.

Idea
If you already run Splunk Enterprise Security, you can keep using Maltiverse via TAXII / MISP into the ES Threat Intelligence framework. If you run Splunk Core / Cloud (or you simply prefer KV Store lookups over the ES threat intel pipeline), the Splunk Export connector is the recommended option. However, both deliver the same Maltiverse intelligence into Splunk searches.

Requirements

Before you start, make sure you have these in place.

  • Splunk Enterprise 8.x+, Splunk Cloud, or Splunk Free with KV Store enabled. Enterprise Security is NOT required.
  • HTTPS access to the Splunk management API (port 8089). For Splunk Cloud, the host pattern is https://<stack>.splunkcloud.com:8089.
  • Outbound connectivity allowed from Maltiverse to your Splunk endpoint (firewall, IP allow-list, VPN if applicable).

Integration overview

Maltiverse repopulates a Splunk KV Store collection on a recurring schedule with the latest IoCs from the feeds you select. Your Splunk searches then consume that collection with a standard lookup to enrich events, drive correlation rules, and trigger alerts.

This is a full-sync connector. Every export run wipes the target collection and writes the current state of your selected feeds. Expired indicators disappear automatically — keeping your blocklist up-to-date without human intervention.

To set up the integration you will need to:

  • Retrieve an Auth token from your Splunk instance
  • Set up the connector in the Maltiverse Portal

The following section will guide you through the process.

Retrieve the authentication token

Splunk Export authenticates with a bearer token, not a username/password. To create the token in Splunk follow these steps:

1. In Splunk Web, go to Settings > Tokens > Authentication Tokens.

2. Click New Token. Pick a Splunk user that owns the target app namespace (default: search).

3. Set an expiration that matches your security policy. We recommend 90 days with a renewal calendar reminder.

4. Copy the token value and store it somewhere safe — Splunk only shows it once.

Notes
The Splunk user behind the token must be able to: list and create KV Store collections, read/write/delete records in those collections, and create transforms.conf lookups in the target app namespace. The pre-built power role is enough for most setups; the user role is not.

Set up the Splunk Connector

Log in to the Maltiverse Portal and follow the instructions below.

1. Navigate to Intelligence > Connectors and locate the Splunk Export connector.

2. Click on Add Splunk Connection.

3. Fill in the form as follows:

    • Set up Connection Status as Enabled.
    • Provide a descriptive name (e.g. Production SOC Splunk Cloud).
    • Paste the Splunk Management URL. It must start with https:// and point to the management port (8089 by default).
    • Enter the Auth Token obtained in the Retrieve the authentication token step.
    • Verify SSL is ON by default. Disable it only if you sit behind a corporate proxy that re-signs TLS — and accept the security trade-off.
    • Pick the Feeds to Export. New connections come pre-loaded with the SIEM-tagged feeds (Phishing, APTs, Malware, C2, Malicious Hostnames, Cybercrime, Malicious URL, Malware Distribution). Add or remove from the dropdown.

4. Once you have filled in the necessary data, click Test Connection. You should see a green banner indicating that Maltiverse can reach the management API and your token works.

Notes
If Test Connection is unsuccessful, you can still save the configuration and fix the network/auth issue later. Maltiverse keeps the connection in a paused state until the next successful run.

5. Then, click Save. The new connection appears in the Manage Connections table with Online Status (or Pending until the first run).

Key concepts

The following are important considerations for this integration.

What gets exported

Each IoC becomes a row in the KV Store collection. The schema is fixed and includes:

KV Store field     Meaning
_key               Primary key, formatted as type:indicator (e.g., ip:8.8.8.8).
indicator          The actual IP, hostname, URL, or hash.
indicator_type     ip, hostname, url, or sample.
classification     malicious, suspicious, or whitelist.
threat_level       Numeric severity score from Maltiverse.
feed_id            Which Maltiverse feed produced the record.
country_code       Geolocation when available.
as_name            Owning ASN / organization.
creation_time      First time Maltiverse saw this IoC.
modification_time  Last update on this IoC.
tags               JSON array of threat tags (malware family, TTP, etc.).
blacklist          JSON array of third-party blacklists where this IoC was seen.
source_platform    Always "maltiverse".

KV Store collection, not HEC

Splunk Export writes records into a Splunk KV Store collection through the management API on port 8089. KV Store is Splunk's lookup-friendly key-value backend; data lands as structured rows that Splunk searches consume via the | lookup command. This is faster, smaller, and easier to correlate than streaming Maltiverse IoCs as HTTP Event Collector (HEC) events would be.

Auto-sync

Each export run automatically refreshes the records in the collection following this logic:

  • On the first feed of a run, Maltiverse deletes every existing record in the KV Store collection.
  • Then it writes the current state of the first feed.
  • If the connection has more feeds, it appends each one to the same collection.
  • If a previous run wrote 50,000 records and the current run only has 30,000, the collection ends with exactly 30,000 — the others are gone.

Idea
Stale block-lists are the most common operational problem with threat intelligence. Full-sync removes the maintenance burden — your Splunk lookup always reflects what Maltiverse considers malicious.

Supported IoC types

The connector exports four indicator families. Anything else in your feeds is silently skipped — only entries with a usable indicator value are written.

  • IPv4 addresses — exported under indicator_type=ip.
  • Hostnames — exported under indicator_type=hostname.
  • URLs — exported under indicator_type=url.
  • Samples — file hashes (SHA-256 preferred, MD5 fallback) exported under indicator_type=sample.

Schedule and lifecycle

By default, Splunk Export runs on an hourly schedule. You can also trigger a run on demand from the connection table (Run icon). Per-feed payloads are capped (typically at 9,999 IoCs per feed) and Splunk-side batches at 1,000 records per request — both are platform defaults you don't manage from the UI.

Use the data in Splunk

After the first run, you can confirm Maltiverse populated the collection. Run this in any Splunk Search & Reporting window:

| inputlookup maltiverse_threat_intel | stats count by indicator_type, classification

You should see counts grouped by IP / hostname / URL / sample, and by malicious / suspicious.
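As an added check (example code written for this page, not part of the Maltiverse connector or of Splunk), the following Python script pulls the collection through the same management API the connector writes to, validates each row against the fixed schema listed under "What gets exported", and reproduces the stats breakdown locally. The management URL, bearer token, app namespace and collection name are assumed inputs; the sample rows are constructed.

```python
import json
import ssl
import urllib.request
from collections import Counter

INDICATOR_TYPES = {"ip", "hostname", "url", "sample"}
CLASSIFICATIONS = {"malicious", "suspicious", "whitelist"}

def fetch_collection(base_url, token, app="search", collection="maltiverse_threat_intel"):
    """GET every row over the management API (port 8089). The app namespace
    must match the one the connector wrote into, or the result is empty."""
    url = (f"{base_url}/servicesNS/nobody/{app}/storage/collections/data/"
           f"{collection}?output_mode=json")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    # Certificate verification stays on, matching the connector's default.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def is_json_array(value):
    """tags and blacklist may come back as a list or as a JSON-encoded string."""
    try:
        return isinstance(value if isinstance(value, list) else json.loads(value), list)
    except (TypeError, ValueError):
        return False

def row_problems(row):
    """Return the schema violations found in one KV Store row (empty if clean)."""
    problems = []
    itype, ind = row.get("indicator_type"), row.get("indicator")
    if itype not in INDICATOR_TYPES:
        problems.append(f"bad indicator_type {itype!r}")
    if row.get("classification") not in CLASSIFICATIONS:
        problems.append(f"bad classification {row.get('classification')!r}")
    if row.get("_key") != f"{itype}:{ind}":
        problems.append(f"_key {row.get('_key')!r} is not {itype}:{ind}")
    if row.get("source_platform") != "maltiverse":
        problems.append("source_platform is not 'maltiverse'")
    for field in ("tags", "blacklist"):
        if not is_json_array(row.get(field)):
            problems.append(f"{field} is not a JSON array")
    return problems

def count_by_type_and_class(rows):
    """Same breakdown as '| stats count by indicator_type, classification'."""
    return Counter((r.get("indicator_type"), r.get("classification")) for r in rows)

# Constructed sample rows in the fixed schema (not real Maltiverse data).
SAMPLE_ROWS = [
    {"_key": "ip:203.0.113.10", "indicator": "203.0.113.10", "indicator_type": "ip",
     "classification": "malicious", "threat_level": 4, "tags": '["c2"]',
     "blacklist": "[]", "source_platform": "maltiverse"},
    {"_key": "hostname:bad.example", "indicator": "bad.example", "indicator_type":
     "hostname", "classification": "suspicious", "threat_level": 2,
     "tags": ["phishing"], "blacklist": [], "source_platform": "maltiverse"},
    # Deliberately malformed: _key does not follow type:indicator.
    {"_key": "url:wrong", "indicator": "http://x.example/a", "indicator_type": "url",
     "classification": "malicious", "threat_level": 3, "tags": "[]",
     "blacklist": "[]", "source_platform": "maltiverse"},
]
```

Run `fetch_collection` against your own stack and feed the result to `row_problems` and `count_by_type_and_class`; a row count of zero with no errors usually means the wrong app namespace.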

Correlation searches

These are the most common patterns. Replace src_ip / dest_host / url / file_hash with the field names your environment uses.

Match outbound IPs against Maltiverse

index=* src_ip=* | lookup maltiverse_threat_intel indicator AS src_ip OUTPUT classification, threat_level, tags | where isnotnull(classification) AND classification!="whitelist"

Match destination hostnames

index=* dest_host=* | lookup maltiverse_threat_intel indicator AS dest_host OUTPUT classification, threat_level, tags | where classification IN ("malicious", "suspicious")

Match URL fields from proxy / DNS logs

index=proxy url=* | lookup maltiverse_threat_intel indicator AS url OUTPUT classification, threat_level, tags | where classification IN ("malicious", "suspicious")

Match file hashes from EDR telemetry

index=edr file_hash=* | lookup maltiverse_threat_intel indicator AS file_hash OUTPUT classification, threat_level, tags | where classification="malicious"

Idea
Save these as scheduled searches with notable / alert actions. The KV Store refresh is hourly by default, so a 5-minute alert cadence is plenty fresh for most SOCs.

Best practices

  • Use one Splunk connection per Splunk stack. Don't multiplex production and lab into the same KV Store.
  • Pick feeds intentionally. Exporting every feed available will inflate the collection and slow down lookups. Start with the SIEM-tagged set and expand only when you have a use case.
  • Rotate the auth token periodically. Splunk lets you set an expiration — match it to your secrets policy and put renewal on the calendar before it expires.
  • Keep Verify SSL ON for any production stack. Disable only on lab / self-signed environments.
  • Name connections clearly. acme-prod-soc beats splunk test1.
  • Use | inputlookup for ad-hoc validation, | lookup for production correlations. The first pulls everything; the second is optimized to enrich existing events.
  • Combine with Maltiverse Whitelist to reduce false positives, no SPL changes required.

Use cases

The following are some of the most common use cases for this integration.

Threat-intelligence-driven correlation in Splunk Core / Cloud (no ES)

This is the flagship use case. You run Splunk Core or Splunk Cloud without the Enterprise Security license, and you need your correlation searches to flag connections to known-malicious infrastructure.

Splunk Export gives you a continuously refreshed KV Store of threat indicators that any saved search can join with | lookup. You get ES-style detections (notable events, alerts, dashboards) without needing an ES license.

  • Feeds: C2, Malware Distribution, APTs, Phishing.
  • Splunk: Scheduled saved searches that | lookup against firewall, proxy, DNS, EDR logs.
  • Action: Alert via email, ticketing, or webhook to your SOAR.

High-confidence malicious-IP alerting

Any inbound or outbound connection to a Maltiverse-malicious IP triggers a high-priority Splunk alert.

  • Feeds: C2, Malware Distribution, APTs.
  • Splunk: Scheduled search with | lookup against firewall / proxy logs, where classification="malicious".
  • Action: Notable / alert, ticket, optional auto-block via SOAR.

Phishing-domain correlation against email logs

Email security gateway logs go through a lookup against the Phishing feed. Anything matched fires a high-priority alert and triggers an O365 / Workspace mailbox search.

MSSP multi-tenant deployment

As an MSSP you can create one Splunk connection per customer Splunk stack. Each connection points to a different management URL and uses its own KV Store collection name (e.g., maltiverse_threat_intel_<customer>) to keep tenant data isolated. This is especially valuable when your customers run Splunk Core / Cloud — you can deliver a managed threat-intel-driven detection service without requiring each customer to license ES.

Threat-hunting dashboards

Build a dashboard that sums threat_level over time per asset. Combined with | inputlookup, you get a self-updating panel of what's currently in Maltiverse for your environment without writing any feed-management code.

Whitelisting feedback loop

Pair this connector with the Maltiverse Whitelist feature. When Splunk surfaces a false positive, your analyst whitelists the IoC in Maltiverse — on the next run, the row in maltiverse_threat_intel disappears and the alert stops firing. No code changes, no SPL edits.

Troubleshooting

Status shows Unreachable

Maltiverse couldn't reach Splunk's management API in the last attempt. Check in this order:

  1. Splunk URL is HTTPS and reachable from the public internet (or via the Maltiverse allow-list).
  2. The auth token is still valid (not rotated, not expired).
  3. Your Splunk firewall accepts traffic to port 8089 from Maltiverse.

Test Connection unsuccessful despite valid data

If your Splunk is behind a corporate proxy that re-signs TLS, the chain won't validate. Disable Verify SSL temporarily, save the connection, and run an export. If it succeeds, work with your network team to install the Maltiverse-signed cert chain on the proxy and re-enable verification.

No data in the KV Store after first run

When running into this issue try the following:

1. Check the connection Status — if it's not Online, fix the auth/network problem first.

2. Open the connection and verify the App Namespace matches the app where you're running | inputlookup. A collection in app=search is invisible to a search running in app=enterprise_security.

3. Click Run on the connection row to force an immediate run.

4. In Splunk: | inputlookup maltiverse_threat_intel | head 5 — if it fails, the collection didn't get created.

Splunk reports the collection is too big

This error occurs due to a feed-selection issue. Open the connection and check which feeds are listed under Feeds to Export. Removing one or two broad feeds usually drops the row count by an order of magnitude. The collection refills at the next run.

Auth token rotated and now everything is broken

Edit the connection, paste the new token, click Test Connection, then Save. The next scheduled run will succeed. There is no need to delete and recreate the connection.

FAQ

Why KV Store and not HEC?
HEC is great for streaming events. For threat intelligence — where you want a snapshot of what's currently malicious rather than a stream of things that happened — KV Store is a much better fit. It enables fast | lookup against logs without re-aggregating events, and full-sync semantics keep the snapshot accurate.

Does the connector send data to Splunk Cloud and Splunk Enterprise the same way?
Yes. Both expose the same management API on port 8089 and accept the same bearer-token auth. The only practical difference is the URL pattern — Splunk Cloud has https://<stack>.splunkcloud.com:8089, Splunk Enterprise has whatever your team configured.

How often does it run?
Hourly by default. The schedule is a platform-level setting; if you need a different cadence, contact your Maltiverse account team. You can always trigger a run on demand from the connection table.

Will my Splunk license consumption go up?
Lookups don't consume Splunk daily indexing volume — they live in KV Store, which Splunk does not bill against the indexing license. The only way ingest volume could go up is if you configure your correlation searches to write match results into a new index, which is your own choice.

Can I run multiple Splunk connections in parallel?
Yes. Each connection is independent: its own URL, token, collection, namespace, and feeds. MSSPs and large enterprises with multiple Splunk stacks routinely run 5–10 connections.

Can I customize the schema?
Not from the UI today. The schema is fixed and stable, which makes lookups predictable across customer environments. If you need extra fields, raise it with your account team — recurring requests inform the roadmap.

Is the data encrypted in transit?
Yes. All traffic to the Splunk management API is over HTTPS. SSL verification is on by default.

Do I need Splunk Enterprise Security?
No — and that's the point. Splunk's native Threat Intelligence framework (TAXII / STIX ingestion, threat_* lookups, ES Threat Activity dashboards) ships only with the Enterprise Security premium app. If you run Splunk Core or Splunk Cloud without an ES license, you cannot feed external threat indicators into correlation searches through that framework.

The Splunk Export connector is the supported alternative: it writes Maltiverse IoCs into a standard KV Store collection that any edition of Splunk can consume via | lookup. No ES license, no premium add-on, no custom Python required.

Does it also work with Splunk Enterprise Security?
Yes. The KV Store collection is accessible from any Splunk app, including ES. ES customers who prefer KV Store lookups over the ES Threat Intelligence framework — for example, because they want full-sync semantics or because they already have correlation searches built around | lookup — can use Splunk Export exactly the same way as non-ES customers. You can also run both paths in parallel during a migration.

How do I delete a connection?
Click the trash icon on the row in Manage Connections. The connection is removed from Maltiverse and no further runs are scheduled. The KV Store collection on your Splunk side is not deleted automatically — clean it up in Splunk if you no longer need it.

What roles can manage Splunk Export connections?
The same roles that manage other connectors in your tenant — typically Admin, Platform Leader, and Researcher. Read-only roles can see the connection list but cannot edit or run.
