Ingest DarkStrata credential-exposure intelligence into Splunk and Enterprise Security
The DarkStrata Threat Intelligence Add-on for Splunk brings DarkStrata's credential-exposure intelligence directly into Splunk and Splunk Enterprise Security (ES). It provides two modular inputs that pull threat intelligence in STIX 2.1 format, maps it to the Common Information Model, and ships pre-built knowledge objects, correlation searches and adaptive-response actions for your SOC.
Use it to:
| Component | Minimum | Recommended |
|---|---|---|
| Splunk Enterprise | 9.0.0 | Latest 9.x / 10.x |
| Splunk Cloud | Victoria Experience | Latest |
| Splunk Enterprise Security (optional) | 7.0.0 | 7.3+ |
You will also need:
siem:read scopeapi.darkstrata.io (port 443)Enterprise Security is only required for the correlation searches and adaptive-response actions — the modular inputs and CIM mappings work on Splunk Enterprise and Splunk Cloud without ES.
Download the latest TA-darkstrata-x.x.x.tar.gz from the GitHub releases page, then either upload it via Apps > Manage Apps > Install app from file, or install from the command line:
tar -xzf TA-darkstrata-x.x.x.tar.gz -C $SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/bin/splunk restartOpen the add-on's Configuration page and add an account on the Account tab:
https://api.darkstrata.io/v1siem:read scopeThe key is validated against the API when you save, and stored encrypted using Splunk's credential store. Optional Proxy, Performance and Loggingtabs let you configure an HTTP/SOCKS5 proxy, batch size and rate limiting, and the log level.
On the Inputs page, create one or both modular inputs:
| Input | Endpoint | Purpose |
|---|---|---|
| Indicators | /stix/indicators | Streaming credential-exposure indicators (observed-data) |
| Alerts | /stix/alerts | Credential-exposure alert bundles for your monitored assets |
Each input supports:
Events are written in STIX 2.1 JSON under two sourcetypes:
| Sourcetype | Contents |
|---|---|
darkstrata:stix:observed-data | Individual credential-exposure indicators |
darkstrata:stix:alert | Alert bundles (report plus referenced observed-data) |
Fields are mapped to the Authentication and Threat IntelligenceCIM data models, and the add-on ships event types, tags, macros and lookups so the data is ready for search, dashboards and acceleration. Try:
sourcetype=darkstrata:stix:observed-data
| stats count by darkstrata_source_type, darkstrata_flowWhen installed alongside Splunk ES, the add-on adds:
These actions call back to the DarkStrata API over verified TLS, keeping alert state in sync between Splunk and DarkStrata.
The add-on includes sample Splunk SOAR playbooks — credential-exposure triage, auto-acknowledge and alert enrichment — that you can adapt to your own workflows, plus a REST API reference for custom integrations.
siem:read scope and that Splunk has outbound HTTPS access to api.darkstrata.io.For the full API reference and integration guides, see the developer documentation. If you need a hand, our team is happy to help.