Activate intelligence source integrations from Splunk Mission Control to import threat intelligence data into Threat Intelligence Management
By activating intelligence data source integrations, you can enrich incident data in Splunk Mission Control and also use the threat intelligence data for threat-matching in Splunk Enterprise Security. Activating the data source integrations imports data into the Threat Intelligence Management system, which you can use for data enrichment in both Splunk Mission Control and Splunk Enterprise Security.
To activate intelligence source integrations, complete the following steps:
- In Splunk Mission Control, select the Content page and then Intelligence.
- Select Sources.
- (Optional) To apply a filter, such as Type or Status, to the sources table, select the column header of the field you want to filter by. Not all fields are filterable. You can see sorting and filtering options for a field by selecting the down arrow icon in the column header. Fields that aren't filterable don't have a filter menu with check boxes.
Many of the intelligence sources are available immediately upon activation, but certain paid and proprietary intelligence sources are only available after validation of API keys and credentials.
- For an open intelligence source, select Activate. To find the provided indicators for each open intelligence source, see Available open intelligence sources for Splunk Mission Control.
- For a premium intelligence source, select Activate.
  - Enter the required credentials. To find the requirements for each available premium intelligence source, see Available premium intelligence sources for Splunk Mission Control.
  - Select Yes, Confirm to confirm your credentials.
- Repeat the process for all the threat intelligence sources that you want to activate.
- (Optional) To deactivate a source, select the source you want, and then select Deactivate.
If an intelligence source indicates "Activation failed", check for expired API credentials or for an overdue subscription payment. You might need to deactivate the source, enter new credentials, and then activate the source again.
After you activate sources, you can set up an intelligence workflow. See Set up intelligence workflows in Splunk Mission Control to automate indicator processing.
This documentation applies to the following versions of Splunk® Mission Control: Current