Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Activate intelligence source integrations from Splunk Mission Control to import threat intelligence data into Threat Intelligence Management

By activating intelligence data source integrations, you can enrich incident data in Splunk Mission Control and also use the threat intelligence data for threat-matching in Splunk Enterprise Security. Activating the data source integrations imports data into the Threat Intelligence Management system, which you can use for data enrichment in both Splunk Mission Control and Splunk Enterprise Security.

To activate intelligence source integrations, complete the following steps:

  1. In Splunk Mission Control, select the Content page and then Intelligence.
  2. Select Sources.
  3. (Optional) To apply a filter, such as Type or Status, to the sources table, select the column header of the field you want to filter by. Not all fields are filterable. You can see sorting and filtering options for a field by selecting the down arrow icon in the column header. Fields that aren't filterable don't have a filter menu with check boxes.

    Many of the intelligence sources are available immediately upon activation, but certain paid and proprietary intelligence sources are only available after validation of API keys and credentials.

  4. For an open intelligence source, select Activate. To find the provided indicators for each open intelligence source, see Available open intelligence sources for Splunk Mission Control.
  5. For a premium intelligence source, select Activate.
    1. Enter the required credentials. To find the requirements for each available premium intelligence source, see Available premium intelligence sources for Splunk Mission Control.
    2. Select Yes, Confirm to confirm your credentials.
  6. Repeat the process for all the threat intelligence sources that you want to activate.
  7. (Optional) To deactivate a source, select the source you want, and then select Deactivate.

If an intelligence source indicates "Activation failed", check for expired API credentials or for an overdue subscription payment. You might need to deactivate the source, enter new credentials, and then activate the source again.

After you activate sources, you can set up an intelligence workflow. See Set up intelligence workflows in Splunk Mission Control to automate indicator processing.

Last modified on 11 March, 2024

This documentation applies to the following versions of Splunk® Mission Control: Current

