Splunk® Intelligence Management (Legacy)

Welcome to Splunk Intelligence Management


Security compliance requirements to use Splunk Intelligence Management

Following are the security compliance requirements to use Splunk Intelligence Management:

STIX compliance

Splunk Intelligence Management works with STIX-formatted incident reports. Splunk Intelligence Management also ingests data in JSON, XML, CSV, email listservs, and other formats.

Proxy and firewalls

Splunk Intelligence Management is a cloud-based service. Use host-name-based allow listing, rather than fixed IP addresses, when granting access to Splunk Intelligence Management services through a proxy or firewall. The standard host name to add to your allow list or safe list is station.trustar.co.

The station.trustar.co host name points to either of two related host names:

  • station-live.trustar.co points to an Application Load Balancer (ALB), which dynamically associates IP addresses based on traffic load. This means the IP addresses are subject to change automatically, as needed by the ALB.
  • station-down.trustar.co is only used when Splunk Intelligence Management is down for any reason, including maintenance.

You can use a DNS lookup for station.trustar.co to list the IP addresses currently in use. To check whether these addresses have changed, type the command host station.trustar.co or host api.trustar.co in a *nix or macOS terminal window. These commands display all the resolvable IP addresses for Splunk Intelligence Management's URLs.
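The check described above can be scripted so that an allow list is compared against what DNS currently returns. The following Python script is an added example, not part of the Splunk documentation: it parses the output of the host command, records the alias the station.trustar.co name currently points at (station-live.trustar.co during normal operation, station-down.trustar.co during an outage), and reports any address that was added or removed since the allow list was last updated. The sample host output and the recorded address set are constructed so that the script runs offline; run_host() performs the real lookup when a network is available.

```python
import ipaddress
import re
import subprocess

# Host names named on the page as the ones to allow-list and resolve.
MONITORED_HOSTS = ("station.trustar.co", "api.trustar.co")
OUTAGE_ALIAS = "station-down.trustar.co"

# Constructed sample output of `host station.trustar.co` (documentation
# addresses from RFC 5737 / RFC 3849); real output differs.
SAMPLE_HOST_OUTPUT = """\
station.trustar.co is an alias for station-live.trustar.co.
station-live.trustar.co has address 192.0.2.10
station-live.trustar.co has address 192.0.2.11
station-live.trustar.co has IPv6 address 2001:db8::10
"""

# Constructed: addresses recorded when the allow list was last updated.
RECORDED_ADDRESSES = {"192.0.2.10", "192.0.2.12", "2001:db8::10"}

_ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$")
_ADDR_RE = re.compile(r"has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Parse `host` output into (aliases, addresses).

    aliases maps a queried name to the name it is a CNAME for;
    addresses is a set of normalised IPv4/IPv6 address strings.
    """
    aliases = {}
    addresses = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = _ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = m.group(2)
            continue
        m = _ADDR_RE.search(line)
        if m:
            # ip_address() rejects garbage and canonicalises IPv6 spelling.
            addresses.add(str(ipaddress.ip_address(m.group(1))))
    return aliases, addresses


def service_is_down(aliases):
    """True when station.trustar.co currently points at the outage host."""
    return OUTAGE_ALIAS in aliases.values()


def diff_addresses(current, recorded):
    """Return (added, removed) relative to the recorded allow list."""
    return sorted(current - recorded), sorted(recorded - current)


def run_host(name):
    """Run the `host` command for a name and return its output (needs network)."""
    result = subprocess.run(["host", name], capture_output=True, text=True, check=True)
    return result.stdout


def report(text, recorded):
    """Build a human-readable change report from `host` output."""
    aliases, current = parse_host_output(text)
    added, removed = diff_addresses(current, recorded)
    lines = []
    if service_is_down(aliases):
        lines.append("service alias points at %s (maintenance or outage)" % OUTAGE_ALIAS)
    for name, target in aliases.items():
        lines.append("%s -> %s" % (name, target))
    lines.append("added since allow list update: %s" % (", ".join(added) or "none"))
    lines.append("removed since allow list update: %s" % (", ".join(removed) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # run_host(MONITORED_HOSTS[0]) to check the live service.
    print(report(SAMPLE_HOST_OUTPUT, RECORDED_ADDRESSES))
```

Because the addresses behind station-live.trustar.co are assigned dynamically by the load balancer, a non-empty "added" or "removed" list is expected from time to time; the point of the report is to tell you when the allow list on a proxy or firewall that cannot filter by host name needs refreshing.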

Encryption

Splunk Intelligence Management uses AWS Elastic Load Balancing (ELB) with the security policy "ELBSecurityPolicy-TLS-1-2-2017-01", which supports TLS 1.2. The last proxy, firewall, or gateway appliance in the communication chain between your calling host and Splunk Intelligence Management's ELB must encrypt the connection with TLS 1.2.

Splunk Intelligence Management does not accept requests to connect using either TLS 1.0 or SSL.

Authentication

When connecting to third-party intelligence sources, Splunk Intelligence Management is SOC II compliant.

Examples of the security controls in place include:

  • internet-facing web services use strong TLS
  • encrypted administrator connections
  • encrypted remote services
  • HTTPS everywhere
  • encrypted office wifi

All feeds use an HTTPS-based authentication framework with different types of authentication schemes such as Basic Authentication, OAuth 2.0, Digest and others. This also includes TAXII feeds such as DHS AIS and FS-ISAC.
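Both requirements above (TLS 1.2 on the last hop, HTTPS-based feed authentication) are met on the client side by refusing anything below TLS 1.2 and attaching the appropriate Authorization header. The following Python client is an added example written for this page, not code from Splunk or the product; it uses only the standard library. The feed URL, the credentials and the bearer token are placeholders, and the Basic, Bearer (OAuth 2.0) and Digest helpers are illustrative of the schemes the page lists, not of any specific feed's API.

```python
import base64
import ssl
import urllib.request


def make_client_context():
    """TLS client context that verifies the server certificate and
    refuses any protocol version below TLS 1.2 (so TLS 1.0 and SSL
    connections, which the service rejects anyway, never get attempted)."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def basic_auth_header(username, password):
    """RFC 7617 Basic scheme: base64(user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def bearer_auth_header(access_token):
    """OAuth 2.0 bearer token as used by many HTTPS feeds (RFC 6750)."""
    return {"Authorization": f"Bearer {access_token}"}


def digest_auth_opener(url, username, password, ctx=None):
    """Opener that answers HTTP Digest challenges over the hardened context."""
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, username, password)
    return urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(pw_mgr),
        urllib.request.HTTPSHandler(context=ctx or make_client_context()),
    )


def require_https(url):
    """Feeds are HTTPS-only; reject plain http:// before any request is made."""
    if not url.lower().startswith("https://"):
        raise ValueError("feed URL must use https://: %r" % url)
    return url


def fetch_feed(url, headers, ctx=None, timeout=30):
    """GET a feed document over TLS 1.2+ with the given auth header.
    Returns (status, body_bytes). Requires network access."""
    req = urllib.request.Request(require_https(url), headers=headers)
    with urllib.request.urlopen(req, context=ctx or make_client_context(), timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder endpoint and credentials; replace with the feed's own values.
    FEED_URL = "https://feed.example.invalid/taxii2/collections/"
    status, body = fetch_feed(FEED_URL, bearer_auth_header("<access token>"))
    print(status, len(body), "bytes")
```

If the appliance in front of your host downgrades or re-encrypts the connection, the failure shows up here as an SSL handshake error rather than as a silent fallback, which is the behaviour you want given that the ELB policy will not complete a TLS 1.0 or SSL handshake.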

Data transmission

Data is encrypted in transit and at rest using industry best practices. Splunk Intelligence Management uses HTTPS (SSL/TLS) to access data. Splunk Intelligence Management is SOC II compliant.

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters