Splunk® Intelligence Management (Legacy)

Welcome to Splunk Intelligence Management

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Use cases for Splunk Intelligence Management

The product architecture of Splunk Intelligence Management focuses on the following use cases:

  • Detect: Make detection workflows more accurate by reducing false positives.
  • Triage: Leverage internal and external sources to identify malicious items while prioritizing new events as they occur.
  • Investigate: Enrich data by searching for indicators across all available sources and deep-dive into source intelligence reports for context.
  • Disseminate: Customize, control, and share intelligence with tools, teams, and communities.

Improve detection workflows to reduce false positives

Use Splunk Intelligence Management to achieve the following goals:

  • Optimize detection workflows for better accuracy.
  • Automate the matching of high-scoring indicators into a SIEM tool and create more efficiency.
  • Customize data ingest preferences to reduce false positive rate.

The following image illustrates how to improve Splunk Intelligence Management detection workflows:

This figure demonstrates how to improve Splunk Intelligence Management detection workflows.

Use the following workflows to improve detection and reduce false positives:

  • Sources: Send the internal event data to Splunk Intelligence Management. Use premium intelligence sources and open sources to normalize, score, and prioritize the event data.
  • Transformations: Prepare and prioritize data to identify malicious Indicators.
  • Destinations: Send indicators and intelligence reports back to the detection tool and reduce false positive rates.

Triage to prioritize events

Use Splunk Intelligence Management to achieve the following goals:

  • Automatically run user-reported emails through the intelligence pipeline.
  • Automatically prioritize events based on normalized scores.
  • Streamline actions by connecting indicators and events with detection, incident review, or orchestration tools.

The following figure illustrates how to prioritize events using Splunk Intelligence Management's optional phishing triage feature:

This figure demonstrates how to prioritize events using Splunk Intelligence Management's phishing triage feature.

Use the following workflows to triage and prioritize events:

  • Sources: Send internal event data to Splunk Intelligence Management and use your intelligence sources to normalize, score, and prioritize events.
  • Transformations: Prepare and prioritize events based on normalized scores.
  • Destinations: Connect indicators and events with detection, incident review, or orchestration tools to streamline defensive actions.

Investigate using enriched data

Use Splunk Intelligence Management to achieve the following goals:

  • Display enriched data from Splunk Intelligence Management in your workflows and applications to provide context as required.
  • One-click access to the web app of Splunk Intelligence Management for deeper link analysis.

The following figure illustrates how to investigate using Splunk Intelligence Management: This figure demonstrates how to investigate using Splunk Intelligence Management.

Use the following workflow to investigate using enriched data:

  • Sources: Send internal event data to Splunk Intelligence Management to correlate with your historical, premium, and open intelligence sources.
  • Transformations: Enrich and prioritize events with prepared and normalized data from your intelligence sources.
  • Destinations: Automate and streamline the exchange of data between Splunk Intelligence Management and your case management tools. Use a link to jump to the Splunk Intelligence Management web app and view original intelligence reports and correlation with other intelligence sources.

Share intelligence to customize data flow

Use Splunk Intelligence Management to achieve the following goals:

  • Customize and control the flow of your data.
  • Validate and share intelligence with the tools, teams, and communities that are essential to your security operations.

The following figure illustrates how to share intelligence using Splunk Intelligence Management: This figure demonstrates how to share intelligence using Splunk Intelligence Management.

Use the following workflows to share intelligence and customize data flow:

  • Sources: Send internal event data to Splunk Intelligence Management to correlate with OSINT and premium intelligence sources.
  • Transformations: Redact and allow list indicators as appropriate and send to approved and community enclaves.
  • Destinations: Share information internally and externally using the workflow applications for Splunk Intelligence Management, managed connectors, REST API, or TAXII infrastructure.
Last modified on 27 June, 2022
PREVIOUS
Unify security operations using the capabilities of Splunk Intelligence Management 		  NEXT
Security compliance requirements to use Splunk Intelligence Management

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters