Splunk® Intelligence Management (Legacy)

User Guide


Manage your intelligence reports

Edit, delete, filter, redact, copy, and export your reports.


Copy reports

You can copy intelligence reports into different enclaves. You can edit the report or redact information before you copy the report to a new location. You must be in graph view to copy a report.

Copy a report without modifying any existing data

Use this procedure to copy a Report "as is" with no redaction of data.

  1. Click the three dots in the upper right of the details section. This displays a dropdown menu.
  2. Click Copy Report on the dropdown menu.
  3. In the dialog box, select the Enclave where you want the Report to be copied to. You only see Enclaves where you have submit or higher permissions.
  4. Click Copy to complete the operation.

The Report is immediately copied to the new location. All tags on the report are copied along with the Report details.

Redact and copy a report

Most of the time, you'll want to remove some data from a Report before you share it outside your organization. Use this procedure to redact (remove) information from the Report and then copy it to a new location.

  1. Click the three dots in the upper right of the details section. This displays a dropdown menu.
  2. Click Copy Report on the dropdown menu.
  3. In the dialog box, select the Enclave where you want the Report to be copied to. You only see Enclaves where you have submit or higher permissions.
  4. Select the checkbox for Edit report attributes before copy. You now see the Report information displayed in an edit window, where you can add or remove tags, and edit information.
  5. When you have finished editing the Report information, click Next. This displays a summary of the current data in the Report.
  6. Use the Redacted Terms list on the right to review the terms your organization has already placed in the Redaction Library. You can also add terms for this copy only, such as a username or email address that is not in the Redaction Library.
  7. Click Copy to <enclave> to complete the operation.

The Report is immediately copied to the new location. All tags on the Report are copied along with the Report details.

Copy multiple reports

Use the Splunk Intelligence Management API to automate copying multiple reports, both with and without redaction.

Delete a report

To delete a report, you must be in graph view and also have Full Access permissions for the enclave where the report is stored.

  1. Click the three-dot menu in the upper right corner of the Metadata section.
  2. Choose Delete Report from the dropdown menu.
  3. In the dialog box, choose Yes, I'm sure to delete the report.

Export a report to your local machine

You can export a Report to your local machine. The download contains the Indicators from the Report together with every data source attached to it, including Intelligence Sources, correlated Reports, and community Reports, so review the file before you share it outside your organization. You can export in JSON, STIX, TXT, or FireEye TAP format.

  1. Open the Report in Graph view.
  2. Click the three dots at the top of the Details pane. This displays a dropdown menu.
  3. Choose the export format you want.

The file is immediately downloaded to your local machine.

JSON file format

Data exported in this format:

  • Report ID: unique identifier generated by the platform for each report
  • Creation timestamp: when the platform created the report
  • Report title
  • timeBegan timestamp: the time provided by the user when submitting the report. If the user does not provide a time, the Creation timestamp is used.
  • Status: whether the report has been fully processed
  • Report body
  • Submission source (API or Web)
  • List of extracted IOCs, with the type and value of each IOC
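The JSON export lists the fields above but not their key names, and because the file also carries indicators from correlated and community reports it can contain your own hosts and addresses. The following is an added example, not code from the Splunk Intelligence Management documentation or product: it loads a constructed export, applies the documented timeBegan fallback, and filters the IOC list before it is handed to a blocklist. The key names (id, created, title, timeBegan, processed, body, source, indicators) and the IOC type labels are assumptions to check against a real export from your instance.

```python
"""Parse a JSON report export and filter the IOCs before feeding a blocklist."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample of a JSON export. The field list follows the documentation
# above; the exact key names and the IOC type labels are assumptions.
SAMPLE_EXPORT = json.dumps({
    "id": "3b6f1c2e-9d4a-4f0b-8c51-2a7e6d9f0b13",
    "created": "2022-04-01T09:12:44Z",
    "title": "Phishing wave against finance team",
    "timeBegan": "2022-03-31T17:00:00Z",
    "processed": True,
    "body": "Credential phishing; landing page resolved to 203.0.113.7.",
    "source": "API",
    "indicators": [
        {"type": "IP", "value": "203.0.113.7"},
        {"type": "IP", "value": "203.0.113.7"},            # duplicate from a correlated report
        {"type": "IP", "value": "10.0.0.5"},               # victim workstation, internal
        {"type": "IP", "value": "not-an-ip"},              # extraction noise
        {"type": "DOMAIN", "value": "Login.Evil.Example."},
        {"type": "DOMAIN", "value": "mail.acme.example"},  # the reporting org's own mail host
        {"type": "SHA256", "value": "A" * 64},
    ],
})

# Ranges you never want in a blocklist built from shared intelligence.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_export(raw):
    """Load an export and apply the documented fallback for a missing timeBegan."""
    report = json.loads(raw)
    if not report.get("timeBegan"):
        report["timeBegan"] = report.get("created")
    return report


def normalise(ioc_type, value):
    """Canonical form so the same indicator written two ways is counted once."""
    v = value.strip()
    if ioc_type == "DOMAIN":
        return v.lower().rstrip(".")
    if ioc_type in ("EMAIL_ADDRESS", "MD5", "SHA1", "SHA256"):
        return v.lower()
    return v


def filter_indicators(report, own_domains=(), own_networks=()):
    """Return (kept, dropped).

    kept maps IOC type to a sorted, de-duplicated list of values that are safe to
    block; dropped lists (value, reason) for internal addresses, the organization's
    own domains and public ranges, and values that do not parse.
    """
    nets = INTERNAL_NETWORKS + [ipaddress.ip_network(n) for n in own_networks]
    own = tuple(d.lower() for d in own_domains)
    kept, dropped, seen = defaultdict(set), [], set()
    for ioc in report.get("indicators", []):
        ioc_type = ioc["type"].upper()
        value = normalise(ioc_type, ioc["value"])
        if (ioc_type, value) in seen:
            continue
        seen.add((ioc_type, value))
        if ioc_type == "IP":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                dropped.append((value, "unparseable IP"))
                continue
            if any(addr in net for net in nets):
                dropped.append((value, "internal or own address"))
                continue
        elif ioc_type == "DOMAIN" and any(value == d or value.endswith("." + d) for d in own):
            dropped.append((value, "own domain"))
            continue
        kept[ioc_type].add(value)
    return {t: sorted(vs) for t, vs in kept.items()}, dropped


if __name__ == "__main__":
    report = parse_export(SAMPLE_EXPORT)
    kept, dropped = filter_indicators(report, own_domains=("acme.example",))
    print(report["title"], report["timeBegan"])
    print("block:", kept)
    print("dropped:", dropped)
```

The own_domains and own_networks arguments are where you list the organization's public footprint; the internal ranges are always excluded because a correlated community report can legitimately mention a victim's RFC 1918 address.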

STIX file format

Data exported in this format:

  • STIX_PACKAGE
  • Report description

TXT file format

Data exported in this format:

  • Report title
  • IOCs extracted
  • Correlated intel

FIREEYE TAP file format

Data exported in this format:

  • Report ID
  • IOCs extracted
  • IOC type
  • Risk

Move a report from one enclave to a different enclave

You can move a report from one enclave to another. This is useful if you are using several private enclaves and want to reorganize them or if a report was submitted to the wrong enclave.

To move a report:

  1. While looking at the Report in Graph view, click the three dots in the upper right of the details section. This displays a dropdown menu.
  2. Click Move Report on the dropdown menu.
  3. In the dialog box, select the enclave where you want to move the Report to. You only see enclaves where you have submit or higher permissions.
  4. Click Move to complete the operation.

The report is immediately moved to the new location.

The Splunk Intelligence Management REST API has a move endpoint that can help automate moving multiple reports.
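The two passages above point at the REST API for bulk copying and moving but give no shape for the calls. The following is an added example, not code from the Splunk Intelligence Management documentation or API reference: a batch driver that issues one request per report and keeps going when a single report fails, so a partial run can be inspected and retried. Everything about the wire format is an assumption to check against your API reference: the base URL, the paths /reports/copy/{id} and /reports/move/{id}, the destEnclaveId query parameter, the redactedTerms body, and bearer-token authentication. The transport is injectable so the batch logic can be exercised without a server.

```python
"""Copy or move a batch of reports between enclaves through the REST API."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Assumptions, not taken from the documentation above: copy and move take the
# report ID in the path and the destination enclave as the destEnclaveId query
# parameter, copy accepts an optional JSON body of terms to redact, and the API
# token is sent as a bearer token. Verify against your API reference.
BASE_URL = "https://api.example.invalid/api/1.3"
API_TOKEN = "REPLACE_WITH_YOUR_TOKEN"


def http_send(method, url, body=None, token=API_TOKEN):
    """Default transport. Returns (status, response bytes); raises on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    request = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.status, response.read()


@dataclass
class Outcome:
    report_id: str
    action: str
    ok: bool
    detail: str


def relocate_reports(report_ids, dest_enclave_id, action="copy",
                     redact_terms=None, send=http_send, base_url=BASE_URL):
    """Copy or move each report into dest_enclave_id, one call per report.

    A failure (for example a permission error because you lack submit access on
    the destination enclave) is recorded and the batch continues, so the run can
    be repeated on just the failed IDs after the permissions are fixed.
    """
    if action not in ("copy", "move"):
        raise ValueError("action must be 'copy' or 'move'")
    query = urllib.parse.urlencode({"destEnclaveId": dest_enclave_id})
    outcomes = []
    for report_id in report_ids:
        url = f"{base_url}/reports/{action}/{urllib.parse.quote(report_id, safe='')}?{query}"
        body = {"redactedTerms": list(redact_terms)} if action == "copy" and redact_terms else None
        try:
            status, _ = send("POST", url, body)
        except Exception as exc:  # HTTPError, URLError, timeout
            outcomes.append(Outcome(report_id, action, False, f"{type(exc).__name__}: {exc}"))
            continue
        outcomes.append(Outcome(report_id, action, 200 <= status < 300, f"HTTP {status}"))
    return outcomes


def failed(outcomes):
    """Report IDs to retry once the cause of the failure has been addressed."""
    return [o.report_id for o in outcomes if not o.ok]


if __name__ == "__main__":
    # Constructed IDs; with a real token and base URL this issues one POST per report.
    batch = relocate_reports(["report-a", "report-b"], "enclave-sharing",
                             action="copy", redact_terms=["jdoe"])
    for outcome in batch:
        print(outcome)
    print("retry:", failed(batch))
```

Redaction terms are only meaningful for copy: a move relocates the original, so anything you need removed must be edited in the report itself before it is moved.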

Redact data from an intelligence report

You can redact terms from an intelligence report before you submit it or you can redact terms in an existing report.

Redacting a new report

When submitting a new Report to Splunk Intelligence Management Station, there are two ways to redact information: redacting individual terms or using your organization's Redaction Library.

To use the Redaction feature, you must select the Apply Redaction slider. The items in your Redaction Library are automatically selected when this slider is green.

Redacting Individual Terms

Your Report data is displayed in the Original Content field. Hovering over an item brings up a Redact as... button that you can click to redact the item.

Any item that has been redacted is shown in red, and hovering over it shows the original data that was redacted.

Using the Redaction Library

Alternatively, you can use the Redaction Library shown on the right side of the screen to select or deselect terms to redact.

  1. Highlight text in the Original Content window.
  2. Click the Redact Selected text button on the right. This unfolds to display a list of categories.
  3. Choose the category for the term you want to redact.

That term is added to the Redaction Library. You now see it redacted in the Original Content window.

Redact an existing report

When viewing a Report in graph view, you can make edits to the report information.

  1. Click the three-dot menu in the upper right corner of the Metadata section.
  2. Choose Update Report from the dropdown menu.
  3. Click Next to continue.
  4. You can now redact individual items by following the Using the Redaction Library procedure above.
  5. Click Update Report to save your changes.
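The redaction described in "Redact and copy a report" and in this section is driven by a library of term-to-category mappings, plus one-off terms added for a particular copy. The following is an added example, not code from the Splunk Intelligence Management product: a small redactor that applies such a library to a report body the way an analyst would before copying it to a sharing enclave. The library, the category names, the placeholder format and the sample report body are all constructed for illustration; the product's own matching rules are not documented on this page.

```python
"""Apply a Redaction Library plus ad-hoc terms to a report body before it leaves the enclave."""
import re
from dataclasses import dataclass, field


@dataclass
class Redaction:
    text: str
    # placeholder -> original value. Keep this on the source side only: it is the
    # key that maps the shared copy back to the real identities.
    key: dict = field(default_factory=dict)


def build_pattern(terms):
    """One alternation with the longest term first, so an e-mail address is matched
    whole instead of having only its username part replaced and the domain leaking."""
    ordered = sorted({t.strip() for t in terms if t.strip()}, key=len, reverse=True)
    if not ordered:
        return None
    return re.compile("|".join(re.escape(t) for t in ordered), re.IGNORECASE)


def redact(body, library, extra_terms=None):
    """Redact every library term (and any extra term -> category pairs) in body.

    Matching is case-insensitive. Each distinct original value gets a numbered
    placeholder such as [Username-1], so two mentions of the same user are still
    recognisable as the same user in the redacted copy.
    """
    terms = dict(library)
    terms.update(extra_terms or {})
    pattern = build_pattern(terms)
    if pattern is None:
        return Redaction(text=body)
    category_of = {t.strip().lower(): c for t, c in terms.items()}
    counters, placeholders, key = {}, {}, {}

    def replace(match):
        original = match.group(0)
        lowered = original.lower()
        if lowered not in placeholders:
            category = category_of[lowered]
            counters[category] = counters.get(category, 0) + 1
            placeholders[lowered] = f"[{category}-{counters[category]}]"
            key[placeholders[lowered]] = original
        return placeholders[lowered]

    return Redaction(text=pattern.sub(replace, body), key=key)


def leaked_terms(text, terms):
    """Terms still present (case-insensitively) after redaction; must be empty before you copy."""
    lowered = text.lower()
    return sorted(t for t in terms if t.strip() and t.strip().lower() in lowered)


# Constructed sample data: a stand-in for the organization's Redaction Library and
# the body of a report about to be copied to a sharing enclave.
REDACTION_LIBRARY = {
    "Acme Corp": "Organization",
    "jdoe@acme.example": "Email",
    "jdoe": "Username",
}
SAMPLE_BODY = (
    "Phishing email to jdoe@acme.example; JDOE clicked the link from 10.0.0.5. "
    "Acme Corp SOC confirmed the C2 at evil.example."
)

if __name__ == "__main__":
    # The victim IP is not in the library, so it is added for this copy only, the
    # way step 6 of "Redact and copy a report" adds a one-off term. evil.example is
    # the indicator you want to share and is left untouched.
    result = redact(SAMPLE_BODY, REDACTION_LIBRARY, extra_terms={"10.0.0.5": "InternalIP"})
    print(result.text)
    print("leaks:", leaked_terms(result.text, [*REDACTION_LIBRARY, "10.0.0.5"]))
```

The longest-first ordering is the detail worth carrying over to any redaction tooling: with only "jdoe" in the library, "jdoe@acme.example" becomes "[Username-1]@acme.example" and the domain still identifies the organization, which is why the library here holds the full address as well.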

Tag a report

You can add tags to Intelligence Reports to aid investigations and to make filtering and sorting easier for your organization's workflow.

  1. Click on a report in the Report List view. This opens up the Reports Graph view for that single Report.
  2. Click the plus sign to the right of the word Tags in the Report Metadata section.
  3. In the Manage Enclave Tags dialog box, add the desired tag(s) to the Report. Tags are saved automatically as soon as you enter them.
  4. To exit the Manage Enclave Tags popup, click anywhere in the Splunk Intelligence Management window.

The new tags are now displayed just below Tags.

Update an intelligence report

When viewing a report in Graph view, you can make edits to the report information. To update a Report, you must have Full Access permissions for the Enclave where the Report is stored.

  1. Click the three-dot menu in the upper right corner of the Metadata section.
  2. Choose Update Report from the dropdown menu.
  3. Edit the desired information, such as title, dates, tags, or the enclave where the report is stored.
  4. Click Next to continue. This screen shows the edits you made and displays a panel on the right where you can redact items in the report. The items in your organization's Redaction Library are automatically selected when the Apply Redaction slider is green. You can click into a category below the slider to deselect specific terms so they are not redacted in this report.
  5. To email this report to selected addresses, click the Email Incident Report button. For more information, see Emailing a Report.
  6. Click Update Report to save your changes.
Last modified on 21 April, 2022
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

