Splunk® Intelligence Management (Legacy)

Developer Guide

Access threat intelligence using the interfaces in Splunk Intelligence Management

Splunk Intelligence Management provides the following interfaces for working with threat intelligence. Choose the one that fits your needs and the tools you already use.

  • Splunk Intelligence Management REST API
  • Custom integrations
  • Splunk Intelligence Management web app

Use Splunk Intelligence Management REST API

The REST API supports programmatic access to the full range of capabilities in Splunk Intelligence Management. The REST API offers a set of unified endpoints that you can use to access, clean, and normalize intelligence across multiple sources and send it to specific destinations such as teams, tools, or Splunk Intelligence Management enclaves.
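The "clean and normalize" step above is where most integration work happens: different sources report the same indicator defanged, cased and typed differently, and a destination such as a SIEM needs one canonical form with provenance. The following added example (illustration only, not code from the Splunk Intelligence Management SDK or its API) shows what that normalization involves. The three feeds and their values are constructed sample data; the indicator types and refanging rules are general conventions, not an Splunk Intelligence Management format.

```python
"""Clean and normalize indicators from several sources into one deduplicated table.
Added example with constructed sample feeds; not Splunk Intelligence Management code."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the same indicators as three sources report them, with defanging
# and case differences that must be undone before they can be matched or deduplicated.
SAMPLE_FEEDS = {
    "vendor-feed": ["hxxp://evil[.]example/payload.exe", "198.51.100[.]7", "EVIL.example"],
    "isac-share": ["evil.example", "198.51.100.7", "5D41402ABC4B2A76B9719D911017C592"],
    "analyst-notes": ["hxxps://evil(.)example/c2", "2001:db8::1", "not an indicator"],
}

HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(raw):
    """Undo common defanging (hxxp, [.], (.), [dot], [:], [@]) so values can be compared."""
    s = raw.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[@]", "@")


def classify(value):
    """Return (indicator type, canonical value), or None if the string is not an indicator."""
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv6" if ip.version == 6 else "ipv4", ip.compressed)
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_HASH_LENGTHS:
        return (HEX_HASH_LENGTHS[len(value)], value.lower())
    if re.match(r"^https?://", value, re.IGNORECASE):
        u = urlparse(value)
        if not u.hostname:
            return None
        # Lowercase only scheme and host; the path may be case-sensitive on the server.
        return ("url", u._replace(scheme=u.scheme.lower(), netloc=u.netloc.lower()).geturl())
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value, re.IGNORECASE):
        return ("domain", value.lower())
    return None


def normalize(feeds):
    """Merge feeds into one table keyed by (type, value), keeping which source said what."""
    merged = {}
    rejected = []  # anything that is not a recognizable indicator is reported, not dropped silently
    for source, raws in feeds.items():
        for raw in raws:
            parsed = classify(refang(raw))
            if parsed is None:
                rejected.append((source, raw))
                continue
            entry = merged.setdefault(
                parsed, {"type": parsed[0], "value": parsed[1], "sources": set(), "raw_forms": set()}
            )
            entry["sources"].add(source)
            entry["raw_forms"].add(raw)
    return sorted(merged.values(), key=lambda e: (e["type"], e["value"])), rejected


if __name__ == "__main__":
    entries, rejected = normalize(SAMPLE_FEEDS)
    for e in entries:
        print(e["type"], e["value"], sorted(e["sources"]))
    print("rejected:", rejected)
```

Keeping the raw forms alongside the canonical value is deliberate: when an indicator is later disputed, you can show exactly what each source delivered rather than only your cleaned version.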

To develop custom scripts or applications, use either of the following approaches:

  • Query the Splunk Intelligence Management REST API directly
  • Use the Splunk Intelligence Management Python SDK, which wraps the API for use from any Python program

Use Splunk Intelligence Management custom integrations

Splunk Intelligence Management's REST API integrates with the most common categories of workflow tools. It includes bundled endpoints that reduce the number of API calls you need to build a use case.

The Splunk Intelligence Management Partner Resources portal explains how to use the REST API and integrate with different types of security tools, such as case management, SIEM, or SOAR.

Integrate using TAXII

Splunk Intelligence Management also includes a complete TAXII infrastructure built on the REST API. This gives you a no-code, bi-directional integration with any TAXII server or client: pull intelligence into your tools, or push it from your tools into Splunk Intelligence Management.
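What "bi-directional" means in practice is one request in each direction: a GET on a collection's objects endpoint to pull indicators, and a POST of an envelope of STIX objects to push them. The added example below (not code from Splunk Intelligence Management or its SDK) shows the client-side logic for both, assuming the endpoint speaks TAXII 2.1 with bearer-token authentication; if your deployment exposes TAXII 1.x the message format differs. The API root, collection id and server responses are constructed, and no network call is made.

```python
"""TAXII 2.1 client logic for a bi-directional integration: parse a polled collection
into indicators and build the envelope used to push indicators back.
Added example; server root, collection id and responses are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlencode

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
# Hypothetical API root and collection id, assumed for illustration only.
TAXII_ROOT = "https://taxii.example.invalid/api1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"

# Constructed sample of a TAXII 2.1 objects response (GET .../collections/{id}/objects/).
SAMPLE_OBJECTS_RESPONSE = json.dumps({
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0c5a6f6e-9c73-4f0e-8f4f-000000000001",
         "created": "2022-06-01T10:00:00.000Z", "modified": "2022-06-01T10:00:00.000Z",
         "name": "C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2022-06-01T10:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0c5a6f6e-9c73-4f0e-8f4f-000000000002",
         "created": "2022-06-01T10:05:00.000Z", "modified": "2022-06-01T10:05:00.000Z",
         "name": "Dropper", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "valid_from": "2022-06-01T10:05:00Z"},
        # A relationship object rides along in the same collection; the extractor must skip it.
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--0c5a6f6e-9c73-4f0e-8f4f-000000000003",
         "created": "2022-06-01T10:05:00.000Z", "modified": "2022-06-01T10:05:00.000Z",
         "relationship_type": "indicates",
         "source_ref": "indicator--0c5a6f6e-9c73-4f0e-8f4f-000000000002",
         "target_ref": "malware--0c5a6f6e-9c73-4f0e-8f4f-000000000004"},
    ],
})

# One comparison in a STIX pattern, e.g. [ipv4-addr:value = '198.51.100.7'].
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'\]$")


def taxii_headers(bearer_token):
    """Headers every TAXII 2.1 request carries; the bearer scheme is an assumption."""
    return {"Accept": TAXII_MEDIA_TYPE, "Content-Type": TAXII_MEDIA_TYPE,
            "Authorization": "Bearer " + bearer_token}


def objects_url(collection_id, added_after=None, limit=None):
    """URL for polling a collection; added_after turns a full pull into an incremental one."""
    params = {}
    if added_after:
        params["added_after"] = added_after
    if limit:
        params["limit"] = limit
    url = f"{TAXII_ROOT}/collections/{collection_id}/objects/"
    return url + ("?" + urlencode(params) if params else "")


def extract_indicators(response_text):
    """Pull (observable type, property, value) out of each STIX indicator in a poll response."""
    body = json.loads(response_text)
    found = []
    for obj in body.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # compound patterns (AND/OR, ranges) are skipped rather than mis-parsed
        found.append({"id": obj["id"], "observable": m.group(1),
                      "property": m.group(2).replace("'", ""), "value": m.group(3)})
    return found


def stix_timestamp(dt):
    """STIX timestamps are UTC with millisecond precision and a literal Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_push_envelope(values, now=None):
    """Wrap local (observable, property, value) triples as STIX indicators in a TAXII envelope."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    objects = []
    for observable, prop, value in values:
        # Values are interpolated into a pattern literal; refuse anything that could break out.
        if "'" in value or "\\" in value:
            raise ValueError("value would break out of the STIX pattern literal: %r" % value)
        objects.append({"type": "indicator", "spec_version": "2.1",
                        "id": "indicator--" + str(uuid.uuid4()),
                        "created": ts, "modified": ts, "pattern_type": "stix",
                        "pattern": f"[{observable}:{prop} = '{value}']", "valid_from": ts})
    return {"objects": objects}


def parse_status(response_text):
    """Summarize the status resource a POST returns; pending > 0 means poll the status again."""
    s = json.loads(response_text)
    return {"id": s.get("id"), "status": s.get("status"),
            "success": s.get("success_count", 0), "failure": s.get("failure_count", 0),
            "pending": s.get("pending_count", 0)}


if __name__ == "__main__":
    print(objects_url(COLLECTION_ID, added_after="2022-06-01T00:00:00Z", limit=100))
    for ind in extract_indicators(SAMPLE_OBJECTS_RESPONSE):
        print(ind)
    print(json.dumps(build_push_envelope([("domain-name", "value", "evil.example")]), indent=1))
```

Two points in the code matter operationally. Only single-comparison patterns are parsed; a compound pattern that is silently truncated would produce a wrong indicator, so the extractor skips what it cannot represent. And values pushed outward are checked before being placed inside a pattern literal, because an indicator value containing a quote would otherwise rewrite the pattern it is embedded in.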

Integrate using third-party tools

Use workflow applications or managed connectors to exchange and enrich intelligence between Splunk Intelligence Management and third-party tools.

Integrate using workflow applications

Use third-party response and orchestration applications to detect security events, enrich alerts, investigate incidents, streamline intelligence management, and achieve bi-directional integration. See the Splunk Intelligence Management marketplace for the available workflow applications.

Integrate using managed connectors

Use lightweight plug-ins that provide a one-way connection between Splunk Intelligence Management and a third-party intelligence source or workflow application. Built using the Splunk Intelligence Management unified API, these connectors are available through the Customer Success organization for Splunk Intelligence Management.

Use Splunk Intelligence Management web app

Use the Splunk Intelligence Management web app, a lightweight front-end tool, to do the following tasks:

  • User provisioning
  • Enclave provisioning and permissions management
  • Safelist and redaction library management
  • Workflow setup
  • Data lookup and advanced searches
  • Delete and edit operations

The Splunk Intelligence Management web app also provides a powerful search capability that lets you run searches across all sources of data in enclaves. The search capability is typically used to investigate and view the full context of an original intelligence report about an Indicator or to pivot across multiple sources.

Last modified on 27 June, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
