Splunk® Intelligence Management (Legacy)

Developer Guide

Overview of Splunk Intelligence Management custom integrations

You can write custom integrations between your data and the Splunk Intelligence Management platform. You can create integrations for the following types of third-party tools:

  • Detection: Export data from Splunk Intelligence Management into your detection workflow to provide more accurate and timely alerts.
  • Case Management: Automate and streamline the exchange of data between Splunk Intelligence Management and your cybersecurity tools.
  • SOAR: Prioritize suspicious emails by using Splunk Intelligence Management to ingest emails, then extract and score indicators that are then sent to your orchestration workflow.

With any integration, you can also choose to validate, redact, and share information among Splunk Intelligence Management enclaves. This means you can disseminate information to internal teams and industry peers (ISACs/ISAOs) that have access to those enclaves.

Before you begin

  1. Read the Splunk Intelligence Management product overview so that you understand how the platform is structured.
  2. Make sure you have a Splunk Intelligence Management account because you'll need your API key and API secret to build the integration.
  3. Choose the developer tool, either the REST API or Python SDK, you want to use when coding your integration.

To learn how to create and manage users, assign permissions, and collect a user's API keys in Splunk Intelligence Management, see the following video:
Managing users and permissions


Supported functionality

When building an integration with Splunk Intelligence Management, you choose what functionality to include. This may be based on your customer knowledge, the capabilities of your detection tools, or other factors. Two levels of functionality for integrations are defined:

  • Recommended: Provide the most useful functionality for that type of tool. Think of this as "must have" functionality, such as submitting reports to Splunk Intelligence Management and enriching observables.
  • Optional: Functions that enhance the integration but are not essential. For example, you may choose to share observables or reports, but it is not a "must have" for most integrations.

Configuration requirements

Every integration with Splunk Intelligence Management needs to include basic information, including account information, whether or not a proxy is used, and the enclaves that will be accessed by the integration. Verify that you are able to provide the following information:

  • Account settings: Required to ensure the user has a valid Splunk Intelligence Management account.
  • Enclave Settings: For each type of Enclave your integration is using, you must provide a way to specify Enclave IDs.
  • Proxy Settings: If your integration will go through a proxy server to reach the internet, you must provide a way to specify those settings.

Account Settings

Your integration must provide a way for the user to enter three pieces of information:

Enclave settings

Depending on your integration, you can specify any number of enclaves.


Required enclaves

Your integration must specify the location of one or more enclaves where reports or indicators will be stored in Splunk Intelligence Management. Name this field Submission Enclave IDs. Separate multiple enclave IDs with commas, no spaces. See Finding enclave IDs.

You can also provide checkboxes to let the user choose to automatically submit reports and observables to Splunk Intelligence Management.

Optional enclaves

Depending on the integration you are building, you may need to provide fields for additional enclaves.

Optional enclave type Description
Enrichment Enclaves If your integration will enrich observables in an event or report, you need to specify which enclaves can be used for that enrichment. Name this field Enrichment Enclave IDs.

You can also choose to offer an option to automatically enrich observables when they are submitted to Splunk Intelligence Management. Provide a checkbox for automatic submisstion of observables.

Sharing enclaves If your integration allows the user to share observables or reports with other enclaves, you will need to provide one or more enclave IDs where the items can be moved or copied to in Splunk Intelligence Mangement. Name this field Destination Enclave IDs.

When sharing reports, you can offer the user the option to redact information from the reports using the Company Safelist stored in Splunk Intelligence Management. In most cases, this can be a checkbox.

Searching enclaves You can specify one or more Enclave IDs to search for Observables. Name this field Search Enclave IDs. If no Enclave IDs are specified, the commands will search all Enclaves that the user has access to in Splunk Intelligence Management.
Phishing Triage enclaves When using the Phishing Triage workflow, you can set up this functionality within your integration:
  • Activate the Phishing Triage functionality. Name this field Activate Phishing Triage.
  • Specify Phishing Enclave IDs:
    • The Enclave where all phishing emails are submitted to the Phishing Triage workflow. Name this field Phishing Triage Enclave IDs.
    • The Enclave where you store the Indicators that have passed through the Phishing Triage workflow and have been deemed malicious. Name this field Phishing Triage Vetted Indicators Enclave IDs.

Proxy settings

Here's a sample user interface to collect proxy information if the app you are building will use a proxy server to reach the Internet.

This figure a sample user interface to collect proxy information.

Finding your API keys

Follow these steps to find your API Key and API Secret.

  1. In the Splunk intelligence Management Navigation Bar, click User Settings and select Settings from the dropdown menu.
  2. Click API to display the API panel.
  3. Select the checkbox and agree to the "Terms of Use" policy.
  4. Click Generate to generate API information.
    Alternatively, click Regenerate if you must regenerate the API information for any reason.
Last modified on 28 July, 2022
  Access threat intelligence using the interfaces in Splunk Intelligence Management

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters