Using external intelligence sources provided by threat intelligence management (cloud), you can detect and enrich investigations to automate your security operations and to accelerate your response. You can use external intelligence sources, including open sources and premium sources, to label and score internal events or suspicious alerts.
Threat intelligence management (cloud) records observables, which can be malicious or benign, as part of an investigation. The observables listed in an investigation are entities found in the log traffic by the detection that generated the findings associated with the investigation. You can automatically download observables from external sources into Splunk Enterprise Security KV stores. Then, you can use the observables to alert against internal log events.
Threat intelligence management (cloud) provides context to these observables, such as actors, campaigns, malware, common vulnerabilities and exposures (CVEs), and other objects.
External intelligence sources
External intelligence sources provide information about maliciousness through feeds and reports on actors, campaigns, and malware based on external knowledge. Most intelligence sources report data including IP addresses and URLs, and others report malware-focused information, such as MD5, SHA1, and SHA256. These external intelligence sources can be useful for calibrating on the maliciousness of threats in the context of larger cybersecurity space.
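The workflow described above (download observables of several types into a local lookup, then label and score internal log events against them) can be illustrated with a small, self-contained example. This is an added example, not code from Splunk Enterprise Security or from threat intelligence management (cloud): the feed entries, source names, scores, log events and field names are constructed placeholders, and the typing of an observable as IP, URL, MD5, SHA1 or SHA256 is done here by shape alone.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of observables as they might be downloaded from external
# sources. All values are placeholders, not real indicators. The same IP is
# reported by two sources so that source merging and scoring can be shown.
FEED_OBSERVABLES = [
    {"value": "198.51.100.23", "source": "open-feed-A", "score": 40},
    {"value": "198.51.100.23", "source": "premium-feed-B", "score": 70},
    {"value": "http://example.invalid/login.php", "source": "premium-feed-B", "score": 85},
    {"value": "0123456789abcdef0123456789abcdef", "source": "open-feed-A", "score": 60},  # MD5-shaped
    {"value": "0123456789abcdef0123456789abcdef01234567", "source": "premium-feed-B", "score": 90},  # SHA1-shaped
    {"value": "0123456789abcdef" * 4, "source": "premium-feed-B", "score": 95},  # SHA256-shaped
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def classify(value):
    """Return the observable type by shape: ip, url, md5, sha1, sha256, or unknown."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if SCHEME_RE.match(v):
        return "url"
    return "unknown"


def normalize(kind, value):
    """Canonical form so that case or trailing-slash differences still match."""
    v = value.strip()
    if kind in ("md5", "sha1", "sha256"):
        return v.lower()
    if kind == "url":
        p = urlsplit(v)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                           p.path.rstrip("/") or "/", p.query, p.fragment))
    return v


def build_lookup(observables):
    """Index observables by (type, canonical value), keeping every source that reported them."""
    lookup = defaultdict(list)
    for obs in observables:
        kind = classify(obs["value"])
        if kind == "unknown":
            continue  # skip anything that cannot be typed reliably
        lookup[(kind, normalize(kind, obs["value"]))].append(obs)
    return lookup


# Constructed internal log events, already field-extracted as a SIEM would index them.
LOG_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "src_ip": "198.51.100.23", "dest_ip": "10.0.0.5", "action": "allowed"},
    {"_time": "2024-05-01T10:01:00Z", "user": "alice", "url": "HTTP://Example.invalid/login.php/"},
    {"_time": "2024-05-01T10:02:00Z", "file_name": "setup.exe", "file_hash": "0123456789ABCDEF0123456789ABCDEF"},
    {"_time": "2024-05-01T10:03:00Z", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.8", "action": "allowed"},
]

# Hypothetical event fields that are checked against the lookup.
MATCH_FIELDS = ("src_ip", "dest_ip", "url", "file_hash")


def match_events(events, lookup):
    """Label each event field that hits a known observable; score by the highest source score."""
    alerts = []
    for event in events:
        for field_name in MATCH_FIELDS:
            raw = event.get(field_name)
            if raw is None:
                continue
            kind = classify(raw)
            hits = lookup.get((kind, normalize(kind, raw)), [])
            if not hits:
                continue
            alerts.append({
                "_time": event["_time"],
                "field": field_name,
                "type": kind,
                "observable": normalize(kind, raw),
                "sources": sorted({h["source"] for h in hits}),
                "score": max(h["score"] for h in hits),
            })
    return alerts


def run_demo():
    return match_events(LOG_EVENTS, build_lookup(FEED_OBSERVABLES))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Three of the four constructed events produce a labelled alert; the IP alert carries both sources and the higher of the two scores, and the hash and URL events match despite differences in letter case and trailing slash, which is why the canonical form is applied on both the feed side and the event side.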
Threat intelligence management (cloud) offers two types of external sources:
| Type of external source | Description |
|---|---|
| Open source | These intelligence sources are available to anyone without any type of access key or subscription fee. These sources include blogs, RSS feeds, and open APIs. Open sources are less curated and monitored, which lowers the signal-to-noise ratio and provides less value because the burden of data cleanup and analysis largely falls on the end user. |
| Premium intelligence source | These intelligence sources are closed sources that are available only if you have a paid license or subscription with a third-party provider or if you hold membership in a group such as an ISAC or ISAO. These sources are curated and enriched by the third-party providers and typically supply more value and usable intelligence to the end user. The premium intelligence sources of threat intelligence management (cloud) include both third-party providers and groups like FS-ISAC. |
Each external intelligence source falls into one of the following two categories based on how its information updates:
- Feed-based: Automatically polls the external intelligence source provider for new updates.
- Query-based: Submits a new report and sends queries to the external intelligence source provider.
Feed-based external intelligence sources
A feed-based intelligence source automatically and regularly updates because the source provider streams all of the information without the user requesting updates manually. The update interval can be anywhere from 10 minutes to 24 hours.
Reports in a feed-based data repository can focus on a single observable or on multiple observables. Reports usually include multiple observables, their relationships to each other, and their relationships to security events, malware, or threat actors.
Query-based external intelligence sources
A query-based intelligence source updates only when threat intelligence management (cloud) submits a new report to a private data repository. Threat intelligence management (cloud) extracts the observables from the report and then requests enrichment from the intelligence source provider. The intelligence source provider then adds information from the source as a correlation to the submitted report.
Query-based source reports usually focus on a single observable. Usually, the title of the report includes the name of this observable. A report can contain multiple observables in the report body, usually to provide context about the relationship of those observables to the main observable.
If a query-based source does not have any information about a particular observable, that source's data repository does not create a report about that observable. This does not mean that a station failed to retrieve information from the source about the observable.
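The query-based flow in this section (extract observables from a submitted report, query each provider, attach a correlation only when the provider has information) is shown below as an added example that is not code from threat intelligence management (cloud) or from any provider. The report text, the provider names and their knowledge bases are constructed; the point is the three distinct outcomes per observable and provider: a correlation, no information (which, as the section says, is not a failure), and an actual retrieval error.

```python
import re

# Constructed report text submitted to a private data repository.
# The hash and IP addresses are placeholders, not real indicators.
REPORT = (
    "Phishing mail delivered setup.exe (md5 0123456789abcdef0123456789abcdef) "
    "from 198.51.100.23; callback to 203.0.113.9 observed."
)

# IPv4 addresses and hex digests of 64, 40 or 32 characters (longest first).
EXTRACT_RE = re.compile(
    r"\b(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I
)


def extract_observables(text):
    """Return the observables found in the report body, in order, without duplicates."""
    found = []
    for m in EXTRACT_RE.finditer(text):
        v = m.group(0).lower()
        if v not in found:
            found.append(v)
    return found


class QueryProvider:
    """Hypothetical query-based provider backed by an in-memory knowledge base."""

    def __init__(self, name, knowledge):
        self.name = name
        self.knowledge = knowledge  # observable -> context dict

    def lookup(self, observable):
        """Return a report for the observable, or None when the provider knows nothing about it."""
        ctx = self.knowledge.get(observable)
        if ctx is None:
            return None
        return {
            "title": observable,  # query-based reports are titled after the main observable
            "source": self.name,
            "observables": [observable] + ctx.get("related", []),
            "context": ctx,
        }


class UnreachableProvider(QueryProvider):
    """Hypothetical provider that always fails, to show an error is distinct from 'no information'."""

    def lookup(self, observable):
        raise ConnectionError("provider unreachable")


def enrich_report(report_text, providers):
    """Query every provider for every extracted observable and sort the outcomes."""
    observables = extract_observables(report_text)
    result = {"observables": observables, "correlations": [], "no_information": [], "errors": []}
    for obs in observables:
        for prov in providers:
            try:
                report = prov.lookup(obs)
            except Exception as exc:  # retrieval failed; this is a real error
                result["errors"].append({"observable": obs, "source": prov.name, "error": str(exc)})
                continue
            if report is None:  # source has no data; not a failure, so no report is created
                result["no_information"].append({"observable": obs, "source": prov.name})
            else:
                result["correlations"].append(report)
    return result


def run_demo():
    providers = [
        QueryProvider("premium-X", {"198.51.100.23": {"verdict": "malicious", "related": ["203.0.113.9"]}}),
        UnreachableProvider("broken-Y", {}),
    ]
    return enrich_report(REPORT, providers)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Keeping "no information" and "error" as separate outcomes matters operationally: an absent report from a healthy provider is a negative result worth recording, while a retrieval error means the question was never answered and the query should be retried or the provider's health checked.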
See also
For more information on threat intelligence sources, see the product documentation:
- Supported types of threat intelligence in Splunk Enterprise Security
- Available premium intelligence sources for Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0