Splunk® Enterprise Security

Administer Splunk Enterprise Security

Overview of threat intelligence in Splunk Enterprise Security

In Splunk Enterprise Security, you can add threat intelligence data to enhance your security monitoring capabilities and enrich investigations with added context. With threat intelligence data, you can correlate known threats and indicators of suspicious activity with your events.

The threat intelligence management system ingests threat intelligence data from external sources and then does the following:

  • Feeds Splunk Enterprise Security threat detection searches with intelligence data
  • Enriches investigations by displaying intelligence data relevant to the observables found within the fields of an investigation

An observable is a piece of data indicating that an event has occurred or been observed on a computer system, network, or other digital entity. Splunk Enterprise Security records observables, which can be malicious or benign, as part of an investigation. The observables listed in an investigation are entities found in the log traffic by the detection that generated the findings associated with the investigation.

By investigating risk with threat intelligence data, you can better defend against threats, such as advanced persistent threats (APTs) and zero-day threats, and make more informed decisions for your security operations center (SOC).
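The following Python model of the threat-matching step described above is an added example, not Splunk Enterprise Security's own implementation (the product performs this matching in its threat matching searches against the KV store collections). It assumes a constructed threat list and event records whose field names (`src`, `dest`, `query`, `file_hash`) are placeholders, and it shows the normalization that a matcher needs so that defanged or differently cased indicators still match observables in events.

```python
import ipaddress

# Constructed threat list with placeholder indicators (a documentation IP range,
# a reserved example domain, the SHA-256 of the empty string); not real IoCs.
THREAT_LIST = [
    {"type": "ip", "value": "203.0.113.0/24", "source": "feed-a"},
    {"type": "domain", "value": "Bad[.]Example.", "source": "feed-b"},
    {"type": "file_hash", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "source": "feed-c"},
]

# Which event fields carry which kind of observable (hypothetical field names).
FIELD_TYPES = {"src": "ip", "dest": "ip", "query": "domain", "file_hash": "file_hash"}

def normalize(kind, value):
    """Refang [.] and hxxp, lowercase domains and hashes, strip trailing dots."""
    v = str(value).strip().replace("[.]", ".").replace("hxxp", "http")
    if kind == "domain":
        return v.lower().rstrip(".")
    if kind == "file_hash":
        return v.lower()
    return v

def build_index(threat_list):
    """Exact-match dicts for domains and hashes, a list of networks for IPs."""
    index = {"domain": {}, "file_hash": {}, "ip": []}
    for ind in threat_list:
        key = normalize(ind["type"], ind["value"])
        if ind["type"] == "ip":
            index["ip"].append((ipaddress.ip_network(key, strict=False), ind))
        else:
            index[ind["type"]][key] = ind
    return index

def match_event(event, index):
    """Return one finding per event field whose observable matches an indicator."""
    findings = []
    for field, kind in FIELD_TYPES.items():
        if field not in event:
            continue
        value = normalize(kind, event[field])
        if kind == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # field did not hold a parseable address
            hit = next((ind for net, ind in index["ip"] if addr in net), None)
        else:
            hit = index[kind].get(value)
        if hit:
            findings.append({"field": field, "observable": value, "source": hit["source"]})
    return findings
```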

Splunk Enterprise Security uses the following two systems for storing threat intelligence data:

  • Threat intelligence management
  • Threat intelligence management (cloud)

With both systems, you can configure threat intelligence sources to get intelligence data. However, the configuration process differs for each system because the threat intelligence management (cloud) system is cloud-based, while the threat intelligence management system resides in the Splunk Enterprise Security application and aggregates data directly into the threat intelligence KV store collections.

You can access the threat intelligence data aggregated by the cloud system by utilizing the threat-matching functionality in Splunk Enterprise Security and the Intelligence page within an investigation. Threat intelligence data shown on the Intelligence page of an investigation is only from the cloud system, and not the threat intelligence management system that resides in the Splunk Enterprise Security app.

Threat intelligence management

To get started with the threat intelligence management system, follow these steps:

  1. (Optional) Configure proxy server settings in Splunk Enterprise Security
  2. Configure sources for threat intelligence management
  3. Turn on threat matching searches in Splunk Enterprise Security
  4. Modify proxy and parser settings in Splunk Enterprise Security


Threat intelligence management (cloud)

To get started with the threat intelligence management (cloud) system, follow these steps:

  1. Configure cloud-hosted threat intelligence data source integrations
  2. Configure threat lists in Splunk Enterprise Security
  3. Create and manage safelist libraries in Splunk Enterprise Security

Last modified on 03 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

