Premium intelligence sources are closed sources that are available only if you have a commercial relationship, such as a paid license or subscription, to a third-party source. Premium intelligence sources also include open with membership sources, or groups that you hold membership in such as an ISAC or ISAO.
Use the following table to find the information required to subscribe to a premium intelligence source:
Intelligence source | Description | Update type | Update frequency | Supported observable types | Requirements |
---|---|---|---|---|---|
AbuseIPDB | Provides a deny list for IP addresses that have been associated with malicious activity. | Query-based | 15 minutes |
|
|
AlienVault OTX Pulse | Provides access to community-generated threat data. | Feed-based | 15 minutes |
|
|
A-ISAC | Facilitates the sharing of timely, actionable information related to threats, vulnerabilities,
incidents, potential protective measures, and best practices. |
Feed-based | 15 minutes |
|
|
Bambenek C2 DGA | Provides a feed of command and control indicators and monitors malicious networks. | Feed-based | 60 minutes |
|
|
Bambenek C2 Domain | Provides a feed of command and control domain names and monitors malicious networks. | Feed-based | 60 minutes |
|
|
Bambenek C2 IP | Provides a feed of command and control IP addresses and monitors malicious networks. | Feed-based | 60 minutes |
|
|
Cisco Secure Malware Analytics Indicators Feed | Provides content feeds of curated sets of indicators. | Feed-based | 10 minutes |
|
|
Cisco Secure Malware Analytics Analysis Feed | Provides content feeds of curated sets of indicators. | Feed-based | 10 minutes |
|
|
Cofense Intelligence | Provides accurate alerts about cryptojacking malware and other possible attacks circulating in phishing emails. | Feed-based | 15 minutes |
|
|
Crowdstrike Falcon Intelligence | Provides a list of detection IDs based on parameters. | Feed-based | 15 minutes |
|
|
Cyjax | Provides threat intelligence covering cyber, physical, and political focuses. | Feed-based | 15 minutes |
|
|
Digital Shadows | Provides threat intelligence by combining scalable data analytics with human data analysts to manage and mitigate risks. | Feed-based | 10 minutes |
|
|
Dragos | Provides actionable insights, analyses, alerts, and reports illuminating malicious activity and relevant recommendations. | Feed-based | 360 minutes |
|
|
Flashpoint Indicator Feed | Provides intelligence reports, technical data, and uniquely sourced conversations from illicit threat actor communities. | Feed-based | 15 minutes | The Flashpoint REST API is a MISP REST API, so all supported observables reflect thse of MISP. To see a list of supported observables for Flashpoint, see the supported observables for MISP in this table. |
|
Flashpoint Reports Feed | Provides access to illicit communities including closed, invite-only, and password-protected sources, as well as paste sites, technical data, stolen credentials, and social media sites exploited by threat actors. | Feed-based | 15 minutes | The Flashpoint REST API is a MISP REST API, so all supported observables reflect those of MISP. To see a list of supported observables for Flashpoint, see the supported observables for MISP in this table. |
|
FS-ISAC | Provides critical cyber-intelligence and builds awareness through alerts, indicators, member insights, threat assessments and analysis. | Feed-based | 360 minutes |
|
|
Intel 471 Adversary Intelligence | Provides timely data and context on malware and adversary infrastructure. | Feed-based | 15 minutes |
|
|
Intel 471 Alerts | Provides an actor-centric intelligence collection capability. | Feed-based | 15 minutes |
|
|
Intel 471 Malware Intelligence | Provides a high fidelity and timely indicator feed with rich context, TTP information, and malware intelligence reports. | Feed-based | 15 minutes |
|
|
Joe Sandbox Feeds | Provides analysis reports on malware targeting. | Feed-based | 15 minutes |
|
|
Mandiant Indicators Feed | Provides threat intelligence to reduce threats from fast-changing actors, detect emerging attacks, and reduce existing organizational threat risk surface. | Feed-based | 10 minutes |
|
|
MISP | Gathers, shares, stores and correlates IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information. You can select up to three MISP sources, Client A, Client B, and Client C, to set up multiple connections to different MISP endpoints. | Feed-based | 15 minutes |
|
|
Recorded Future Threat Intelligence Domain | Provides a list of up to 100,000 malicious domains with risk scores above 65. | Feed-based | 1440 minutes |
|
|
Recorded Future Threat Intelligence Hash | Provides a list of up to 100,000 malicious hashes with risk scores above 65. | Feed-based | 1440 minutes |
|
|
Recorded Future Threat Intelligence IP | Provides a list of up to 100,000 malicious IP addresses with risk scores above 65. | Feed-based | 1440 minutes |
|
|
Recorded Future Threat Intelligence URL | Provides a list of up to 100,000 malicious URLs with risk scores above 65. | Feed-based | 1440 minutes |
|
|
TAXII v1 | Allows users to normalize intelligence from STIX-TAXII supported tools and leverage high-fidelity Indicators within workflow tools. You can select up to three TAXII v1 sources, Client A, Client B, and Client C, to set up multiple connections to different TAXII v1 endpoints. | Feed-based | 15 minutes |
|
|
TAXii v2 | Allows users to normalize intelligence from STIX-TAXII supported tools and leverage high-fidelity Indicators within workflow tools. You can select up to three TAXII v2 sources, Client A, Client B, and Client C, to set up multiple connections to different TAXII v2 endpoints. | Feed-based | 15 minutes |
|
|
Comparing open source and premium intelligence sources in Splunk Enterprise Security | Available open intelligence sources for Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!