Splunk® Enterprise Security

Administer Splunk Enterprise Security

Available premium intelligence sources for Splunk Enterprise Security

Premium intelligence sources are closed sources that are available only if you have a commercial relationship with a third-party source, such as a paid license or subscription. Premium intelligence sources also include open-with-membership sources, that is, groups in which you hold a membership, such as an ISAC or ISAO.

Use the following table to find the information required to subscribe to a premium intelligence source:

Each entry lists the intelligence source, its description, update type, update frequency, supported observable types, and requirements.

AbuseIPDB
  Description: Provides a deny list for IP addresses that have been associated with malicious activity.
  Update type: Query-based
  Update frequency: 15 minutes
  Supported observable types:
    • IP4
  Requirements:
    • A trial or paid subscription with API key

AlienVault OTX Pulse
  Description: Provides access to community-generated threat data.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • AlienVault OTX subscription
    • AlienVault OTX API key

A-ISAC
  Description: Facilitates the sharing of timely, actionable information related to threats, vulnerabilities, incidents, potential protective measures, and best practices.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • A-ISAC subscription
    • A-ISAC username
    • A-ISAC password

Bambenek C2 DGA
  Description: Provides a feed of command and control indicators and monitors malicious networks.
  Update type: Feed-based
  Update frequency: 60 minutes
  Supported observable types:
    • DOMAIN
  Requirements:
    • Bambenek DGA Feed subscription
    • Bambenek DGA Feed API key

Bambenek C2 Domain
  Description: Provides a feed of command and control domain names and monitors malicious networks.
  Update type: Feed-based
  Update frequency: 60 minutes
  Supported observable types:
    • DOMAIN
  Requirements:
    • Bambenek C2 Domain subscription
    • Bambenek Domain IP Feed API key
    • Bambenek Domain IP Feed API secret

Bambenek C2 IP
  Description: Provides a feed of command and control IP addresses and monitors malicious networks.
  Update type: Feed-based
  Update frequency: 60 minutes
  Supported observable types:
    • IP
  Requirements:
    • Bambenek C2 IP Feed subscription
    • Bambenek C2 IP Feed API key
    • Bambenek C2 IP Feed API secret

Cisco Secure Malware Analytics Indicators Feed
  Description: Provides content feeds of curated sets of indicators.
  Update type: Feed-based
  Update frequency: 10 minutes
  Supported observable types:
    • IP
    • DOMAIN
    • URL
    • SHA256
    • SHA1
    • MD5
    • REGISTRY_KEY
  Requirements:
    • Cisco Secure Malware Analytics license
    • API key

Cisco Secure Malware Analytics Analysis Feed
  Description: Provides content feeds of curated sets of indicators.
  Update type: Feed-based
  Update frequency: 10 minutes
  Supported observable types:
    • IP
    • DOMAIN
    • URL
    • SHA256
    • SHA1
    • MD5
    • REGISTRY_KEY
  Requirements:
    • Cisco Secure Malware Analytics license
    • API key

Cofense Intelligence
  Description: Provides accurate alerts about cryptojacking malware and other possible attacks circulating in phishing emails.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • EMAIL_ADDRESS
    • HASH
    • IP
    • URL
    • SOFTWARE
  Requirements:
    • Cofense Intelligence subscription
    • API key
    • API secret

CrowdStrike Falcon Intelligence
  Description: Provides a list of detection IDs based on parameters.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • CrowdStrike license
    • Access to CrowdStrike Falcon Intelligence
    • API ID and API key for the reports API
    • Client custom region assigned to your license by CrowdStrike

Cyjax
  Description: Provides threat intelligence covering cyber, physical, and political focuses.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • EMAIL_ADDRESS
  Requirements:
    • A paid subscription to Cyjax
    • Cyjax API key

Digital Shadows
  Description: Provides threat intelligence by combining scalable data analytics with human data analysts to manage and mitigate risks.
  Update type: Feed-based
  Update frequency: 10 minutes
  Supported observable types:
    • IP
    • URL
    • MD5
    • SHA1
  Requirements:
    • Digital Shadows license
    • API key

Dragos
  Description: Provides actionable insights, analyses, alerts, and reports illuminating malicious activity and relevant recommendations.
  Update type: Feed-based
  Update frequency: 360 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP address
    • URL
    • Software
  Requirements:
    • Dragos subscription
    • API key
    • API secret

Flashpoint Indicator Feed
  Description: Provides intelligence reports, technical data, and uniquely sourced conversations from illicit threat actor communities.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types: The Flashpoint REST API is a MISP REST API, so all supported observables reflect those of MISP. To see a list of supported observables for Flashpoint, see the supported observables for MISP in this table.
  Requirements:
    • Flashpoint subscription
    • API key

Flashpoint Reports Feed
  Description: Provides access to illicit communities including closed, invite-only, and password-protected sources, as well as paste sites, technical data, stolen credentials, and social media sites exploited by threat actors.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types: The Flashpoint REST API is a MISP REST API, so all supported observables reflect those of MISP. To see a list of supported observables for Flashpoint, see the supported observables for MISP in this table.
  Requirements:
    • Flashpoint subscription
    • API key

FS-ISAC
  Description: Provides critical cyber-intelligence and builds awareness through alerts, indicators, member insights, threat assessments and analysis.
  Update type: Feed-based
  Update frequency: 360 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • FS-ISAC membership
    • API username
    • API password

Intel 471 Adversary Intelligence
  Description: Provides timely data and context on malware and adversary infrastructure.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
  Requirements:
    • Intel 471 subscription
    • API ID
    • API key

Intel 471 Alerts
  Description: Provides an actor-centric intelligence collection capability.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
  Requirements:
    • Intel 471 subscription
    • API ID
    • API key

Intel 471 Malware Intelligence
  Description: Provides a high fidelity and timely indicator feed with rich context, TTP information, and malware intelligence reports.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
  Requirements:
    • Intel 471 subscription
    • API ID
    • API key

Joe Sandbox Feeds
  Description: Provides analysis reports on malware targeting.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • Joe Security registration
    • Joe Sandbox Cloud API key

Mandiant Indicators Feed
  Description: Provides threat intelligence to reduce threats from fast-changing actors, detect emerging attacks, and reduce existing organizational threat risk surface.
  Update type: Feed-based
  Update frequency: 10 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • iSight intelligence subscription
    • iSight public key (API ID)
    • iSight private key (API secret)

MISP
  Description: Gathers, shares, stores and correlates IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information. You can select up to three MISP sources, Client A, Client B, and Client C, to set up multiple connections to different MISP endpoints.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • PHONE_NUMBER
    • FILENAME
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • MISP server URL
    • Authentication key

Recorded Future Threat Intelligence Domain
  Description: Provides a list of up to 100,000 malicious domains with risk scores above 65.
  Update type: Feed-based
  Update frequency: 1440 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
  Requirements:
    • Recorded Future Premium subscription
    • API key
    • Recorded Future credits for list updates

Recorded Future Threat Intelligence Hash
  Description: Provides a list of up to 100,000 malicious hashes with risk scores above 65.
  Update type: Feed-based
  Update frequency: 1440 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
  Requirements:
    • Recorded Future Premium subscription
    • API key
    • Recorded Future credits for list updates

Recorded Future Threat Intelligence IP
  Description: Provides a list of up to 100,000 malicious IP addresses with risk scores above 65.
  Update type: Feed-based
  Update frequency: 1440 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • BITCOIN_ADDRESS
    • SOFTWARE
    • EMAIL_ADDRESS
    • REGISTRY_KEY
  Requirements:
    • Recorded Future Premium subscription
    • API key
    • Recorded Future credits for list updates

Recorded Future Threat Intelligence URL
  Description: Provides a list of up to 100,000 malicious URLs with risk scores above 65.
  Update type: Feed-based
  Update frequency: 1440 minutes
  Supported observable types:
    • DOMAIN
    • URL
  Requirements:
    • Recorded Future Premium subscription
    • API key
    • Recorded Future credits for list updates

TAXII v1
  Description: Allows users to normalize intelligence from STIX-TAXII supported tools and leverage high-fidelity Indicators within workflow tools. You can select up to three TAXII v1 sources, Client A, Client B, and Client C, to set up multiple connections to different TAXII v1 endpoints.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • REGISTRY_KEY
    • SOFTWARE
    • EMAIL_ADDRESS
  Requirements:
    • TAXII server URL
    • API credentials
    • PEM file contents
    • TAXII server collections

TAXII v2
  Description: Allows users to normalize intelligence from STIX-TAXII supported tools and leverage high-fidelity Indicators within workflow tools. You can select up to three TAXII v2 sources, Client A, Client B, and Client C, to set up multiple connections to different TAXII v2 endpoints.
  Update type: Feed-based
  Update frequency: 15 minutes
  Supported observable types:
    • MD5
    • SHA1
    • SHA256
    • IP4
    • IP6
    • DOMAIN
    • URL
    • CIDR_BLOCK
    • REGISTRY_KEY
    • SOFTWARE
    • EMAIL_ADDRESS
  Requirements:
    • TAXII server URL
    • API credentials
    • PEM file contents
    • TAXII server collections
Last modified on 30 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1