Overview of threat intelligence in Splunk Enterprise Security
In Splunk Enterprise Security, you can add threat intelligence data to enhance your security monitoring capabilities and enrich investigations with added context. With threat intelligence data, you can correlate known threats and indicators of suspicious activity with your events.
The threat intelligence management system ingests threat intelligence data from external sources and then does the following:
- Feeds Splunk Enterprise Security threat detection searches with intelligence data
- Enriches investigations by displaying intelligence data relevant to the observables found within the fields of an investigation
An observable is a piece of data indicating that an event has occurred or been observed on a computer system, network, or other digital entity. Splunk Enterprise Security records observables, which can be malicious or benign, as part of an investigation. The observables listed in an investigation are entities found in the log traffic by the detection that generated the findings associated with the investigation.
By investigating risk with threat intelligence data, you can better defend against threats, such as advanced persistent threats (APTs) and zero-day threats, and make more informed decisions for your security operations center (SOC).
Splunk Enterprise Security uses the following two systems for storing threat intelligence data:
- Threat intelligence management
- Threat intelligence management (cloud)
With both systems, you configure threat intelligence sources to obtain intelligence data. However, the configuration process differs for each system: the threat intelligence management (cloud) system is cloud-based, while the threat intelligence management system resides in the Splunk Enterprise Security app and aggregates data directly into the threat intelligence KV store collections.
You can access the threat intelligence data aggregated by the cloud system by using the threat-matching functionality in Splunk Enterprise Security and the Intelligence page within an investigation. Threat intelligence data shown on the Intelligence page of an investigation comes only from the cloud system, not from the threat intelligence management system that resides in the Splunk Enterprise Security app.
Threat intelligence management
To get started with the threat intelligence management system, follow these steps:
- (Optional) Configure proxy server settings in Splunk Enterprise Security
- Configure sources for threat intelligence management
- Turn on threat matching searches in Splunk Enterprise Security
- Modify proxy and parser settings in Splunk Enterprise Security
Threat intelligence management (cloud)
To get started with the threat intelligence management (cloud) system, follow these steps:
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1