Splunk® Enterprise Security

Use Splunk Enterprise Security


You can see threat intelligence data only if your admin has set up Threat Intelligence Management (Cloud) for your organization. For information on configuring Threat Intelligence Management (Cloud), see Overview of threat intelligence in Splunk Enterprise Security.

Fields containing observables in Splunk Enterprise Security

Some findings and investigations have specific fields that contain observables.

For example, a finding that you're triaging might contain one or more observables, such as a URL. If that URL has been reported by intelligence sources in active threat lists from the Threat Intelligence Management (Cloud) system, then you can find any threat intelligence attributes on that URL in the side panel of the analyst queue.

Similarly, investigations can contain observables with added context, such as priority scores, which you can use to advance that investigation and enhance your security monitoring capabilities.

Findings and investigations can contain observables from the following fields:

  • host
  • orig_host
  • dvc
  • dest
  • src
  • src_user
  • user
  • cve
  • dest_dns
  • dest_ip
  • dest_nt_domain
  • dest_nt_host
  • dest_translated_ip
  • dns
  • dvc_dns
  • dvc_ip
  • dvc_nt_host
  • file_hash
  • file_name
  • file_path
  • hash
  • ip
  • nt_host
  • orig_host_dns
  • orig_host_ip
  • orig_host_nt_host
  • path
  • recipient
  • sender
  • src_dns
  • src_ip
  • src_nt_domain
  • src_nt_host
  • src_user_email
  • src_user_identity
  • src_user_id
  • threat_ip
  • url
  • user_email
  • user_identity
  • user_id
  • threat_source_path
  • risk_object
  • risk_object_type
  • threat_object
  • threat_object_type
  • threat_match_value
  • threat_match_field

Some of these fields carry a usable observable only when a companion field is also present in the finding. Without the companion field, no intelligence data appears for that value in the intelligence tab of an investigation. The pairs are as follows:

  • risk_object requires risk_object_type
  • threat_object requires threat_object_type
  • threat_match_value requires threat_match_field
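The following Python script is an added example, not Splunk code. It takes findings shaped like JSON-exported events (plain dicts, with multivalued fields as lists), pulls out every value that sits in one of the observable fields listed above, and flags the fields whose companion (risk_object_type, threat_object_type, threat_match_field) is missing, since those values would not get intelligence in the investigation. The two finding records at the bottom are constructed sample data (RFC 5737 addresses, example.com names, the well-known empty-input SHA-256 and MD5 digests); the choice to treat the three companion fields as descriptors rather than as standalone observables is this example's own.

```python
"""Extract observables from Splunk Enterprise Security findings and check the
companion-field pairs that the investigation intelligence tab depends on.

Added example, not Splunk's own code. The sample findings are constructed.
"""
from __future__ import annotations

from typing import Any

# Fields that can carry an observable, as listed in the documentation.
OBSERVABLE_FIELDS: frozenset[str] = frozenset({
    "host", "orig_host", "dvc", "dest", "src", "src_user", "user", "cve",
    "dest_dns", "dest_ip", "dest_nt_domain", "dest_nt_host",
    "dest_translated_ip", "dns", "dvc_dns", "dvc_ip", "dvc_nt_host",
    "file_hash", "file_name", "file_path", "hash", "ip", "nt_host",
    "orig_host_dns", "orig_host_ip", "orig_host_nt_host", "path",
    "recipient", "sender", "src_dns", "src_ip", "src_nt_domain",
    "src_nt_host", "src_user_email", "src_user_identity", "src_user_id",
    "threat_ip", "url", "user_email", "user_identity", "user_id",
    "threat_source_path", "risk_object", "risk_object_type", "threat_object",
    "threat_object_type", "threat_match_value", "threat_match_field",
})

# Fields whose value is only usable when the companion field is also present.
REQUIRED_COMPANION: dict[str, str] = {
    "risk_object": "risk_object_type",
    "threat_object": "threat_object_type",
    "threat_match_value": "threat_match_field",
}
# Design choice of this example: companions describe another field's value and
# are not emitted as observables in their own right.
COMPANION_FIELDS = frozenset(REQUIRED_COMPANION.values())


def _values(raw: Any) -> list[str]:
    """Normalise a field value: Splunk fields may be multivalued (lists), and
    None or empty strings carry no observable."""
    if raw is None:
        return []
    items = raw if isinstance(raw, (list, tuple)) else [raw]
    return [str(v).strip() for v in items if v is not None and str(v).strip()]


def extract_observables(
    finding: dict[str, Any],
) -> tuple[list[dict[str, str | None]], list[str]]:
    """Return (observables, problems) for a single finding.

    observables: one entry per (field, value); "type" holds the companion
    value (e.g. risk_object_type) where the field has one, else None.
    problems: observable fields present in the finding whose required
    companion field is missing or empty, so no intelligence would appear.
    """
    observables: list[dict[str, str | None]] = []
    problems: list[str] = []
    for field in sorted(finding):
        if field not in OBSERVABLE_FIELDS or field in COMPANION_FIELDS:
            continue  # not an observable field (e.g. rule_name) or a descriptor
        values = _values(finding[field])
        if not values:
            continue
        kind: str | None = None
        companion = REQUIRED_COMPANION.get(field)
        if companion is not None:
            kind_values = _values(finding.get(companion))
            if not kind_values:
                problems.append(field)
                continue  # value is unusable without its descriptor
            kind = kind_values[0]
        for value in values:
            observables.append({"field": field, "value": value, "type": kind})
    return observables, problems


def distinct_values(observables: list[dict[str, str | None]]) -> list[str]:
    """Distinct values to look up, so one value found in several fields
    (dest and threat_object both 203.0.113.7) is queried only once."""
    return sorted({o["value"] for o in observables if o["value"] is not None})


# Constructed sample findings shaped like JSON-exported finding events.
SAMPLE_FINDINGS: list[dict[str, Any]] = [
    {   # every companion pair is complete; url and src_ip match directly
        "rule_name": "Threat Activity Detected",
        "src_ip": "10.0.0.5",
        "dest": "203.0.113.7",
        "url": "http://malware.example.com/payload.bin",
        "risk_object": "wkst-1042",
        "risk_object_type": "system",
        "threat_object": "203.0.113.7",
        "threat_object_type": "ip",
        "threat_match_value": "203.0.113.7",
        "threat_match_field": "dest",
    },
    {   # risk_object without risk_object_type: flagged, not looked up
        "rule_name": "Suspicious Process Hash",
        "risk_object": "jdoe",
        "user": "jdoe",
        "file_hash": [  # multivalued field: two digests, both extracted
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "d41d8cd98f00b204e9800998ecf8427e",
        ],
    },
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        obs, problems = extract_observables(finding)
        print(finding["rule_name"], "->", distinct_values(obs))
        for field in problems:
            print(f"  missing {REQUIRED_COMPANION[field]} for {field}")
```

Run it before a correlation search goes live: feed it a few findings the search produces and fix the search (for example, add risk_object_type in the risk action) wherever a field shows up under problems.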

Last modified on 28 May, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0
