
The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links return redirect errors. To resolve a redirect error, use the version selector on the ES documentation homepage to navigate between versions.

You can see threat intelligence data only if your admin has set up Threat Intelligence Management (Cloud) for your organization. For information on configuring Threat Intelligence Management (Cloud), see Overview of threat intelligence in Splunk Enterprise Security.

Review threat intelligence attributes for a finding in Splunk Enterprise Security

If you have access to Threat Intelligence Management (Cloud), you can review threat intelligence attributes associated with a finding in the side panel of the analyst queue. Use threat intelligence attributes to help you determine whether you need to start an investigation based on this finding.

You can find threat intelligence attributes for a finding as you're triaging in the analyst queue. On the Mission Control page of Splunk Enterprise Security, select a finding, and then find the Threat intelligence section in the side panel.

Threat intelligence attributes include threat actors, MITRE ATT&CK tactics, CVEs, and malware associated with one or more observables present in the finding. These attributes are reported by the intelligence sources that contribute to active threat lists in the Threat Intelligence Management (Cloud) system.

To see a list of finding or investigation fields that can contain observables, see Fields containing observables in Splunk Enterprise Security.

If a finding has multiple observables that share an attribute value (for example, two observables that are both associated with the same threat actor), that value is listed only once in the Threat intelligence section.
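The consolidation described above, as an added illustration that is not Splunk code and does not use any Splunk API: a finding is modeled as a list of observables, each carrying the intelligence entries that matched it on an active threat list, and the four attribute categories are merged into one deduplicated view. It goes one step beyond the page by also recording which observables carried each value, so you can see why a value that several observables share still appears once. The finding structure, the field names (src, dest, file_hash) and every intel value below are constructed for the example.

```python
"""Consolidate threat intelligence attributes across the observables of one finding.

Added example, not Splunk's code or API. The finding layout, the observable
field names and all intelligence values are constructed assumptions.
"""
from collections import defaultdict

# The attribute categories the side panel reports.
CATEGORIES = ("threat_actors", "mitre_tactics", "cves", "malware")

# Constructed finding: two observables matched active threat lists, one did not.
# Field names and all intelligence values are assumptions made for the example.
FINDING = {
    "finding_id": "demo-0001",
    "observables": [
        {"field": "src", "value": "198.51.100.23",
         "intel": [
             {"source": "list_a", "threat_actors": ["ActorX"],
              "mitre_tactics": ["TA0011"], "cves": [], "malware": ["LoaderY"]},
         ]},
        {"field": "file_hash", "value": "d41d8cd98f00b204e9800998ecf8427e",
         "intel": [
             {"source": "list_b", "threat_actors": ["ActorX"],
              "mitre_tactics": ["TA0002"], "cves": ["CVE-2021-44228"],
              "malware": ["LoaderY"]},
         ]},
        {"field": "dest", "value": "10.0.0.5", "intel": []},
    ],
}


def consolidate(finding):
    """Return {category: {value: sorted list of observables that carry it}}.

    A value appears once per category no matter how many observables or
    intelligence sources report it (the dedup rule). The observable list
    per value is extra detail that shows where the value came from.
    """
    merged = {cat: defaultdict(set) for cat in CATEGORIES}
    for obs in finding["observables"]:
        label = f'{obs["field"]}={obs["value"]}'
        for entry in obs["intel"]:
            for cat in CATEGORIES:
                for value in entry.get(cat, []):
                    merged[cat][value].add(label)
    return {cat: {value: sorted(sources) for value, sources in sorted(values.items())}
            for cat, values in merged.items()}


def render(summary):
    """Plain-text rendering of the consolidated view, one line per category."""
    lines = []
    for cat in CATEGORIES:
        values = summary[cat]
        lines.append(f"{cat}: {', '.join(values) if values else '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = consolidate(FINDING)
    print(render(result))
    # Show which observables contributed each deduplicated value.
    for cat in CATEGORIES:
        for value, sources in result[cat].items():
            print(f"  {cat}/{value} <- {', '.join(sources)}")
```

Running the block lists ActorX and LoaderY once each even though both observables report them, while the observable breakdown underneath shows both contributors; the dest observable, which matched nothing, adds no attributes.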

See also

For more details on threat intelligence in Splunk Enterprise Security, see the product documentation:

Last modified on 28 May, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0

