Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Access Threat Intelligence Management in Splunk Mission Control

Threat Intelligence Management is a cloud-native system that provides threat intelligence to Splunk Enterprise Security (Cloud) customers through Splunk Mission Control. With Threat Intelligence Management, you can detect and enrich incident data in Splunk Mission Control by correlating your internal data with internal and external intelligence sources. An intelligence workflow curates and prioritizes indicators of compromise according to your selected filters and prioritization rules. You can create up to 5 intelligence workflows and leverage a maximum of 10 external intelligence sources for each intelligence workflow.

After you receive an email indicating that you have a Threat Intelligence Management tenant on Splunk Cloud Services, you can access Threat Intelligence Management in Splunk Mission Control. For details on Threat Intelligence Management entitlement, see Threat Intelligence Management availability in the Splunk Mission Control Service Description manual.

To get a Threat Intelligence Management tenant and to set up groups, users, and roles, you must be a Splunk Cloud Services admin. As a Splunk Cloud Services admin, you can begin managing your organization's users after you receive an email invitation to do so.

On the Splunk Cloud Services Console homepage:

  1. Log in with the account credentials of your Splunk Cloud Services admin user account.
  2. Accept your tenant.
  3. Select Launch for the Threat Intelligence Management app to set up Threat Intelligence Management sources and workflows before using them in Splunk Mission Control.

Splunk Cloud Services user accounts and their associated authentication credentials are not the same as the user accounts and authentication credentials of the cloud-managed Splunk Enterprise installation.

For information on configuring user permissions in Splunk Mission Control, see Manage roles and capabilities for users of Splunk Mission Control.

Troubleshoot Threat Intelligence Management modular inputs

In Splunk Mission Control, there are two modular inputs used to get intelligence from Threat Intelligence Management. When your organization has an active subscription to Threat Intelligence Management, the two modular inputs, Mission Control - Retrieve IM Indicators and Mission Control - Parse IM indicators, are active by default. To activate a subscription for Threat Intelligence Management, contact your sales representative. To get help with troubleshooting an active subscription, contact support.

Error message: Intelligence modular input is disabled

If you have an active subscription to Threat Intelligence Management, and you see an error message in Splunk Mission Control about deactivated modular inputs, complete the following steps to check for and activate the necessary modular inputs.

  1. Select the Settings tab in Splunk Web.
  2. In the Data section, select Data inputs.
  3. Select Mission Control - Retrieve IM Indicators for the local input.
  4. Select Enable in the Status field.
  5. Return to the Data inputs page and select Mission Control - Parse IM indicators files.
  6. Select Enable in the Status field.

After you activate the modular inputs for Splunk Mission Control, you can access threat object intelligence in the Intelligence tab of your incident investigation. To learn more about what you can do with Threat Intelligence Management, see Assess threats using intelligence data in Splunk Mission Control.

Last modified on 16 June, 2023
 

This documentation applies to the following versions of Splunk® Mission Control: Current

