Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Get started with Threat Intelligence Management in Splunk Mission Control

Threat Intelligence Management is a cloud-native system that provides threat intelligence data to Splunk Mission Control. With Threat Intelligence Management, you can detect, manage, and assess threats by enriching incident data.

Enriching incident data is a process of correlating internal data with intelligence sources and providing additional context to observables. An observable is a piece of data indicating that an event has occurred or been observed on a computer system, network, or other digital entity. Threat Intelligence Management records observables, which can be malicious or benign, as part of an incident. Using this additional context, such as the identity of an attacker, their capabilities and motivation, and indicators of compromise (IOCs), Threat Intelligence Management assigns priority scores to observables. You can investigate the risk posed by observables using priority scores.

By investigating risk with threat intelligence data, you can better defend against threats, such as advanced persistent threats (APTs) and zero-day threats, and make more informed decisions for your security operations center (SOC).

Access intelligence data

You can investigate observables in the Intelligence tab of your incident investigation in Splunk Mission Control. To access intelligence data, you must do the following:

  1. Activate intelligence sources. See Activate intelligence source integrations from Splunk Mission Control to import threat intelligence data into Threat Intelligence Management.
  2. Create an intelligence workflow. See Create an intelligence workflow.
  3. Activate the intelligence workflow you want to use. See Activate a threat intelligence workflow.

After you have access to threat intelligence data, you can start managing observables and reviewing their priority scores.

Last modified on 11 March, 2024

This documentation applies to the following versions of Splunk® Mission Control: Current

