Download topic as PDF
Using external intelligence sources provided by Threat Intelligence Management, you can detect and enrich incident data to automate your investigation process and to accelerate your response to incidents. You can use external intelligence sources, including open sources and premium sources, to label and score internal events or suspicious alerts.
Threat Intelligence Management records observables, which can be malicious or benign, as part of an incident. An observable is a piece of data indicating that an event that has occurred or been observed on a computer system, network, or other digital entity. You can automatically download observables from external sources into Splunk Enterprise Security KV stores. Then, you can use the observables to alert against internal log events.
Threat Intelligence Management provides context to these observables, such as actors, campaigns, malware, common vulnerabilities and exposures (CVEs), and other objects.
External intelligence sources
External intelligence sources provide information about maliciousness through feeds and reports on actors, campaigns, and malware based on external knowledge. Most intelligence sources report data including IP addresses and URLs, and others report malware-focused information, such as MD5, SHA1, and SHA256. These external intelligence sources can be useful for calibrating on the maliciousness of threats in the context of larger cybersecurity space.
Threat Intelligence Management offers two types of external sources:
| Type of external source | Description |
|---|---|
| Open source | These intelligence sources are available to anyone without any type of access key or subscription fee. These sources include blogs, RSS feeds, and open APIs. Open sources are less curated and monitored, which can increase the signal-to-noise ratio and provide less value because the burden of data cleanup and analysis largely falls on the end user. |
| Premium intelligence source | These intelligence sources are closed sources that are available only if you have a paid license or subscription with a third-party provider or if you hold membership in a group such as an ISAC or ISAO. These sources are curated and enriched by the third-party providers and typically supply more value and usable intelligence to the end user. Threat Intelligence Management's premium intelligence sources include both third-party providers and groups like FS-ISAC. |
External intelligence sources can fall into one of the following two categories based on how its information updates:
- Feed-based: Automatically polls the external intelligence source provider for new updates.
- Query-based: Submits a new report and sends queries to the external intelligence source provider.
In Splunk Mission Control, all external intelligence sources are feed-based.
Feed-based sources
A feed-based intelligence source automatically and regularly updates because the source provider streams all of the information without the user requesting updates manually. The update interval can be anywhere from 10 minutes to 24 hours.
Reports in a feed-based data repository can focus on a single observable or multiple observables. Reports usually include multiple observables, their relationships to each other, and their relationships to security events, malware, or threat-actors.
See also
You can use intelligence sources to enrich incident data in Splunk Mission Control by activating the sources you want to use. See Activate intelligence source integrations from Splunk Mission Control to import threat intelligence data into Threat Intelligence Management.
|
PREVIOUS Investigate observables in Splunk Mission Control |
NEXT Troubleshoot Threat Intelligence Management in Splunk Mission Control |
This documentation applies to the following versions of Splunk® Mission Control: Current
Feedback submitted, thanks!