Set up intelligence workflows in Splunk Mission Control to automate indicator processing
To use Threat Intelligence Management in Splunk Mission Control, you must set up an intelligence workflow. Intelligence workflows are no-code data pipelines designed to automate the extraction, transformation, and sharing of indicators. You can configure intelligence workflows to meet your specific security use case requirements, and you can set up multiple intelligence workflows to pinpoint responses or target data to specific tools in your cybersecurity setup. Intelligence workflows can reduce data wrangling, accelerate intelligence automation, and reduce false positives. Your team can use intelligence workflows to be more efficient and effective while making security decisions. For example, you might want one intelligence workflow to identify common malware indicators while another intelligence workflow ranks and rates IP addresses and domain names.
Each intelligence workflow has three stages that you can customize to meet your needs:
- Workflow details: Enter a custom name for your workflow and select the type of workflow you want to create.
- Intelligence sources: Choose any of the intelligence sources, premium or open source, available to you.
- Transformations: Filter the indicators from those sources by score and indicator type and remove any indicators that are on a specified safelist.
Intelligence workflows gather all the intelligence from the sources, pass it through filters, and transform the results into a destination data repository to store the intelligence data. For example, if the two intelligence sources, Virus Total and Digital Shadows, create 5 and 10 records of observables respectively, then all 15 records enter the pipeline. Subsequently, the 15 records get consolidated into a single indicator of record for IP address of type 22.214.171.124.
Create an intelligence workflow
An intelligence workflow reduces alert volume by supplying a curated list of indicators of compromise (IOCs) to Splunk Mission Control. Create intelligence workflows to filter and transform indicators into a high-fidelity dataset.
To create an intelligence workflow, complete the following steps:
- In Splunk Mission Control, select Content and then Intelligence.
- Select Workflows.
- Select + Workflow.
You can create no more than five intelligence workflows.
- In the Workflow details section, enter a name for your workflow such as Medium and high IP addresses.
- Select a Workflow type such as Indicator prioritization. You can use the indicator prioritization intelligence workflow to filter indicators into a high-fidelity dataset that you can use with third-party tools or other integrations in your cybersecurity environment.
- Select Next.
- In the Intelligence sources section, select the check boxes for the intelligence sources you want to use in the intelligence workflow. The Intelligence sources section displays the list of activated intelligence sources for your organization. If the list is long, you can use the search bar to locate a specific source you want to use. You can also filter the sources by type and select from premium sources, open sources, internal sources, and so on.
You can select no more than 10 intelligence sources for an intelligence workflow.
- (Optional) Change the default weight of an intelligence source using the drop-down list for that source in the Weight column. The weight of an intelligence source represents the trustworthiness of the source. The weight can range between a score of 1 to 5, where 5 indicates that a source is extremely trustworthy. You can assign a weight to each source that you select to provide more customization in the transformations stage. For example, you might know from past experience that one source is closely aligned to the malicious indicators you've seen in past cybersecurity events, so you might want to give that source a higher weight than a source that you started using recently. If you gave Virus Total a score of 3 and Digital Shadows a score of 1, it implies that you want Virus Total to have more influence in the final scoring of the indicators of compromise (IOC).
- Select Next.
- In the Transformations section, select the check boxes for the scores and indicator types you want to include in your workflow. Then select the check boxes for any safelist libraries you want to exclude from your list of prioritized indicators. Safe lists ensure that the workflow removes indicators containing specific terms or phrases.
- (Optional) To add a new safelist library, select + Add safelist library.
- Enter a name.
- Enter each item one by one, or select Add safelist items in bulk to enter a full list of safelist items.
- Select Save.
- Select Create workflow to save the workflow.
After you create an intelligence workflow, you can begin using it in your incident investigations. You can activate only one intelligence workflow at a time in Splunk Mission Control. To learn how to activate a particular intelligence workflow, see Activate a threat intelligence workflow.
Edit and delete intelligence workflows
You can make changes to intelligence workflows after you create them, and you can also remove ones you no longer need. To edit and delete intelligence workflows, complete the following steps:
- Select Content and then Intelligence.
- Select Workflows.
- Locate the workflow you want to edit or delete, and then select the more icon ( ).
- To edit the workflow, select Edit. Then, make your changes and select Save workflow.
- To delete the workflow, select Delete. Then, confirm that you want to delete it by selecting Delete again.
Activate a threat intelligence workflow
To produce intelligence results for incidents, you must activate a particular intelligence workflow to use in Splunk Mission Control. You can select only one intelligence workflow to use at a time.
You must have the sc_admin role to activate an intelligence workflow.
To activate an intelligence workflow to use in Splunk Mission Control, complete the following steps:
- From the Content page in Splunk Mission Control, select Intelligence then Workflows.
- Find the intelligence workflow that you want to activate in the list of workflows, and then select the more icon ( ) for that workflow.
- Select Set as active.
The intelligence data shown in an incident investigation comes from only the intelligence workflow you activate on the Content page in Splunk Mission Control and not from any other intelligence workflows you created.
After you set up an intelligence workflow in Splunk Mission Control and have access to threat intelligence, you can start managing observables and reviewing their priority scores for incidents. See Investigate observables in Splunk Mission Control.
Activate external intelligence sources to enrich incident data in Splunk Mission Control
Investigate observables in Splunk Mission Control
This documentation applies to the following versions of Splunk® Mission Control: Current