Example workflows for Threat Intelligence Management in Splunk Mission Control
You can use the following high-level example workflows when creating an intelligence workflow in the Splunk Cloud Console. By creating an intelligence workflow, you can leverage Threat Intelligence Management in Splunk Mission Control. To find details on the stages of intelligence workflows, see Configure intelligence workflows for Splunk Mission Control to automate processing indicators.
Improve detection and reduce false positives
You can use the following high-level example workflow to make more accurate detections and reduce false positives with Threat Intelligence Management.
- From the Workflows page of your Splunk Cloud Console, create a new intelligence workflow, or edit an existing one.
- For the Sources stage, send the internal event data to Threat Intelligence Management. Use premium intelligence sources and open sources to normalize, score, and prioritize the event data.
- For the Transformations stage, prepare and prioritize data to identify malicious indicators.
- For the Destinations stage, send the prioritized indicators and intelligence reports back to the detection tool, so that it alerts only on high-confidence indicators and its false positive rate drops.
For more details on how to create, edit, or delete an intelligence workflow, see Create intelligence workflows to prioritize indicators.
Enrich data using threat intelligence sources
You can use the following high-level example workflow to enrich data using threat intelligence sources with Threat Intelligence Management.
- From the Workflows page of your Splunk Cloud Console, create a new intelligence workflow, or edit an existing one.
- For the Sources stage, send internal event data to Threat Intelligence Management to correlate with your historical, premium, and open intelligence sources.
- For the Transformations stage, enrich and prioritize events with prepared and normalized data from your intelligence sources.
- For the Destinations stage, automate and streamline the exchange of data between Threat Intelligence Management and your case management tools. Use a link to jump to the Threat Intelligence Management web app and view original intelligence reports and correlation with other intelligence sources.
For more details on how to create, edit, or delete an intelligence workflow, see Create intelligence workflows to prioritize indicators.
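To make the three stages concrete for both workflows above, here is an added toy model (not Splunk's code or the Threat Intelligence Management API) of what Sources, Transformations, and Destinations do to an indicator: internal events are normalized, scored against weighted intelligence sources, and only those above a threshold are sent on. The event data, the intelligence entries, and the per-source weights are all constructed assumptions.

```python
"""Toy model of an intelligence workflow: Sources -> Transformations -> Destinations.
All data below is constructed for illustration; this is not Splunk's API."""

# Sources stage input: constructed internal event data from a detection tool.
INTERNAL_EVENTS = [
    {"id": "evt-1", "indicator": " Evil-Domain.EXAMPLE ", "type": "domain"},
    {"id": "evt-2", "indicator": "203.0.113.7", "type": "ip"},
    {"id": "evt-3", "indicator": "update.example.net", "type": "domain"},
]

# Constructed intelligence sources. Premium feeds are trusted more than open
# or historical ones, so their scores carry more weight (assumed values).
SOURCE_WEIGHT = {"premium": 1.0, "open": 0.6, "historical": 0.4}
INTEL = {
    "evil-domain.example": [("premium", 90), ("open", 70)],
    "203.0.113.7": [("open", 40)],
}


def normalize(indicator: str, kind: str) -> str:
    """Transformations stage: canonical form so feed entries and events match."""
    value = indicator.strip()
    return value.lower().rstrip(".") if kind == "domain" else value


def score(indicator: str) -> int:
    """Weighted maximum across the sources that know the indicator; 0 if none do."""
    hits = INTEL.get(indicator, [])
    return max((round(SOURCE_WEIGHT[src] * s) for src, s in hits), default=0)


def prioritize(events, threshold: int = 50):
    """Enrich each event with its score and sources, keep only those at or
    above the threshold, highest score first. Raising the threshold is what
    cuts false positives: low-confidence, single-open-source hits drop out."""
    enriched = []
    for ev in events:
        ind = normalize(ev["indicator"], ev["type"])
        enriched.append({**ev, "indicator": ind, "score": score(ind),
                         "sources": [src for src, _ in INTEL.get(ind, [])]})
    kept = [e for e in enriched if e["score"] >= threshold]
    return sorted(kept, key=lambda e: -e["score"])


def to_destination(prioritized):
    """Destinations stage: the (indicator, score) pairs handed back to the
    detection or case management tool."""
    return [(e["indicator"], e["score"]) for e in prioritized]


if __name__ == "__main__":
    print(to_destination(prioritize(INTERNAL_EVENTS)))
```

With the default threshold only evt-1 reaches the destination; lowering it to 20 also lets the open-source-only IP hit through, which is the trade-off the threshold controls.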
This documentation applies to the following versions of Splunk® Mission Control: Current