Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Example workflows for Threat Intelligence Management in Splunk Mission Control

You can use the following high-level example workflows when creating an intelligence workflow in the Splunk Cloud Console. By creating an intelligence workflow, you can leverage Threat Intelligence Management in Splunk Mission Control. To find details on the stages of intelligence workflows, see Configure intelligence workflows for Splunk Mission Control to automate processing indicators.

Improve detection and reduce false positives

You can use the following high-level example workflow to make more accurate detections and reduce false positives with Threat Intelligence Management.

  1. From the Workflows page of your Splunk Cloud Console, create a new intelligence workflow, or edit an existing one.
  2. For the Sources stage, send the internal event data to Threat Intelligence Management. Use premium intelligence sources and open sources to normalize, score, and prioritize the event data.
  3. For the Transformations stage, prepare and prioritize data to identify malicious indicators.
  4. For the Destinations stage, send indicators and intelligence reports back to the detection tool and reduce false positive rates.

For more details on how to create, edit, or delete an intelligence workflow, see Create intelligence workflows to prioritize indicators.

Enrich data using threat intelligence sources

You can use the following high-level example workflow to enrich data using threat intelligence sources with Threat Intelligence Management.

  1. From the Workflows page of your Splunk Cloud Console, create a new intelligence workflow, or edit an existing one.
  2. For the Sources stage, send internal event data to Threat Intelligence Management to correlate with your historical, premium, and open intelligence sources.
  3. For the Transformations stage, enrich and prioritize events with prepared and normalized data from your intelligence sources.
  4. For the Destinations stage, automate and streamline the exchange of data between Threat Intelligence Management and your case management tools. Use a link to jump to the Threat Intelligence Management web app and view original intelligence reports and correlation with other intelligence sources.

For more details on how to create, edit, or delete an intelligence workflow, see Create intelligence workflows to prioritize indicators.

Last modified on 22 February, 2023
 

This documentation applies to the following versions of Splunk® Mission Control: Current

