Splunk® Intelligence Management (Legacy)

Developer Guide


The Splunk Intelligence Management REST API enables you to easily synchronize report information available in Splunk Intelligence Management with the monitoring tools and analysis workflows you use in your infrastructure. All API access is over HTTPS, and all data is transmitted securely in JSON format.

Changes in version 2.0

Version 2.0 introduces some changes from previous versions of the Splunk Intelligence Management REST API:

  • Support for Intel Workflows
  • Introduces the term Submission to cover Intelligence Sources, Events, and Indicators. Some endpoints can be used for any Submission, while other endpoints are specific to one type of Submission, for example, Submission Event endpoints.
  • Replaces Reports with Intelligence
  • Replaces Whitelists with Safelists

Related links

API coverage

The API provides endpoints for these functional areas of the Splunk Intelligence Management platform:

Function Description
Authentication Endpoints for Authentication (API Key and API Secret).
Common Ping command
Enclave Gets a list of Enclaves that the user has permissions to access.
Safelist Endpoints to create a new Safelist library, add or delete entries, and delete a Safelist library. Other endpoints support migrating the Company whitelist to a Safelist library, retrieve a Safelist library by its GUID, parse terms from a chunk of text, and get the list of summaries for the Safelist libraries for your organization.
Indicators Endpoints to search for Indicators and update tags.
Observable Endpoints to get observables in a submission, search for observables, and remove or add tags to an observable.
Submission Endpoints for submissions (Intelligence Sources, Events, or Indicators) that you can use to get status, search, redact text, or alter tags.
Submission Event Endpoints to create, update, upsert, find, or delete Events.
Submission Indicators Endpoints to create, update, upsert, find, or delete Indicators.
Submission Intelligence Endpoints to create, update, upsert, find, or delete Intelligence.
Workflow Endpoints that support Intel Workflow functionality.
Last modified on 16 March, 2023
REST API v1.3  

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters