Splunk® Intelligence Management (Legacy)

Welcome to Splunk Intelligence Management

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Add intelligence to improve data quality using Splunk Intelligence Management

The data management layer of Splunk intelligence Management helps you to combine your internal data with internal and external intelligence sources and provide automated threat intelligence. This helps to improve the quality of information that you exchange between Splunk Intelligence Management and your security tools.

The following figure indicates the various components of the data management layer within the multilayered architecture of Splunk Intelligence Management:

This figure displays the components of the data management layer in Splunk Intelligence Management.

What is internal data?

Internal data is the raw data generated within your organization, such as logs, emails, and network traffic. When you submit the raw data to Splunk Intelligence Management, it gets enriched and shared internally and externally to assist in security investigations and detections. Data submitted to Splunk Intelligence Management starts out as an event. Each event can contain observables.

What is threat intelligence?

Threat Intelligence provides an outside opinion or context to observables, such as maliciousness or attributes. Threat intelligence can include actors, campaigns, malware, Common Vulnerabilities and Exposures (CVEs), and other objects. You can combine external intelligence sources with your internal historical data to label and score internal events or suspicious alerts, which automates the process of investigation and accelerates your response to events.

Maximize the threat intelligence coverage, which is the surface area to which these intelligence sources add labels to unlabeled data in the form of scores or context. You can maximize coverage by choosing the best sources for your organization despite budget constraints.

Splunk Intelligence Management categorizes threat Intelligence into the following types:

  • Premium intelligence sources: Privately maintained sources that require some commercial relationship with the provider or membership in a group, such as an ISAC or ISAO. The providers of these sources are intelligence specialists who curate and disseminate valuable enriched intelligence.
  • Open Sources: Public data that is available to everyone, including blogs, RSS feeds, and open APIs. These sources are less curated and provide less valuable labels such as scores.
  • Internal Intelligence: The organization's curated historical data from incidents and investigations. Internal intelligence can include internally generated reports, closed cases, tickets, phishing emails, and associated tags. Internal intelligence is the most valuable intelligence resource for your security workflow as compared to external sources because they contain the most relevant and approved context. Internal intelligence helps to evaluate observables and events in raw data sources such as logs and network traffic and help to decide how to prioritize such events in the future.


To learn more about the commonly used terminology in Splunk Intelligence Management, see Glossary.

See also

Last modified on 16 March, 2023
PREVIOUS
Automate security operations using Splunk Intelligence Management 		  NEXT
Normalize data from multiple sources using Splunk Intelligence Management

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters