Splunk® Intelligence Management (Legacy)

User Guide

Use enclaves to organize your intelligence sources

Enclaves organize all your intelligence sources into a system of cloud-based repositories with strict access controls. These enclaves are flexible and customizable to meet your organization's unique data analysis, sharing, and access control needs.

Types of enclaves

While Enclaves are flexible and each organization can create their own enclave architecture, typical enclaves include but are not limited to the types listed here.

Private Enclaves

A private Enclave stores your internal data in Splunk Intelligence Management. No one outside of your organization can access your private Enclaves. You can set up multiple Enclaves to meet your needs. For example, you might have one Enclave that stores uploaded lists of IP addresses you have collected from previous investigations and a second Enclave that stores email addresses that your organization has determined belong to spammers.

You can use one Enclave to store source data and then copy the enriched data to a different (vetted) Enclave and use that Enclave's data in your investigations. For example, the Phishing Triage feature uses a Phishing Enclave to store submitted emails and then copies emails that have been enriched to the Phishing Vetted Indicators Enclave.

Sharing community enclaves

This type of Enclave is shared across ISAC/ISAOs and the intelligence in that Enclave is available to any member of the specified organization.

Splunk Intelligence Management community enclaves

The Splunk Intelligence Management community enclaves are available to all users, and anyone can submit information to them. For example, the COVID-19 OSINT Community Enclave was created by Splunk Intelligence Management to aid in identifying bad actors and malicious data related to the COVID-19 pandemic. When copying data from a private enclave to a public enclave, you can choose to redact information to protect the privacy of your sources before it leaves your organization.

Intelligence source enclaves

When you subscribe to an external intelligence source, such as IBM QRadar or FS-ISAC, the intelligence they provide is stored in separate Enclaves, one per source. This enables you to pick and choose the intelligence sources you want to use when conducting investigations.

For more information, see the Intro to Intelligence Sources.

Selecting enclaves

The Filter and Refine panel lists the Enclaves you have access to by type.

Filter                 Description
My Enclaves            Lists the Enclaves that you own or that have been shared with you by others.
Premium Intel          External intelligence sources that require a subscription to access and use. These include Premium Intelligence and Open Sources.
Open Sources (OSINT)   External intelligence sources that are free to all users. You may need to register with a specific organization to gain access to an enclave.

Enclave limits

There are no limitations on the amount of data that can be stored in an Enclave.

Splunk Intelligence Management does have a limit of 500 Indicators per event or Intel Report submitted through an internal/external feed. You can use the bulk upload feature to upload, tag, and categorize up to 10,000 Indicators at a time.
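The two rules above that matter when you copy intelligence from a private Enclave into a community Enclave are that source-identifying details should be redacted first, and that each submission carries at most 500 Indicators (10,000 for a bulk upload). The following Python example, added here and not part of Splunk Intelligence Management or its SDK, prepares such a hand-off locally: it strips internal hostnames and email addresses from the report text, drops indicators that would themselves reveal the source, and splits the remainder into batches that respect the limit. The internal domain `corp.example`, the placeholder strings, and the sample report and indicator list are all constructed for illustration; the actual submission call into the product is not shown.

```python
import re

# Limits stated on this page for submissions into an enclave.
MAX_INDICATORS_PER_REPORT = 500          # per event or Intel Report submitted through a feed
MAX_INDICATORS_PER_BULK_UPLOAD = 10_000  # per bulk upload

# Hypothetical internal domain (assumption for this example); anything under it
# identifies your own sources and must not be copied into a community enclave.
INTERNAL_DOMAIN = "corp.example"

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")
# Hostnames with at least one label in front of the internal domain, e.g. mail.corp.example
INTERNAL_HOST_RE = re.compile(
    r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(INTERNAL_DOMAIN) + r"\b", re.IGNORECASE)


def is_internal(value: str) -> bool:
    """True for an email address or hostname that belongs to INTERNAL_DOMAIN."""
    host = value.lower().rsplit("@", 1)[-1]
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def redact(text: str) -> str:
    """Replace internal email addresses and hostnames in free text with placeholders.
    External addresses (for example a partner ISAC analyst) are left untouched."""
    text = EMAIL_RE.sub(
        lambda m: "[REDACTED-INTERNAL-EMAIL]" if is_internal(m.group(0)) else m.group(0), text)
    return INTERNAL_HOST_RE.sub("[REDACTED-INTERNAL-HOST]", text)


def chunk_indicators(indicators, limit=MAX_INDICATORS_PER_REPORT):
    """Drop blanks, duplicates and internal identifiers, then split into batches of at most `limit`."""
    if limit < 1:
        raise ValueError("limit must be positive")
    seen, unique = set(), []
    for raw in indicators:
        value = raw.strip()
        if not value or value in seen or is_internal(value):
            continue
        seen.add(value)
        unique.append(value)
    return [unique[i:i + limit] for i in range(0, len(unique), limit)]


def prepare_submissions(title, body, indicators, bulk_upload=False):
    """Build the list of submissions needed to move one report from a private enclave
    into a community enclave without exceeding the per-submission indicator limit."""
    limit = MAX_INDICATORS_PER_BULK_UPLOAD if bulk_upload else MAX_INDICATORS_PER_REPORT
    clean_body = redact(body)
    batches = chunk_indicators(indicators, limit)
    total = len(batches)
    return [
        {
            "title": f"{title} ({n}/{total})" if total > 1 else title,
            "body": clean_body,
            "indicators": batch,
        }
        for n, batch in enumerate(batches, start=1)
    ]


# Constructed sample: 1,203 unique hash-like indicators, plus one duplicate, one blank
# entry and one internal hostname that must never reach the community enclave.
SAMPLE_INDICATORS = [f"{i:032x}" for i in range(1203)] + [f"{7:032x}", "   ", "build01.corp.example"]
SAMPLE_BODY = ("Phishing lure observed at mail.corp.example; reported by soc@corp.example "
               "and confirmed with analyst@partner-isac.org.")

SUBMISSIONS = prepare_submissions("Phishing wave, April 2022", SAMPLE_BODY, SAMPLE_INDICATORS)

if __name__ == "__main__":
    for s in SUBMISSIONS:
        print(s["title"], len(s["indicators"]), "indicators")
    print(SUBMISSIONS[0]["body"])
```

With the sample input the report is split into three submissions of 500, 500 and 203 Indicators, the internal host is dropped from the indicator list, and the body keeps the partner analyst's address while both internal identifiers are replaced. Passing `bulk_upload=True` applies the 10,000 limit instead, so the same list fits in a single upload.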

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
