Use enclaves to organize your intelligence sources
Enclaves organize all your intelligence sources into a system of cloud-based repositories with strict access controls. These enclaves are flexible and customizable to meet your organization's unique data analysis, sharing, and access control needs.
Types of enclaves
While Enclaves are flexible and each organization can create their own enclave architecture, typical enclaves include but are not limited to the types listed here.
A private Enclave stores your internal data in Splunk Intelligence Management . No one outside of your organization can access your private Enclaves. You can set up multiple Enclaves to meet your needs. For example, you might have one Enclave that stores uploaded lists of IP addresses you have collected from previous investigations and a second Enclave that stores email addresses that your organization has determined are spammers.
You can use one Enclave to store source data and then copy the enriched data to a different (vetted) Enclave and use that Enclave data in your investigations. For example, the Phishing Triage uses a Phishing Enclave to store submitted emails and then copies emails that have been enriched to the Phishing Vetted Indicators Enclave.
Sharing community enclaves
This type of Enclave is shared across ISAC/ISAOs and the intelligence in that Enclave is available to any member of the specified organization.
Splunk Intelligence Management community enclaves
The Splunk Intelligence Management community enclaves are are available to all users, and anyone can submit information to this Enclave. For example, the COVID-19 OSINT Community Enclave was created by Splunk Intelligence Management to aid in identifying bad actors and malicious data related to the COVID-19 pandemic. When copying data from a private enclave to a public enclave, you can choose to redact information to protect the privacy of sources.
Intelligence source enclaves
When you subscribe to an external intelligence source, such as IBM QRadar or FS-ISAC, the intelligence they provide is stored in separate Enclaves, one per source. This enables you to pick and choose the intelligence sources you want to use when conducting investigations.
For more information, see the Intro to Intelligence Sources.
The Filter and Refine panel lists the Enclaves you have access to by type.
|Lists the Enclaves that you own or that have been shared with you by others.
|External intelligence sources that require a subscription to access and use. These include Premium Intelligence and Open Sources.
|Open Sources (OSINT)
|External intelligence sources that are free to all users. You may need to register with a specific organization to gain access to an enclave.
There are no limitations on the amount of data that can be stored in an Enclave.
Splunk Intelligence Management does have a limit of 500 Indicators per event or Intel Report submitted through an internal/external feed. You can use the bulk upload feature to upload, tag, and categorize up to 10,000 Indicators at a time.
Use an auto-safelist to remove URLs and IPs that are not useful
Use the redaction library to modify reports
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current