Splunk® Intelligence Management (Legacy)

User Guide


Refine intelligence reports and indicators in Splunk Intelligence Management

Use the Filter and Refine panel in the Splunk Intelligence Management web app to narrow the results you are working with to specific enclaves, date ranges, and intelligence sources while viewing intelligence reports or indicators.

Scroll down to see all the options available to you in the Filter and Refine panel. For example, you can select two or three Open Source Intelligence (OSINT) sources at once. The default view for intelligence reports and indicators is Last 90 Days. Change the Date Last Seen filter to view all the available results.

Follow these guidelines to navigate the Filter and Refine panel in the Splunk Intelligence Management web app:

  • Expand or hide a section by using the arrows at the top corner of the section.
  • Select an individual item in a section by clicking it so that a checkmark appears, indicating that the item is now selected.
  • Select all the items in a section by clicking Select All. Click Select All again to deselect everything in that section.
  • View the number of selected filters for each category next to the category name. For example, Premium Intel Feeds (4) means that you have selected four premium intelligence enclaves, which excludes every other enclave you have access to in that category for the current investigation.
  • Clear all filters by clicking the Reset to Default Filters button at the bottom of the panel.

Persist filters to refine intelligence reports

Selected filters are automatically applied across all searches, intelligence reports, and indicators. Selecting filters in any category applies the same filters to every investigation. For example, filtering to display only EU-CERT intelligence in the Reports view also displays only intelligence reports and indicators from EU-CERT, and searches run only against the EU-CERT enclave.

If you search for a specific item and do not see expected results, check the filters to verify the enclaves and date range parameters for the search.

Available filters to refine intelligence reports

Use the following table to identify the different types of filters available in the Filter and Refine panel of Splunk Intelligence Management web app:

Filter: Description

My Enclaves
  Filters to enclaves that you own or that others have shared with you.

Premium Intel
  Filters using external intelligence sources that require a subscription to access and use. These include premium intelligence and open sources.

Open Sources (OSINT)
  Filters using external intelligence sources that are free to all users. You might have to register with a specific organization to gain access to an enclave.

Tags
  Filters data by tags using AND logic, so a result must carry every selected tag. Use the Search bar to find and select relevant tags.

MITRE ATT&CK
  Filters using MITRE ATT&CK tags. Use the Search bar to find and select relevant tags. See the MITRE ATT&CK website for information on using the MITRE ATT&CK platform and tags.

Date Last Seen (Reports)
Date Last Seen (Indicators)
  Filters by a date range, from a single day up to all available dates. Splunk Intelligence Management defines the maximum date range in epoch milliseconds, starting from Jan. 1st, 1970.

IOC type
  Filters by the type of Indicator of Compromise (IOC), which helps determine the extent of an attack and the data breached.
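To make the filter semantics in the table concrete, here is an added Python illustration that is not part of this documentation or of the Splunk Intelligence Management product. It models a handful of constructed reports and applies the three behaviours the table describes: enclave selection (a result must belong to one of the selected enclaves), tag filtering with AND logic (a result must carry every selected tag), and a Date Last Seen range expressed in epoch milliseconds, including the default Last 90 Days window. The record layout, field names and sample values are assumptions made for the example.

```python
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple


def to_epoch_ms(iso_date: str) -> int:
    """Convert a YYYY-MM-DD date (interpreted as UTC) to epoch milliseconds since 1970-01-01."""
    dt = datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


# Constructed sample reports for the example (hypothetical data, not real product records).
SAMPLE_REPORTS: List[Dict] = [
    {"id": "r1", "enclave": "EU-CERT", "tags": {"phishing", "credential-theft"},
     "last_seen_ms": to_epoch_ms("2022-07-15")},
    {"id": "r2", "enclave": "EU-CERT", "tags": {"phishing"},
     "last_seen_ms": to_epoch_ms("2022-06-01")},
    {"id": "r3", "enclave": "My Enclave", "tags": {"phishing", "credential-theft"},
     "last_seen_ms": to_epoch_ms("2022-01-10")},
    {"id": "r4", "enclave": "OSINT Feed", "tags": {"malware"},
     "last_seen_ms": to_epoch_ms("2022-07-20")},
]


def default_window(now_ms: int, days: int = 90) -> Tuple[int, int]:
    """Return the (start, end) epoch-millisecond pair for the default 'Last N Days' view."""
    return now_ms - days * 24 * 60 * 60 * 1000, now_ms


def refine(reports: Iterable[Dict],
           enclaves: Optional[Set[str]] = None,
           tags: Optional[Set[str]] = None,
           start_ms: Optional[int] = None,
           end_ms: Optional[int] = None) -> List[str]:
    """Return the ids of reports that pass every active filter.

    - enclaves: a report must belong to one of the selected enclaves (OR within the category).
    - tags: a report must carry every selected tag (AND logic, as the table states).
    - start_ms/end_ms: inclusive Date Last Seen bounds in epoch milliseconds.
    A filter left as None is inactive, mirroring a category with nothing selected.
    """
    selected: List[str] = []
    for report in reports:
        if enclaves is not None and report["enclave"] not in enclaves:
            continue
        if tags and not set(tags).issubset(report["tags"]):
            continue
        if start_ms is not None and report["last_seen_ms"] < start_ms:
            continue
        if end_ms is not None and report["last_seen_ms"] > end_ms:
            continue
        selected.append(report["id"])
    return selected


if __name__ == "__main__":
    # Default view: Last 90 Days relative to a constructed "now" of 2022-08-03.
    start, end = default_window(to_epoch_ms("2022-08-03"))
    print("last 90 days:", refine(SAMPLE_REPORTS, start_ms=start, end_ms=end))
    # Tag AND logic: only reports carrying both tags survive.
    print("both tags:", refine(SAMPLE_REPORTS, tags={"phishing", "credential-theft"}))
    # Enclave plus tag filters combine across categories, as the persisting-filters section describes.
    print("EU-CERT + credential-theft:", refine(SAMPLE_REPORTS, enclaves={"EU-CERT"}, tags={"credential-theft"}))
```

The point worth noticing is the asymmetry: selecting several enclaves widens the result set (any selected enclave matches), while selecting several tags narrows it (all selected tags must be present). That is why an investigation that unexpectedly returns nothing is often a tag selection that is too strict, or a Date Last Seen window still sitting on the 90-day default.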

For information on accessing the various features of the Splunk Intelligence Management app, see Overview of the Splunk Intelligence Management web app.

Last modified on 03 August, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
