Intelligence sources in Splunk Intelligence Management
The Splunk Intelligence Management platform combines your internal intelligence data with external sources to provide a holistic view of security threats facing your organization. You can easily compare what you're seeing internally with what others are spotting in the larger world outside your network.
Splunk Intelligence Management can ingest your internal threat intelligence data, extract more than 14 types of observables, and quickly correlate and enrich the data using your own internal sources as well as external sources to identify and prioritize malicious indicators and security threats.
To learn about the different types of intelligence sources available in the Splunk Intelligence Management Marketplace, how to subscribe to the intelligence sources, and how Splunk Intelligence Management downloads intelligence, see the following video: Working with intelligence sources
Internal intelligence sources
Enterprise security teams often overlook the value of internal threat intelligence data. The most valuable intelligence you have is your organization's historical data about previous events in your network security architecture. Not the raw information from network traffic or data logs, but the historical events unique to your enterprise: incident reports, tickets, cases, and suspicious emails. Captured over time, your internal data can reveal patterns and insights unique to your organization.
External intelligence sources
External intel sources provide information about maliciousness through feeds and reports on actors, campaigns, malware based on external knowledge and often proprietary techniques. These external intel sources are useful for calibrating "ground truth" on maliciousness.
Splunk Intelligence Management offers two types of external sources through the Splunk Intelligence Management Marketplace:
- Open sources are available to anyone without any type of access key or subscription fee. These sources include blogs, RSS feeds, and open APIs. Because they are open, they can be less curated and monitored, which can increase the signal-to-noise ratio and provide less value because the burden of data cleanup and analysis largely falls on the end-user.
- Premium Intelligence Sources are closed sources that are available only if you have a commercial relationship (such as a paid license or subscription) or hold membership in a group such as an ISAC/ISAO. These sources are curated and enriched by the organizations and typically provide more value and usable intelligence to the end-user. Splunk Intelligence Management's Premium Intelligence sources included both third-party providers and groups like RH-ISAC.
Premium intelligence sources
Following is a list of premium intelligence sources supported by Splunk intelligence Management:
- Intel 471: Adversary Intelligence
- Intel 471: malware Intelligence
- Intel 471 Alerts
- IBM XForce
- IBM Security SOAR
- AWS GuardDuty
- Cybersource, a VISA solution
- Shape, part of F5
- Bambenek Consulting: Bambenek C2 Domain Feed
- Bambenek Consulting: Bambenek C2 IP Feed
- Bambenek Consulting: Bambenek C2 DGA Domain Feed
- Recorded Future: Vulnerability List
- Cisco: AMP Threat Grid
- Crowdstrike Falcon Detection
- Crowdstrike Falcon Intelligence
- Crowdstrike Falcon Reports
- Alien Vault Open Treat Exchange
- Alien Vault OTX Plus
- RISKIQ Blacklist Lookup
- Digital Shadows
- NCFTA Cyfin
- NCFTA TNT
The information provided by an intelligence source depends on the technology partner's focus. Most intelligence sources' reporting include IP address and URL data, and some include malware-focused information, such as MD5, SHA1, SHA256. The Knowledgebase document for each intelligence source contains specific details on what information is provided by that partner to Splunk Intelligence Management customers.
- Normalized Scoring for IOCs explains how scores for IOCs across different external intelligence sources are converted into a single Splunk Intelligence Management IOC Scoring scale.
- How Intelligence Sources are Updated explains feed-based vs. query-based updates to enclaves.
How intelligence sources are updated
External intelligence sources are classified by the way their information are updated:
- Feed-based: Automatic polling of the source provider for new updates
- Query-based: Submitting a new report and triggering queries to the source provider.
An intelligence source that is feed-based has its enclave automatically and regularly updated by Splunk Intelligence Management. Think of a feed-based source as similar to a news feed; all the information is streamed from the source provider (for example, Alienvault OTX Pulse) into an enclave without any need for you to request updates.
Reports in a feed-based enclave can focus on a single observable but they usually include multiple observables, their relationships to each other, and their relationships to security events or malware or threat-actors.
How it works
When you submit a new report to a private enclave, Splunk Intelligence Management extracts all observables and checks all feed-based enclaves available to you. The information from those enclaves is shown as nodes within an event analysis so that you can easily explore correlations between your own data and the subscribed feeds. You can click on any data point to reveal additional context and links directly to the associated report in a specific enclave.
Updating the enclave
Splunk Intelligence Management queries the partner's data source on a regular basis and updates the enclave with that information. The update interval can be anywhere from 10 minutes to 2 hours to 24 hours, based on how often the partner updates the source data at their end.
An intelligence source that is query-based is only updated when a new report is submitted to any private enclave. Splunk Intelligence Manageent extracts the observables from the report and then requests enrichment from the intel source provider. Information from the source is then added to the intel source enclave and as a correlation to the submitted report.
Query-based source reports usually focus on a single observable and that observable is usually included in the title of the report. A report may contain multiple observables in the report body, usually to provide context about the relationship of those observables to the title (or main) observable.
How it works
When you submit a new report, Splunk Intelligence Management extracts the observables in that report. Those observables are then sent as queries to the partner and the results stored in the enclaves for that intelligence source. For example, if you subscribe to both VirusTotal and AlienVault , then observables from a new report are sent to VirusTotal and Alienvault for enrichment. The information VirusTotal sends back is stored in your VirusTotal (premium source) enclave and the AlienVault information is stored in your AlienVault (premium source) enclave.
The process of extracting the observables from a new report and querying sources can take 15-20 minutes. It can take up to 70 additional minutes for that enrichment to be available to workflow application integrations such as Splunk Intelligence Management's integrations with Splunk Enterprise Security, IBM Resilient, and ServiceNow. This is why those integrations' documentation will mention that best practice is to enrich a Splunk ES notable event 90 minutes after it was initially sent to the user's Splunk ES Notable Events enclave, or re-enrich a Jira / ServiceNow ticket 90 minutes after it was initially created.
Updating the enclave
Query-based enclaves are not automatically updated with new information from sources. Data is only added to these enclaves when a new report is submitted to the private enclave, observables found by Station in that report, sources queried for enrichment, and the sources' responses stored in their enclaves in Station. Note: if a query-based source does not have any information about a particular observable, no report will be created about that observable in the source's enclave. This is sometimes interpreted by the user as Station failing to fetch (query) information from the source about the observable; however, reality is that the source didn't have any information about that data.
Open source intelligence tech specs
Open Source Intelligence does not require any licensing to use. Each source is updated automatically at the frequency shown in the middle column. Open Source Intelligence Enclaves do not include summary tables and attributes are not parsed.
|Intelligence Source||Update Frequency||Indicators Retrieved|
|Abuse.ch IP Blacklist||15 min||IP, MALWARE, URL|
|BroadAnalysis||15 min||DOMAIN, IP|
|Abuse.ch Ransomware||15 min||IP, MALWARE, URL|
|Abuse.ch SSL Blacklist||15 min||IP, MALWARE, URL|
|AIS - DHS||15 min||See List 1 below|
|EU-CERT||15 min||See List 1 below|
|Hail_a_Taxii||60 min||See List 1 below|
|Hybrid Analysis_Public Feed||3 hours||MALWARE, MD5, SHA1, SHA256, URL|
|Infosec Island||15 min||*See list below|
|Internet Storm Center (ISC)||15 min||See List 1 below|
|Malwarebytes||15 min||MALWARE, SOFTWARE|
|NIST NVD||15 min||CVE, IP, Domain, URL|
|PacketStorm||15 min||See List 1 below|
|Unit 42 (Palo Alto Networks)||15 min||See List 1 below|
|US-CERT||15 min||See List 1 below|
List 1 Observables
- BITCOIN ADDRESSES
- CIDR BLOCK
- EMAIL ADDRESS
- REGISTRY KEY
- SHA1 and SHA256
- URL and DOMAIN
Use the redaction library to modify reports
Digital risk and ATO intelligence sources
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current