Splunk® Intelligence Management (Legacy)

User Guide

Tag, bulk upload, export, and safelist indicators

Indicators are critical to making accurate decisions throughout the investigative workflow, but effectively managing large numbers of them can be a daunting challenge. Splunk Intelligence Management streamlines Indicator management throughout the entire workflow, with support for:

  • Tagging Indicators
  • Bulk uploading up to 10,000 Indicators, including additional context data
  • Exporting Indicators
  • Safelisting Indicators

Tag indicators

You can add tags to Indicators to aid in investigations or to make filtering and sorting easier for your organization's workflow.

  • Click on an item in the IOC list view. This opens up the Graph view for that item.
  • Click the plus sign to the right of the word Tags in the Details panel.
  • In the Manage Indicator Tags dialog box, add the desired tag(s) to the Indicator. Tags are automatically saved as soon as you enter them.
  • To exit the Manage Indicator Tags popup, click anywhere in the Splunk Intelligence Management window.

The new tags are now displayed just below Tags.

Upload indicators

You can upload and submit Indicators to Splunk Intelligence Management Station using any of the following methods:

  • Use the Splunk Intelligence Management API
  • Use Splunk Intelligence Management Station to upload a simple list of Indicators
  • Use Splunk Intelligence Management Station to upload a list of Indicators and related information.

Uploading with the API

Follow the API guide: https://docs.splunk.com/Documentation/SIM/current/Develop/RESTv20

Uploading a Simple List

This process uploads a simple list of Indicators, without any contextual information attached.

  1. Click Submit in the top navigation bar.
  2. Click Submit Indicator on the dropdown menu.
  3. Click the box listing the format you will use to upload the list.
    1. Upload IOC Spreadsheet (.csv or .xls file formats)
    2. Upload file (any of these extensions: DOC, PDF, TXT, JSON, XML)
    3. Add text (freeform copy and paste)
  4. Upload the data by following the instructions on the Upload Data screen.
  5. Click Next.
  6. Select the enclaves where you want to store the Indicators. You can also add tags to the Indicators in this step.
  7. Click Submit.

Splunk Intelligence Management emails you after the list is processed and the new data is available for analysis and investigation. The email will show how many Indicators were processed during the import. You will be able to go to the Explore view and start browsing through the list and apply various Enclave and Tag filters.

Uploading a List with Context Information

If you have been collecting historical context for Indicators, such as first seen, last seen, sightings etc., you can bring that information into Splunk Intelligence Management as part of the upload.

  1. Create an XLS or CSV file with six columns with titles that exactly match the bold text in each bullet below:
    • Value: Indicator
    • Source: text indicating where this Indicator was collected from
    • Notes: text of any notes to be added to the Indicator
    • First Seen: must be a numeric value
    • Last Seen: must be a numeric value
    • Sightings: count of how many times the Indicator has been observed in a specific campaign, TTP or threat activity. Must be a numeric value.
    • Tags: text that will label the Indicator with a tag. To apply multiple tags, separate them by adding additional columns (i.e., Tag_1, Tag_2, etc.)

    See the example below for exact formatting requirements.

    It is not necessary to provide all this information to use this feature. You must have all the columns named as shown, but any empty fields beneath them are ignored during the upload process.

  2. Enter your data in the rows below the title row and then save the file.
  3. Click Submit in the top navigation bar.
  4. Click Submit Indicator on the dropdown menu.
  5. Select the Upload IOC Spreadsheet option.
  6. Drag and drop the file into the dialog box. If the file submission is invalid, you will be asked to correct the file. Check that the file meets these conditions:
    • Contains the Value column header.
    • Contains between 1 and 10,000 rows of data.
    • Values in the First Seen, Last Seen, and Sightings columns must be numbers.
  7. Select the enclaves you want to upload to.
  8. (Optional) Add any tags you want associated with all of the Indicators.
  9. Click Submit.

You will be sent an email notification after the entire list is processed and is available for analysis and investigation. The email will have the details of how many Indicators were processed. You can then go to the Explore view and start browsing through the Indicators and apply various Enclave and Tag filters.
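As an added example (not part of the Splunk documentation or product), the following script pre-checks a context-information spreadsheet against the conditions listed above before you drag it into the Upload IOC Spreadsheet dialog: every column title present, between 1 and 10,000 data rows, and only numeric values in First Seen, Last Seen, and Sightings (empty cells are skipped, since the upload ignores them). It assumes "numeric" means an integer or decimal string, treats all seven titles as required, and uses constructed sample rows with reserved documentation addresses; the column names come from the page.

```python
import csv
import io
import re

# Column titles the context-information upload expects, exactly as the page names them.
REQUIRED_HEADERS = ["Value", "Source", "Notes", "First Seen", "Last Seen", "Sightings", "Tags"]
NUMERIC_HEADERS = ["First Seen", "Last Seen", "Sightings"]
MAX_ROWS = 10_000
_NUMBER = re.compile(r"-?\d+(\.\d+)?")   # assumption: integer or decimal counts as numeric
_TAG_COLUMN = re.compile(r"Tags|Tag_\d+")  # 'Tags' plus the extra Tag_1, Tag_2, ... columns


def validate_ioc_csv(text):
    """Check CSV text against the upload conditions; return a list of problems ([] means OK)."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    for header in REQUIRED_HEADERS:
        if header not in headers:
            problems.append(f"missing column header: {header!r}")
    rows = list(reader)
    if not 1 <= len(rows) <= MAX_ROWS:
        problems.append(f"row count {len(rows)} is outside 1..{MAX_ROWS}")
    for line_no, row in enumerate(rows, start=2):  # line 1 is the title row
        for header in NUMERIC_HEADERS:
            cell = (row.get(header) or "").strip()
            # Empty fields are ignored by the upload, so only non-empty cells are checked.
            if cell and not _NUMBER.fullmatch(cell):
                problems.append(f"line {line_no}: {header!r} must be numeric, got {cell!r}")
    return problems


def tag_columns(text):
    """Return the header names that will be read as tags: 'Tags' and any Tag_N columns."""
    headers = csv.DictReader(io.StringIO(text)).fieldnames or []
    return [h for h in headers if _TAG_COLUMN.fullmatch(h)]


# Constructed sample files (TEST-NET addresses and a reserved domain, not real indicators).
GOOD_CSV = """Value,Source,Notes,First Seen,Last Seen,Sightings,Tags,Tag_1
198.51.100.7,internal sensor,seen in phishing wave,1686614400,1686700800,3,phishing,campaign-a
example.test,analyst note,,1686614400,,,,
"""
BAD_CSV = """Value,Source,Notes,First Seen,Last Seen,Sightings
203.0.113.9,feed,,yesterday,1686700800,three
"""

if __name__ == "__main__":
    for name, data in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(name, "->", validate_ioc_csv(data) or "passes upload checks")
```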

Exporting indicators

You can export lists of Indicators from the IOCs Panel in the following ways:

  • From the List View, based on the current filters.
  • From the Graph View, based on an Indicator tag selection.
  • When viewing a report.

The export option is limited to the most recent 10,000 Indicators.

Exporting from List View

To export the currently displayed list of Indicators, click the Export button on the far right of the menu bar.

This creates and downloads a .csv file containing the following information:

  • Indicator type
  • Value
  • Enclave ID
  • First seen timestamp
  • Last seen timestamp

Exporting from Graph View

To export the data from an Indicator you are viewing as a graph, click the download button in the top menu bar.

This creates and downloads a .csv file containing the type and value for that Indicator.

Safelisting indicators

You can add an indicator to your company safelist in either of the following ways:

  • While viewing a report in Constellation view
  • While viewing the details of an Indicator in a report or as a standalone Indicator.

Safelisting applies to both the Constellation view and to correlation counts. This feature does not support the use of wildcards or CIDR blocks.

Modifications to the safelist affect ALL users in your organization and are applied retroactively to all reports and Indicators stored in your Enclaves.

Safelisting from a Report

When viewing a report in Constellation view, the left panel shows a list of extracted Indicators. You can click on the eye icon to change the card view for each indicator, then click on the eye for each Indicator you want to safelist.

Safelisting from the Detail Panel

When viewing an Indicator in the Details panel, you can click on the three-dot menu in the upper right to display the menu and then choose Safelist on that dropdown menu.

This action is available whenever you are viewing the details of an Indicator, either from the Reports Constellation view or the IOC Constellation view.

Last modified on 13 June, 2023

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
