Search intelligence reports and indicators in Splunk Intelligence Management

Extract indicators in intelligence reports and enrich them with information from internal and external intelligence sources using Splunk intelligence Management. Use the Search bar on the Splunk Intelligence Management home page to find intelligence reports and indicators that might include a malware, IP address, email, and so on. You can also use a filter to apply enclaves, dates, tags, and indicators when searching.

Run a basic search

Running a basic search returns results that are a complete match to the specified term. The count of results returned appears directly under the Search bar.

• Click the IOC count to display the Indicators of Compromise (IOC) that contain the search term.
• Click the Reports count to display the intelligence reports that contain the search term.

The default time frame for searches is the last 30 days. Expand the Date Last Seen filter to view all the results available.

Search using wildcard characters

You can use the asterisk (*) wildcard character at the start or end of the search term to find partial matches. For example, if you want to search for all variants on a domain name, you can add a * after the main part of the domain. For example, you can use the term acme.* to find all occurrences of Acme URLs, regardless of whether they end in .com or .biz or another domain.

You can search on only two wildcard characters (*). For faster results, use only one wildcard character for each search. Using two wildcards might cause a delay in returning results.

Use long search terms

When searching reports, Splunk intelligence management considers search terms that contain more than 20 characters as a wildcard search or a long search term.

For example, if you use the search term abcdefg.hijklmnop.qrstuvwxyz.us when searching for reports, Splunk Intelligence Management returns results that matches the entire term. In this example, the more efficient search term might be qrstuvwxyz.us.

If the search term is less than 20 characters, Splunk intelligence Management performs a partial search and returns matches for any reports that contain the smaller term.

As a best practice while searching reports, keep searches under 20 characters or use a combination of characters and wildcards that are less than 20 characters in total.

The indexing of a term helps to determine how the syntax of the term appears in the body of the report. Therefore, when brackets such as <longsearchterm> wrap observables, a wildcard search such as longsearchterm*do not produce desired results. Alternatively, searching with the correct syntax such as <longsearchterm* produces the expected search results for the report.

Indicator searches always conduct partial searches, regardless of the length of the search term.

Run an advanced search

You can use operators like AND, OR, NOT and precedence as part of the match criteria. To use operators and precedence, you must type /tsquery before the search query.

Enter /tsquery followed by the search string that you want to use. Press the Enter key to start the search.

The following table lists the supported operators:

Splunk Intelligence Management uses the Elasticsearch Search Query String format. See Query String Query in Elasticsearch documentation

For information on accessing the various features of the Splunk Intelligence Management app, see Overview of the Splunk Intelligence Management web app.