Splunk® Intelligence Management (Legacy)

User Guide

Submit intelligence reports to add data to your enclaves

You can submit intelligence reports and add data to your enclaves using any of the following methods:

  • Enclave Inbox: Forward suspicious emails to Splunk Intelligence Management to get added enrichment.
  • Google Chrome Extension: Query or submit suspicious observables to Splunk Intelligence Management.
  • Slack App: Instantly query intelligence sources and submit data to Splunk Intelligence Management.
  • Manual Ingest: Submit any file format directly in Splunk Intelligence Management Station.
  • API / Python SDK: Write code to extract your intel from its storage location, transform it into a Splunk Intelligence Management Report object, then load it into a Splunk Intelligence Management enclave through the submit-report 1.3 API.

Some Splunk Intelligence Management Enterprise customers have access to application integrations that submit detections or investigations to enclaves as reports:

  • Splunk Intelligence Management App for Splunk Enterprise and Enterprise Security
  • Splunk Intelligence Management App for ServiceNow
  • Splunk Intelligence Management App for Demisto (XSOAR)
  • Splunk Intelligence Management App for Splunk SOAR (formerly Phantom)
  • Splunk Intelligence Management <> MISP integration

Submissions are limited to a maximum of 2,000 observables and a maximum file size of 2 MB.
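The API / Python SDK path above is an extract-transform-load job, and the two limits just stated are the checks a practitioner wants to enforce before calling the API. The following is an added example, not Splunk's SDK or the documented submit-report schema: the `Report` class, the payload field names, the observable patterns and the enclave ID are all constructed for illustration.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Submission limits stated in the documentation.
MAX_OBSERVABLES = 2000
MAX_REPORT_BYTES = 2 * 1024 * 1024  # 2 MB

# Constructed patterns used only to count what a report body would submit;
# they are not the product's own observable extractor.
OBSERVABLE_PATTERNS = [
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),            # IPv4
    re.compile(r"\b[a-fA-F0-9]{32}\b"),                     # MD5
    re.compile(r"\b[a-fA-F0-9]{64}\b"),                     # SHA-256
    re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),    # domain
]

@dataclass
class Report:
    """Hypothetical transform target mirroring the manual-submit fields (title, began, tags, enclave)."""
    title: str
    body: str
    enclave_id: str                        # placeholder; a real enclave ID comes from your Station
    time_began: Optional[datetime] = None  # None models the "Unknown" checkbox
    tags: List[str] = field(default_factory=list)

    def observables(self) -> List[str]:
        found = set()
        for pat in OBSERVABLE_PATTERNS:
            found.update(m.group(0).lower() for m in pat.finditer(self.body))
        return sorted(found)

    def to_payload(self) -> dict:
        # Field names are assumptions for illustration, not the documented submit-report 1.3 schema.
        return {
            "title": self.title,
            "reportBody": self.body,
            "enclaveIds": [self.enclave_id],
            "timeBegan": self.time_began.isoformat() if self.time_began else None,
            "tags": self.tags,
        }

def check_limits(report: Report) -> List[str]:
    """Return a list of limit violations (empty when the report is safe to submit)."""
    problems = []
    count = len(report.observables())
    if count > MAX_OBSERVABLES:
        problems.append(f"{count} observables exceeds the limit of {MAX_OBSERVABLES}")
    size = len(json.dumps(report.to_payload()).encode("utf-8"))
    if size > MAX_REPORT_BYTES:
        problems.append(f"payload is {size} bytes, over the 2 MB limit")
    return problems
```

Run `check_limits` on each transformed report and split or trim any report that returns violations instead of letting the API reject it.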

Email an intelligence report

You can email an Intelligence Report to one or more addresses at the time you create the Report or when you are viewing an existing Report in the Splunk Intelligence Management Web App.

Email a new report

When you are filling out the information to submit a new Report, you can share it with others by checking the Email Incident Report box on the second screen of the Report submission process.

When you click Submit, your default email client launches and emails the new Report to the specified addresses.

Email an existing report

To email a Report you are viewing, use this procedure.

  1. In the top left corner of the details panel, click the 3-dot icon to display a dropdown menu.
  2. Click Update Report. If you don't see this option, you do not have the user permissions to email or share this report.
  3. Click Next at the bottom of the Update Report window.
  4. Check the Email Incident Report box near the top right of the edit screen.
  5. Click Submit to finish the update.
  6. In the warning box that displays, click Yes, I'm sure to continue.
  7. In your email client window, enter the email addresses you want to send this report to.

    Email addresses you enter are not saved in the Report or in Splunk Intelligence Management. If you want to send updated versions of this report later, you must repeat the above procedure.

  8. After the email is sent, you are returned to Splunk Intelligence Management and see this text box.
  9. Choose which option you want (usually No, cancel) to finish this procedure.

Manually submit a report

Perform the following steps to manually submit an intelligence report:

  1. Click Submit in the top right of the main screen, then choose Report from the drop-down.
  2. Enter text in the Report Title field. If you are going to upload a file, you can leave this field blank and the title is populated automatically with that file name.
  3. Set the Incident Began information. If you don't know the date, click the Unknown checkbox above.
  4. Add any tags you want to include in the Tags field.
  5. Input data for the Report. Upload your data by clicking Paste Text and then copying and pasting content directly into the text field, or by dragging and dropping a file into the Upload File field. You can upload a JSON, DOC, DOCX, XML, XLS, XLSX, EML, MSG, CSV, PDF, STIX, TAXII, or TEXT file. If you upload a file and need to correct its data, click the Paste Text tab to edit it.
  6. After you have added this data, click Next.
  7. Use the Submit to Enclave dropdown list to choose the enclave where you want to store the report.
  8. Click Email Incident Report if you want to send a copy of the report to specific addresses. See Emailing a Report for more details on this option.
  9. (Optional) Redact the information from the Report, if desired. For details on redacting information, see Redacting Data from a Report.
  10. Click Submit Report to finish your entry and submit the report to the enclave you selected.

To learn how to manually submit intelligence using the Splunk Intelligence Management web app, see the following video: Manually submit intelligence

Last modified on 27 June, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
