Splunk® Intelligence Management (Legacy)

User Guide


Threat intelligence sources

Splunk Intelligence Management supports the following sources for threat intelligence:

All the listed intelligence sources are compatible with intelligence workflows.

AbuseIPDB

Set up the AbuseIPDB premium intelligence source in Splunk Intelligence Management.

AbuseIPDB is a project that helps combat the spread of hackers, spammers, and abusive activity on the internet by providing a central blacklist for IP addresses that have been associated with malicious activity online.

The integration with Splunk Intelligence Management enables you to view AbuseIPDB IP addresses as Splunk Intelligence Management reports.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to install: 10 minutes

Supported observables

  • IP addresses

Requirements

  • A freemium or paid subscription to AbuseIPDB
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side Navigation Bar.
  3. Select Premium Intel to view the available feeds.
  4. Click Subscribe on the Abuse IPDB box.
  5. Enter your Abuse IPDB API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

AlienVault OTX

Set up the AlienVault OTX premium intelligence source in Splunk Intelligence Management.

Alien Labs® Open Threat Exchange® (OTX™) is the world's first and largest truly open threat intelligence community of more than 100,000 threat researchers and security professionals in 140 countries. The OTX delivers more than 19 million threat indicators daily.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • IP
  • CVE
  • MD5
  • SHA1
  • SHA256
  • URL

Requirements

  • A subscription to AlienVault OTX
  • AlienVault OTX API Key
  • Splunk Intelligence Management administrator rights are required to activate this closed source feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel to view the available feeds.
  4. Click Subscribe on the AlienVault OTX box.
  5. Enter your AlienVault API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

AlienVault OTX Pulse

Set up the AlienVault OTX Pulse premium intelligence source in Splunk Intelligence Management.

Alien Labs® Open Threat Exchange® (OTX™) is the world's first and largest truly open threat intelligence community of more than 100,000 threat researchers and security professionals in 140 countries. The OTX delivers more than 19 million threat indicators daily.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management

Requirements

  • A subscription to AlienVault OTX
  • AlienVault OTX API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side navigation bar.
  3. Select Premium Intel to view the feeds available.
  4. Click Subscribe on the AlienVault OTX Pulse box.
  5. Enter your AlienVault API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Bambenek C2 Domain Feed

Set up the Bambenek C2 Domain Feed premium intelligence source in Splunk Intelligence Management.

This self-curating feed monitors malicious networks to observe current criminal activity and collect relevant Domain information, producing high-confidence data with very low false positives.

  • Source Type: Premium Intelligence
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to install: 10 minutes

Supported observables

  • Domain

Requirements

  • A subscription to the Bambenek C2 Domain Feed.
  • Your Bambenek C2 Domain Feed API Key and API Secret
  • Splunk Intelligence Management administrator rights are required to activate this intelligence source.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel to view the feeds available.
  4. Click Subscribe on the Bambenek C2 Domain Feed box.
  5. Enter your Bambenek C2 Domain Feed API key and API secret, then click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Bambenek C2 IP Feed

Set up the Bambenek C2 IP Feed premium intelligence source in Splunk Intelligence Management.

This self-curating feed monitors malicious networks to observe current criminal activity and collect relevant IP information, producing high-confidence data with very low false positives.

  • Source Type: Premium Intelligence
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to install: 10 minutes

Supported observables

  • IP

Requirements

  • A subscription to the Bambenek C2 IP Feed.
  • Your Bambenek C2 IP Feed API Key and API Secret
  • Splunk Intelligence Management administrator rights are required to activate this intelligence source.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel to view the feeds available.
  4. Click Subscribe on the Bambenek C2 IP Feed box.
  5. Enter your Bambenek C2 IP Feed API key and API secret, then click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Bambenek DGA Feed

Set up the Bambenek DGA Feed premium intelligence source in Splunk Intelligence Management.

This self-curating feed monitors malicious networks to observe current criminal activity and collect relevant domain information, producing high-confidence data with very low false positives.

  • Time to install: 10 minutes
  • Source Type: Premium Intelligence
  • Update Type: Feed-based

Supported observables

  • Domain

Requirements

  • A paid subscription to the Bambenek DGA Feed.
  • Your Bambenek DGA Feed API key.
  • Splunk Intelligence Management administrator rights are required to activate this premium intelligence source.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel to view the sources available.
  4. Click Subscribe on the Bambenek DGA Feed box. This displays a dialog box.
  5. Enter your Bambenek API key and API Secret, then click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Cofense Intelligence

Set up and use Cofense Intelligence with Splunk Intelligence Management.

Cofense's malware intelligence service provides accurate alerts about cryptojacking malware and other possible attacks circulating in phishing emails.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Time to Install: 10 minutes

Data Types

The integration pulls the following information from Cofense:

  • Email addresses
  • Hashes
  • IPs
  • URLs
  • Software

Requirements

  • A subscription to Cofense Intelligence
  • Cofense API Key
  • Cofense API Secret
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intel feed.

Getting started

  1. Log into Splunk Intelligence Management.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Select Premium Intel.
  4. Click Subscribe on the Cofense Intelligence box.
  5. Enter your Cofense Intelligence credentials and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Crowdstrike Falcon Intelligence

Set up and use Crowdstrike Falcon Intelligence with Splunk Intelligence Management.

Crowdstrike Falcon Intelligence prevents damage from advanced malware and targeted attacks and also provides security teams with complete analysis and insights into the TTPs of adversary groups, allowing security professionals to diagnose and respond to current incidents while still planning for future events.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management

Requirements

  • Crowdstrike license
  • Access to Crowdstrike Falcon Intelligence
  • API ID and API key for the reports API
  • Client custom region assigned to your license by Crowdstrike

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Select Premium Intel.
  4. Click Subscribe to Crowdstrike Falcon Intelligence.
  5. Enter your Crowdstrike API ID and API key and then click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Dragos WorldView

Set up the Dragos WorldView premium intelligence source in Splunk Intelligence Management.

Dragos WorldView provides actionable insights, analyses, alerts, and reports illuminating malicious activity and relevant recommendations.

  • Source Type: Premium Intelligence
  • Update Type: Feed-based
  • Update Frequency: 6 Hours
  • Time to install: 10 minutes

Supported observables

  • IP Address
  • MD5
  • SHA1
  • SHA256
  • Software
  • URL

Requirements

  • A subscription to Dragos WorldView
  • Dragos WorldView API Key and API Secret
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Select Premium Intel.
  4. Click Subscribe to Dragos.
  5. Enter your Dragos API Key and API Secret and then click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Facebook Threat Exchange

Set up the Facebook Threat Exchange premium intelligence source in Splunk Intelligence Management.

ThreatExchange is an API platform for security professionals to share threat intelligence more easily, learn from each other's discoveries, and make their own systems safer. ThreatExchange provides a set of APIs for pulling data into your existing clients and workflows. The platform supports easy-to-use privacy controls so you can specify who sees the information you publish and how it can be used.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • Email Address
  • IP
  • MD5
  • SHA1
  • SHA256
  • URL

Requirements

  • A subscription to Facebook Threat Exchange
  • Facebook Threat Exchange API ID
  • Facebook Threat Exchange API Secret
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side navigation bar.
  3. Select Premium intel.
  4. Click Subscribe on the Facebook Threat Exchange box.
  5. Enter your Facebook Threat Exchange information and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Farsight Security

Set up the Farsight Security premium intelligence source in the Splunk Intelligence Management platform.

Farsight Security's DNSDB™ is a Passive DNS historical database that provides a unique, fact-based, multi-faceted view of the configuration of the global Internet infrastructure. DNSDB leverages the richness of Farsight's Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Supported observables

  • IP (both IPv4 and IPv6)
  • URL
  • Domain (extracted from the URL)

Requirements

  • A subscription to Farsight Security DNSDB.
  • A Farsight Security DNSDB API key.
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side navigation bar.
  3. Select Premium Intel to view the feeds available.
  4. Click Subscribe on the Farsight Security box.
  5. Enter your Farsight Security API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Flashpoint

Set up the Flashpoint premium intelligence source in Splunk Intelligence Management.

Flashpoint provides rapid, safe, extensive access to illicit communities including closed, invite-only, and password-protected sources, as well as paste sites, technical data, stolen credentials, and social media sites exploited by threat actors.

  • Source Type: Premium Intelligence
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management.

Requirements

  • A subscription to Flashpoint
  • Flashpoint API Key
  • Splunk Intelligence Management administrator rights are required to activate this intelligence source

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Closed Sources.
  4. Click Subscribe on the Flashpoint box.
  5. Enter your Flashpoint API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Hybrid Analysis

Set up the Hybrid Analysis premium intelligence source in Splunk Intelligence Management.

Hybrid Analysis is an innovative technology integrated into the flagship product VxStream Sandbox. Hybrid Analysis is a unique technology that saves fine-grained memory dump snapshots of the monitored runtime processes as well as symbol information to perform a deep static analysis at the report generator stage.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • Malware
  • MD5
  • SHA1
  • SHA256
  • URL

Requirements

  • A subscription to Hybrid Analysis
  • Hybrid Analysis API Key
  • Hybrid Analysis API Secret
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium intel.
  4. Click Subscribe on the Hybrid Analysis box.
  5. Enter your Hybrid Analysis information and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

IBM X-Force

Set up the IBM X-Force premium intelligence source in Splunk Intelligence Management.

IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence, and collaborate with peers. Supported by human- and machine-generated intelligence, the Exchange leverages the scale of IBM X-Force to help users stay ahead of emerging threats.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to install: 10 minutes

Supported observables

  • IP
  • MD5
  • SHA1
  • SHA256
  • URL

Requirements

  • A subscription to IBM X-Force
  • IBM X-Force API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Premium Intel.
  4. Click Subscribe on the IBM X-Force box.
  5. Enter your IBM X-Force API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Source scoring

Source scoring for this intelligence source uses two different methods:

  • A continuous score is provided for URLs and IP addresses.
  • A categorical risk score (Low, Medium, High) is provided for SHA1, SHA256, and MD5.

IBM X-Force Threat Intelligence

Set up the IBM X-Force® Threat Intelligence premium intelligence source in Splunk Intelligence Management.

This feed provides organizations with high quality, prioritized, actionable threat intelligence extracted from real-time IBM security operations, investigations and research.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • IP
  • MD5
  • SHA1
  • SHA256
  • URL

Requirements

  • A subscription to IBM X-Force IRIS
  • IBM X-Force IRIS API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the IBM X-Force IRIS box.
  5. Enter your IBM X-Force IRIS API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Intel 471 Adversary Intelligence

Set up the Intel 471 Adversary Intelligence premium intelligence source in Splunk Intelligence Management.

Adversary Intelligence provides proactive and groundbreaking insights into the methodology of top-tier cybercriminals: target selection, assets and tools used, associates and other enablers that support them. Intel 471's field-driven collection and headquarters-based analysis is able to directly support the intelligence needs across an organization spanning security, executive, vulnerability, risk, investigation and fraud teams.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management.

Requirements

  • A subscription to Intel 471 Adversary Intelligence
  • Intel 471 Adversary Intelligence API ID (Intel 471 portal login email)
  • Intel 471 Adversary Intelligence API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the Intel 471 Adversary Intelligence box.
  5. Enter the information requested and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Intel 471 Alerts

Set up the Intel 471 Alerts Watchlist premium intelligence source in Splunk Intelligence Management.

Intel 471's Alert Watchlist leverages adversary intelligence and underground capabilities to provide timely data and context on malware and adversary infrastructure. Intel 471 is focused on infiltrating and maintaining access to premium intelligence where threat actors collaborate, communicate and plan cyber attacks.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management.

Requirements

  • A subscription to Intel 471 Alerts
  • Alerts API ID (Intel 471 portal login email)
  • Alerts API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium intel.
  4. Click Subscribe on the Intel 471 Alerts box.
  5. Enter the information requested and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Intel 471 Malware Intelligence

Set up the Intel 471 Malware Intelligence premium intelligence source in the Splunk Intelligence Management platform.

This source leverages Intel 471's industry-leading access within the cybercriminal underground to obtain early access to malware, including Trojans, RATs, and Stealers, which is then analyzed and reverse-engineered to create actionable signatures and malware reports. Malware Intelligence was developed for seamless and automated ingestion into security tools and infrastructure.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management.

Requirements

  • A subscription to Intel 471 Malware Intelligence
  • Malware Intelligence API ID (Intel 471 portal login email)
  • Malware Intelligence API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the Intel 471 Malware Intelligence box.
  5. Enter the information requested and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Mandiant Threat Intelligence

Set up and use the Mandiant premium intelligence source in Splunk Intelligence Management.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

About Mandiant

Since 2004, Mandiant® has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

About Mandiant Threat Intelligence

Mandiant Threat Intelligence gives security practitioners unparalleled visibility and expertise into threats that matter to their business right now. Our threat intelligence is compiled by over 300 security and intelligence individuals across 22 countries, researching actors via undercover adversarial pursuits, incident forensics, malicious infrastructure reconstructions and actor identification processes that comprise the deep knowledge embedded in the Mandiant Intel Grid. Threat Intelligence can be delivered as a technology, operated side-by-side with your team, or fully managed by Mandiant experts.

Supported observables

  • All observables supported by Splunk Intelligence Management.

Requirements

  • A subscription to iSight intelligence.
  • iSight public key (API ID)
  • iSight private key (API Secret)
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intel feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Select Premium Intel.
  4. Click Subscribe on the iSight Partners box.
  5. Enter your API key and API Secret key, then click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

NetLab 360 DGA Feeds

Set up the NetLab 360 DGA Feeds open source intelligence in Splunk Intelligence Management.

This self-curating feed monitors malicious networks to observe current criminal activity and collect relevant Domain information, producing high-confidence data with very low false positives.

  • Source Type: Open Source
  • Update Type: Feed-based
  • Update Frequency: 10 minutes
  • Time to install: 10 minutes

Supported observables

  • Domain

Requirements

  • Splunk Intelligence Management administrator rights are required to activate this intelligence source.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Open Source to view the feeds available.
  4. Click Subscribe on the NetLab 360 DGA Feeds box.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Recorded Future Hash Intelligence

Set up the Recorded Future Hash Intelligence Source premium intelligence source in Splunk Intelligence Management.

With billions of indexed facts, and more added every day, Recorded Future's Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources. Recorded Future Hash Intelligence contains hash data scored at 90 and above (on a scale of 0-100) by Recorded Future's internal team.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 4 hours
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • MD5
  • SHA1
  • SHA256

Requirements

  • A subscription to Recorded Future Premium
  • Recorded Future API Key
  • A daily quota of 60 Recorded Future credits. Each list update requires 5 credits, for a total of 60 credits per day (12 list updates per day).
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the Recorded Future Hash Intelligence box.
  5. Enter your Recorded Future API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Recorded Future IP Intelligence

Set up the Recorded Future IP Intelligence premium intelligence source in Splunk Intelligence Management.

With billions of indexed facts, and more added every day, Recorded Future's Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources. Recorded Future IP Intelligence contains IP addresses scored at 90 and above (on a scale of 0-100) by Recorded Future's internal team.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 2 hours
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • All observables supported by Splunk Intelligence Management.

Requirements

  • A subscription to Recorded Future Premium
  • Recorded Future API Key
  • A daily quota of 60 Recorded Future credits. Each list update requires 5 credits, for a total of 60 credits per day (12 list updates per day).
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the Recorded Future IP Intelligence box.
  5. Enter your Recorded Future API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Recorded Future URL Intelligence

Set up the Recorded Future URL Intelligence premium intelligence source in the Splunk Intelligence Management platform.

With billions of indexed facts, and more added every day, Recorded Future's Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: Every 24 hours at 2PM UTC
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • URL
  • Domains (extracted from URL)

Requirements

  • A subscription to Recorded Future Premium
  • Recorded Future API Key
  • A daily quota of 60 Recorded Future credits. Each list update requires 5 credits, for a total of 60 credits per day (12 list updates per day).
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the Recorded Future URL Intelligence box.
  5. Enter your Recorded Future API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Recorded Future Vulnerability Intelligence

Set up the Recorded Future Vulnerability Intelligence premium intelligence source in the Splunk Intelligence Management platform.

With billions of indexed facts, and more added every day, Recorded Future's Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources. Recorded Future Vulnerability Intelligence contains information about vulnerabilities discovered and rated at 90 and above (on a scale of 0-100) by Recorded Future's internal team.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: Every 24 hours at 2PM UTC
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • CVE

Requirements

  • A subscription to Recorded Future Premium
  • Recorded Future API Key
  • A daily quota of 60 Recorded Future credits. Each list update requires 5 credits, for a total of 60 credits per day (12 list updates per day).
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the Recorded Future Vulnerability Intelligence box.
  5. Enter your Recorded Future API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Shodan

Set up the Shodan premium intelligence source in Splunk Intelligence Management.

Shodan is a "freemium" search engine that helps you find specific types of computers connected to the internet. Splunk Intelligence Management's integration with Shodan queries for IP addresses and URLs found in the submission enclave and reports findings to the Shodan enclave.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to install: 10 minutes

Supported observables

  • IP Address
  • URL (via DNS lookup)

Requirements

  • A Freemium or paid subscription to Shodan
  • Shodan API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Select Premium Intel.
  4. Click Subscribe to Shodan.
  5. In the Source Subscription dialog box, enter your Shodan API Key and the Splunk Intelligence Management Enclave ID (not the Enclave Name) where you will submit Reports or Indicators.

Example of Enclave ID: 0092174d-25c0-4d9e-ae7e-7d5031643df0

  6. Click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Known issues

The Shodan Source can only provide data for IP addresses and URLs found by its search engine. There are no corresponding reports when Shodan does not have any information on the observables that were searched.

Symantec Threat Intelligence

Configure the Symantec Threat Intelligence premium intelligence source in Splunk Intelligence Management.

Symantec Threat Intelligence provides real-time information on any file hash, domain, or IP address. Information includes reputation, threat name, prevalence, age, industry, geography, and related indicators.

  • Source Type: Premium Intelligence
  • Update Type: Query-based
  • Update Frequency: 15 minutes
  • Parser: No
  • Time to install: 45 minutes

Requirements

  • A subscription to Symantec Threat Intelligence
  • Symantec Threat Intel API Key
  • A Station user account with a Company Administrator role.

Getting started

  1. Contact Splunk Intelligence Management Support to create a private enclave named <yourcompany> Symantec Threat Intel.
  2. Create a Service User Account in your Station Company Account with these permissions:
    a. View access for the Enclaves that store the indicators you intend to enrich with the Symantec intelligence source (usually your private enclaves, for example phishing, Splunk Threat Activity, ServiceNow, or Resilient enclaves).
    b. Full access to the <yourcompany> Symantec Threat Intel enclave created in step 1.
  3. Securely transfer the following information to your Symantec TI account manager:
    • API Key & Secret for the service user account created in step 2.
    • Enclave IDs to be enriched (step 2.a).
    • Enclave ID for the <yourcompany> Symantec Threat Intel enclave (step 2.b).
    • Credentials for a Symantec TI service user account

Your Symantec TI account manager will notify you by email when integration is activated.

Updating configurations

Work with your Symantec TI account manager: threatintelsupport@broadcom.com

VirusTotal

Set up the VirusTotal premium intelligence source in Splunk Intelligence Management.

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract observables from those items.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to Install: 10 minutes

Supported observables

  • IP
  • IP4
  • URL

Requirements

  • Membership in the VirusTotal community
  • VirusTotal API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the left side icon list.
  3. Select Premium Intel.
  4. Click Subscribe on the VirusTotal box.
  5. Enter your VirusTotal API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

urlscan

Set up the urlscan premium intelligence source in Splunk Intelligence Management.

urlscan is a freemium service that allows virtually anyone to analyze unknown or potentially malicious domains and IP addresses. Splunk Intelligence Management's integration with the urlscan intelligence source queries for IP addresses and domains found in the submission enclave and reports known findings in the urlscan enclave.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Update Frequency: 15 minutes
  • Time to install: 10 minutes

Supported observables

  • IP Address
  • URL
  • When submitting URLs to query urlscan, you must include the protocol (for example, http or https).

Requirements

  • A Freemium or paid subscription to urlscan
  • urlscan API Key
  • Splunk Intelligence Management administrator rights are required to activate this Premium Intelligence feed.

Getting started

  1. Log into the Splunk Intelligence Management web app.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Select Premium Intel.
  4. Click Subscribe to urlscan.
  5. Enter your urlscan API Key, then enter the Pull Enclave ID where you will submit Indicators, and click Save Credentials & Request Subscription. Example Enclave ID: 71f337a0-XXXX-XXXX-XXXX-5679271656a0

Splunk Intelligence Management validates the integration within 48 hours and sends an email when the integration is enabled.

Last modified on 15 August, 2023

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

