View indicators to help you find harmful activity
As a security professional, you collect pieces of information, such as cases, reports, or emails that contain data about an event on a network or device. Splunk Intelligence Management extracts these observables and then enriches and scores them to provide deeper context and intelligence. These Indicators help you determine if there is harmful activity on a network, such as a security breach or other suspicious incident.
The IOCs Panel is where you work with Indicators, either as a list you can filter and sort, or by viewing the details of a specific Indicator. You access the IOCs panel by clicking the IOCs icon in the Navigation Bar.
The IOCs panel has two views, each with a separate purpose:
- List View: Displays a list of Indicators that match the current filters you have set. This is the default view. You can always return to the list by clicking on the IOC icon in the Navigation Bar.
- Graph View: Provides a detailed look at a selected Indicator. To see an Indicator in Graph view, click on its title while in List View.
Use the list view to see basic information for each indicator
The List View of the IOC Panel provides basic information for each Indicator: the Enclave where it is stored, total sightings, tags, and notes. When in List view, you can use the choices in the Filter and Refine panel on the left side of the window to home in on the items of most interest to you.
Total sightings indicate the number of times the Indicator has appeared in your Enclaves, including sources.
The menu bar in List view is located above the list of Indicators, on the far right.
The menu bar offers two options:
- Refresh: Updates the list view. This is useful if you have been working on a hot-button investigation and want to see if any additional Indicators have been added while you were working.
- Export: Downloads a .csv file with two fields, type and value.
The List view provides different ways to display the list of Indicators:
- Most Recent, Last Seen
- Least Recent, Last Seen
- Most Recent, First Seen
- Least Recent, First Seen
You can choose which way to sort the list by selecting one of the choices on the dropdown menu just below the List view Menu bar.
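The List view's Export action, total sightings count, and four sort orders are easiest to understand by reproducing them over a small export. The following Python is an added example, not code from Splunk Intelligence Management: it parses the two-field `type,value` CSV that Export downloads, joins it with a constructed set of per-Enclave sightings (the flat sighting shape and the sort-order names are this example's own assumptions, not the product's data model), and orders the result the way the dropdown below the List view menu bar does. `corona-map-data.com` is the URL the page itself uses as its example Indicator; the other values are documentation-range addresses and a placeholder hash.

```python
import csv
import io
from datetime import date

# The four sort orders the List view offers (these names are this example's own).
SORT_ORDERS = (
    "most_recent_last_seen",
    "least_recent_last_seen",
    "most_recent_first_seen",
    "least_recent_first_seen",
)

SAMPLE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed stand-in for the two-field CSV that the Export action downloads.
EXPORT_CSV = f"""type,value
URL,corona-map-data.com
IP,203.0.113.10
SHA256,{SAMPLE_HASH}
IP,198.51.100.7
"""

# Constructed sightings: which Enclave saw which value on which day.
# The product counts sightings per Enclave; this flat record shape is an assumption.
SIGHTINGS = [
    {"value": "corona-map-data.com", "enclave": "Community", "seen": date(2020, 3, 12)},
    {"value": "corona-map-data.com", "enclave": "Community", "seen": date(2020, 3, 15)},
    {"value": "corona-map-data.com", "enclave": "SOC", "seen": date(2020, 4, 1)},
    {"value": "203.0.113.10", "enclave": "SOC", "seen": date(2020, 5, 2)},
    {"value": SAMPLE_HASH, "enclave": "Community", "seen": date(2020, 1, 20)},
    {"value": SAMPLE_HASH, "enclave": "Partner", "seen": date(2020, 2, 2)},
]


def parse_export(text):
    """Parse the exported CSV, insisting on exactly the type,value header."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != ["type", "value"]:
        raise ValueError(f"unexpected export header: {reader.fieldnames}")
    rows = []
    for row in reader:
        ioc_type, value = row["type"].strip(), row["value"].strip()
        if not value:  # skip blank rows rather than creating empty Indicators
            continue
        rows.append({"type": ioc_type, "value": value})
    return rows


def summarize(indicators, sightings):
    """Attach total sightings, Enclaves, and first/last seen to each Indicator."""
    summary = {
        ind["value"]: {
            "type": ind["type"], "value": ind["value"], "total_sightings": 0,
            "enclaves": set(), "first_seen": None, "last_seen": None,
        }
        for ind in indicators
    }
    for s in sightings:
        entry = summary.get(s["value"])
        if entry is None:  # sighting of a value that is not in this export
            continue
        entry["total_sightings"] += 1
        entry["enclaves"].add(s["enclave"])
        if entry["first_seen"] is None or s["seen"] < entry["first_seen"]:
            entry["first_seen"] = s["seen"]
        if entry["last_seen"] is None or s["seen"] > entry["last_seen"]:
            entry["last_seen"] = s["seen"]
    return summary


def sort_indicators(summary, order):
    """Order entries the way the List view dropdown does; never-seen values go last."""
    if order not in SORT_ORDERS:
        raise ValueError(f"unknown sort order: {order}")
    field = "last_seen" if order.endswith("last_seen") else "first_seen"
    newest_first = order.startswith("most_recent")
    seen = [e for e in summary.values() if e[field] is not None]
    unseen = [e for e in summary.values() if e[field] is None]
    seen.sort(key=lambda e: e[field], reverse=newest_first)
    return seen + unseen


if __name__ == "__main__":
    table = summarize(parse_export(EXPORT_CSV), SIGHTINGS)
    for entry in sort_indicators(table, "most_recent_last_seen"):
        print(entry["value"], entry["total_sightings"],
              sorted(entry["enclaves"]), entry["last_seen"])
```

The header check matters in practice: an export with any other column layout is rejected rather than silently mapped into the wrong fields, and an Indicator that appears in the export but has no sightings still shows up (with a count of zero) at the end of every ordering instead of disappearing.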
View indicators in graph view to drill down for more details
In the Graph view of the IOC Panel, you can deep-dive into a selected Indicator, including its date range, extracted Indicators, and a link to the full report. You can click on any item in List view to display it in Graph view.
You can see two menu bars when you are in Graph view, both of them displayed above the actual graph.
The first menu bar includes:
- Data Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (the entire date range for the item). The data for the selected range is displayed as a bar graph, as shown in the image above.
- Labels (gear icon): Turns labels on or off (default) for the graph points.
- Download (down arrow icon): Exports the data from the Indicator.
The second menu bar offers these options:
- Filter by Indicator, sources (enclaves), or tags
- Next item from the List view
- Undo last action
- Redo the last action you undid
- Reset to the original view of the item
The main panel in this view shows a graph of the Indicator with links to the Enclaves that contain that item, along with correlated Indicators and tags. The example below shows that the Indicator (corona-map-data.com, a URL) has been found in three enclaves and is associated with tags and MITRE ATT&CK tags.
- A Report node represents information collected from a number of different sources, including user-reported incidents, and paid/open source threat data feeds. A report node is shown using the icon specific to the enclave where that report is stored. In the image above, the report is stored in the Splunk Intelligence Management Community enclave and is represented by the Splunk Intelligence Management star logo.
- A Report node contains one or more Observable nodes. When two different Report nodes contain the same Observable, they are implicitly correlated to each other and you can see that connection in the lines between the Observables and the reports that contain them.
- An Observable node represents all indicators extracted from a specific Report. Observable nodes are represented with smaller icons specific to the data source.
- A Tag node represents tags applied to a Report or Observable and is visually depicted on the graph. Reports branching off the tag share the same tag, have one or more correlating Observables, and are present in the same timeline.
You can right-click on any item to see a four-part circular menu. Depending on the item, you can choose any option that is not grayed out.
The details panel in Graph view displays the Indicator type, when it was last seen, how many sightings (with a historical sightings graph), and what enclaves contain it. In addition, you can see the tags applied to the item, including MITRE ATT&CK tags.
The three dots in the upper right corner contain commands to:
- Search for this item.
- Safelist this item.
You can click the target icon next to Tags to view tags by Enclave. You can add tags to this item by selecting a tag from the dropdown list for an Enclave. Any tags you add will be visible to all members of the selected Enclave and any of those members can edit those tags. Tags you add are immediately added to the item in that enclave; there is no Save action required.
Click the target icon next to or MITRE ATT&CK to view those tags by enclave. After making changes, click the Save button to commit the changes to the selected enclave.
Use safelists in Splunk Intelligence Management to remove IOCs that you do not want to display in the Enclaves.
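Two points from this page are worth seeing in working code: the implicit correlation between Report nodes that contain the same Observable (described under the Graph view above), and the effect of a safelist, which removes an IOC before it is displayed and therefore also before it can link reports together. The following Python is an added example, not Splunk Intelligence Management's code; the report records, the Enclave names, the tag strings, and the safelist contents are all constructed for the example, and `corona-map-data.com` is reused from the page's own Graph view example.

```python
# Constructed Reports: each holds the Observables extracted from it, the Enclave
# it is stored in, and its tags. This record shape is the example's own assumption.
REPORTS = [
    {"id": "R1", "enclave": "Community",
     "observables": {"corona-map-data.com", "203.0.113.10"},
     "tags": {"phishing"}},
    {"id": "R2", "enclave": "SOC",
     "observables": {"corona-map-data.com", "192.0.2.53"},
     "tags": {"MITRE ATT&CK: T1566"}},
    {"id": "R3", "enclave": "Partner",
     "observables": {"192.0.2.53", "198.51.100.7"},
     "tags": {"scanner"}},
]

# Constructed safelist: 192.0.2.53 stands in for a benign internal resolver that
# keeps appearing in reports and should not be displayed as an IOC.
SAFELIST = {"192.0.2.53"}


def index_observables(reports, safelist=frozenset()):
    """Map each Observable to the ids of the Reports that contain it.
    Safelisted values are dropped here, before anything is displayed or correlated."""
    index = {}
    for report in reports:
        for obs in report["observables"]:
            if obs in safelist:
                continue
            index.setdefault(obs, set()).add(report["id"])
    return index


def correlated_reports(index):
    """Two Reports are implicitly correlated when they share an Observable;
    returns the set of unordered report-id pairs that the graph would connect."""
    pairs = set()
    for report_ids in index.values():
        ids = sorted(report_ids)
        for i in range(len(ids)):
            for j in range(i + 1, len(ids)):
                pairs.add(frozenset((ids[i], ids[j])))
    return pairs


def tags_for(observable, reports, index):
    """Collect the tags of every Report whose node links to this Observable."""
    report_ids = index.get(observable, set())
    tags = set()
    for report in reports:
        if report["id"] in report_ids:
            tags |= report["tags"]
    return tags


def enclaves_for(observable, reports, index):
    """Enclaves that contain this Observable, as the details panel lists them."""
    report_ids = index.get(observable, set())
    return {r["enclave"] for r in reports if r["id"] in report_ids}


if __name__ == "__main__":
    raw = index_observables(REPORTS)
    clean = index_observables(REPORTS, SAFELIST)
    print("correlations without safelist:", sorted(sorted(p) for p in correlated_reports(raw)))
    print("correlations with safelist:   ", sorted(sorted(p) for p in correlated_reports(clean)))
    print("corona-map-data.com enclaves:", sorted(enclaves_for("corona-map-data.com", REPORTS, clean)))
    print("corona-map-data.com tags:    ", sorted(tags_for("corona-map-data.com", REPORTS, clean)))
```

The before/after comparison shows the practical reason to safelist noisy values: without the safelist the shared resolver address makes R2 and R3 look correlated, which is exactly the kind of false link that clutters the graph and can lead an analyst to chase an unrelated report.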
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current