Splunk® Intelligence Management (Legacy)

User Guide


Malware intelligence sources

Splunk Intelligence Management supports the following malware sandboxes as intelligence sources:

  • Cisco AMP Threat Grid Analysis
  • Joe Sandbox

Cisco AMP Threat Grid Analysis

Cisco Threat Grid Analysis combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • Domain
  • URL (domains are extracted from URLs)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY

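The observable list above is the contract an intel consumer has to satisfy before handing indicators to this source: hashes are keyed by digest type, and a URL also contributes its domain. The following is an added example, not Splunk or Cisco code, showing one way to classify raw indicator strings into exactly these types and to derive the domain (or IP) from a URL the way the note says. The regular expressions, the registry-hive list, the function names and the sample indicators are all assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Observable types listed for the Cisco Threat Grid source; the labels are the page's own.
HASH_TYPES_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD (assumption)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Registry hives, full names and common abbreviations (constructed list, not from the page)
REGISTRY_RE = re.compile(
    r"^(HKEY_(LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)"
    r"|HKLM|HKCU|HKCR|HKU|HKCC)\\",
    re.IGNORECASE,
)


def _host_observable(host):
    """Classify a bare host as IP or Domain; return None if it is neither."""
    try:
        ipaddress.ip_address(host)
        return ("IP", host)
    except ValueError:
        pass
    if DOMAIN_RE.match(host):
        return ("Domain", host)
    return None


def extract_observables(raw):
    """Map one raw indicator string to zero or more (type, value) pairs.

    A URL yields the URL itself plus its host, mirroring the note that domains
    are extracted from URLs. Strings matching none of the supported types give
    an empty list so the caller can drop or log them instead of submitting junk.
    """
    value = raw.strip()
    if not value:
        return []
    # URL: keep it verbatim, then add its host as a second observable
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https", "ftp") and parsed.hostname:
        out = [("URL", value)]
        host = _host_observable(parsed.hostname.lower())
        if host:
            out.append(host)
        return out
    if REGISTRY_RE.match(value):
        return [("REGISTRY_KEY", value)]
    lowered = value.lower()
    # Hashes are identified by hex alphabet and digest length, normalised to lowercase
    if HEX_RE.match(lowered) and len(lowered) in HASH_TYPES_BY_LENGTH:
        return [(HASH_TYPES_BY_LENGTH[len(lowered)], lowered)]
    host = _host_observable(lowered)
    return [host] if host else []


def normalize_batch(raw_values):
    """Classify a batch, drop unsupported strings and de-duplicate, preserving order."""
    seen = set()
    result = []
    for raw in raw_values:
        for obs in extract_observables(raw):
            if obs not in seen:
                seen.add(obs)
                result.append(obs)
    return result


# Constructed sample indicators: documentation-range IP, example.com, digests of empty input
SAMPLE_INDICATORS = [
    "https://Example.com/login?x=1",
    "example.com",
    "192.0.2.10",
    "D41D8CD98F00B204E9800998ECF8427E",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "not an indicator",
]

if __name__ == "__main__":
    for obs_type, obs_value in normalize_batch(SAMPLE_INDICATORS):
        print(f"{obs_type:13} {obs_value}")
```

Hash values are lowercased before they are emitted so that the same digest reported in mixed case by two tools collapses to one observable; URLs are left verbatim because case can be significant in the path.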
Requirements

  • A license for Cisco Threat Grid.
  • Access to the Threat Grid portal to generate an API key.
  • Splunk Intelligence Management Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Premium Intel.
  4. Click Subscribe on the Cisco Threat Grid Indicator Query box.
  5. Enter your Cisco API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Joe Sandbox

Joe Sandbox automatically executes files and URLs in a controlled environment, monitors the behavior of applications and the operating system for suspicious activity, and compiles the results into an extensive analysis report.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • All Observables supported by Splunk Intelligence Management

Requirements

  • Registered customer of Joe Security
  • Joe Sandbox Cloud API key
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side navigation bar.
  3. Choose Premium Intel.
  4. Click Subscribe on the Joe Sandbox icon.
  5. Enter your Joe Sandbox API key, then click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current