Splunk® Intelligence Management (Legacy)

User Guide

Create and manage an indicator prioritization intelligence workflow

Use the Indicator Prioritization intelligence workflow to filter and transform indicators into a high-fidelity data set that you can then use with third-party tools or other integrations in your cybersecurity environment.

You must be a company administrator in Splunk Intelligence Management to create. edit, or delete an intelligence workflow.

View the contents of an intelligence workflow

To view the contents of an intelligence workflow, click anywhere in its box. This expands to show the details of the sources, transformations, and destinations. Clicking again collapses the information display.

To copy the enclave ID or API key/secret for the intelligence workflow, click the clipboard icons next to the item you want to copy. You may need to copy this information to set up a workflow app as a destination for the intelligence workflow.

To regenerate the API key and API secret, click Regenerate.

Create an intelligence workflow

Perform the following steps to create an intelligence workflow. You will specify the details, sources, transformations you want to occur, and the destinations where you want to store the final data set.

You can create a maximum number of five intelligence workflows in a company to ensure that you receive data in a timely manner. Additionally, you can only select a maximum of ten intelligence sources in an intelligence workflow.

  1. Click the Workflows icon in the left Navigation bar. This opens the Workflows main screen.
  2. Click Create Workflow.
  3. On the Details screen, enter the name of the workflow you want to create.

    You can't edit the intelligence workflow name after finishing the creation process.

  4. Click Select Sources to move to the next screen. The Sources screen displays the list of intelligence sources that your organization has subscribed to. If the list is long, you can use the search bar to locate a specific source you want to use.
    1. Click the checkbox next to a source name to select that source.
    2. (Optional) Change the default weight of a source, use the pull-down menu for that source in the Weight column. The scale is 1 to 5, with 5 being the highest possible weighting. Each source you select can be weighted to provide more customization in the transformation stage. For example, you may know from past experience that one source is very closely aligned to the malicious Indicators you've seen in past cybersecurity events, so you may want to give that source a higher weighting than a source you just started using.
    3. When you are finished selecting sources, click Select Transformations to move to the next screen.
  5. Choose which transformations you want to make to the data sources you selected. You can filter the data set by scores, indicator types, or safelists.
    1. To filter the data set by scores, click the checkboxes for the scores you want to use. The default is Medium + High.
    2. Deselect the indicator types you do not want to use in this Workflow. The default is to use all indicator types supported by Splunk Intelligence Management.
    3. Select the safelists you want to use with this workflow. Safelists ensure that indicators containing specific terms or phrases are removed by the workflow. Related Link: Working with Safelist Libraries.
    4. Click Select Destination to move to the next screen.
  6. Destinations is where you specify what you want to do with the data set you are creating. Your choices are to send the data to a third-party tool using a Splunk Intelligence Management workflow app or store the data set to a Splunk Intelligence Management enclave.
    1. Click the destination where you want to send the new data set created by this Intel Workflow.
      • A third-party application that you will connect to Splunk Intelligence Management using a Splunk Intelligence Management Workflow App.

        To send the data to a third-party tool, you must set up the Splunk Intelligence Management Workflow App for that tool before the tool can receive from the Intel Workflow.

      • A new enclave. You can then view the contents of the enclave to check that the results are useful. Once you have the data set of the correct content and quality, you can edit the Intel Workflow to redirect the destination to a third-party application.
  7. Click Create Workflow to save your workflow. A popup window shows you the destination, enclave ID, and API credentials for this workflow.
  8. Click Close to close the confirmation popup or click Run in Postman to see the data set created by this intel workflow. See View a data set in Postman.

Edit an intel workflow

Edit an existing intel workflow to change any of the sources, transformations, or destinations.

  1. To edit an intelligence workflow, click the more (the more icon) icon for a workflow, then select Edit. This displays the stages of the intelligence workflow. You cannot edit the name or type of an intelligence workflow.
  2. Click on a stage to edit it. To read more about each stage, see the Creating an Indicator Prioritization Intel Workflow article.
  3. When you have finished editing, click Save Workflow at the bottom of the screen to save your changes.

If you want to leave the workflow edit process without saving changes, click the X at the top-right of the current screen. This returns you to the Intel Workflows main screen.

Delete an intelligence workflow

You can delete intelligence workflows that you no longer need.

To delete an intelligence Workflow:

  1. From list of workflows, click the more (the more icon) icon for the intel workflow you want to delete.
  2. Click Delete on the popup menu.
  3. Click Delete to confirm the request.
Last modified on 19 December, 2022
Troubleshoot intelligence workflow   Review a data set in Postman

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters