Splunk® Intelligence Management (Legacy)

User Guide

Digital risk and ATO intelligence sources

Splunk Intelligence Management supports the following digital risk and account takeover (ATO) intelligence sources:

  • Cyjax
  • Digital Shadows
  • RiskIQ Blacklist
  • RiskIQ PassiveTotal
  • Shape Blackfish
  • SpyCloud

Cyjax

Cyjax specializes in threat intelligence covering the cyber, physical, and political domains.

  • Time to install: 10 minutes
  • Source Type: Premium Intelligence
  • Update Type: Query-based

Observables supported

  • Domain
  • URL
  • CVE
  • Emails
  • IPv4
  • IPv6
  • FileHash-MD5
  • FileHash-SHA1
  • FileHash-SHA256

Requirements

  • A paid subscription to Cyjax
  • Cyjax API Key
  • TruSTAR Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel to view the sources available.
  4. Click Subscribe on the Cyjax box. This opens a dialog box.
  5. Enter your Cyjax API key, then click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

Digital Shadows

This document explains how to set up the Digital Shadows premium intelligence source in the TruSTAR platform. The integration also provides a direct link back to Digital Shadows so that you can take advantage of the other services it provides.

Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the visible, deep, and dark webs to protect an organization's business, brand, and reputation.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • URL
  • MD5
  • SHA1

Requirements

  • A license for Digital Shadows.
  • Access to your Digital Shadows API key.
  • TruSTAR Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Choose Premium Intel.
  4. Click Subscribe on the Digital Shadows box.
  5. Enter your Digital Shadows API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

The TruSTAR integration pulls reports from Digital Shadows that contain cyber observables. These include:

  • Intelligence reports
  • Intelligence - Incident reports
  • Intelligence - Threat reports

Contact TruSTAR to discuss additional reports that can be pulled from Digital Shadows.

RiskIQ Blacklist

This document explains how to set up the RiskIQ Blacklist premium intelligence source in the TruSTAR platform.

RiskIQ's Blacklist delivers curated lists of known bad URLs, domains, and IP addresses associated with malware, phishing, and scam events.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • URL
  • Domain (Extracted from URL by TruSTAR)

Requirements

  • Licensed user of RiskIQ
  • API key for RiskIQ Blacklist lookup
  • TruSTAR Admin rights are required to activate this Premium Intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Click Premium Intel.
  4. Click Subscribe on the RiskIQ Blacklist box.
  5. Enter your RiskIQ API key and click Save Credentials & Request Subscription. To find your RiskIQ API key, see the Manage API Key page in the RiskIQ documentation.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

RiskIQ PassiveTotal

This document explains how to set up the RiskIQ PassiveTotal premium intelligence source in the TruSTAR platform.

RiskIQ PassiveTotal® expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what is happening outside the firewall—external threats, attackers, and their related infrastructure.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • Domain (extracted from URL)
  • Email address

Requirements

  • A subscription to RiskIQ PassiveTotal
  • RiskIQ PassiveTotal API key
  • TruSTAR Admin rights are required to activate this Premium Intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Click Premium Intel.
  4. Click Subscribe on the RiskIQ PassiveTotal box.
  5. Enter your RiskIQ PassiveTotal API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

After the integration has been enabled, you need to submit reports to your private enclave to see intelligence enrichment from PassiveTotal.

Shape Blackfish

This document explains how to set up the Shape Blackfish premium intelligence source in the TruSTAR platform.

Shape Blackfish is an enterprise credential security solution that helps organizations protect their websites and mobile applications from criminals who use stolen credentials to take over customer accounts. Shape sees over 30M credential stuffing attacks per day and protects over 100M real human logins per day. In other words, Blackfish knows which credentials have been stolen even before criminals begin trading them on the dark web.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Observables Supported

  • Email Address

Requirements

  • A subscription to Shape Blackfish
  • Shape Blackfish API Key
  • Shape Blackfish API Secret
  • TruSTAR Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Choose Premium Intel.
  4. Click Subscribe on the Shape Blackfish box.
  5. Enter your Shape Blackfish API Key and API Secret and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

SpyCloud

This document explains how to set up the SpyCloud premium intelligence source in the TruSTAR platform.

SpyCloud helps businesses of all sizes prevent data breaches and account takeover attacks by alerting when employee or company assets have been compromised. SpyCloud's early-warning breach detection service is powered by a world-class team of intelligence analysts.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • URL
  • Domain
  • Email Address

Requirements

  • A subscription to SpyCloud
  • SpyCloud API Key
  • TruSTAR Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Choose Premium Intel.
  4. Click Subscribe on the SpyCloud box.
  5. Enter your SpyCloud credentials, then click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.
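Each query-based source on this page enriches only the observable types it lists, and domains are extracted from URLs before lookup. The following Python example is added here and is not TruSTAR product code or part of its SDK; it pulls observables out of a constructed report body and maps them onto the support lists above, so you can see in advance which premium source would be queried for which indicator. Assumptions: the page's IPv4/IPv6 and FileHash-* entries are collapsed to single IP and MD5/SHA1/SHA256 labels, the bare "IP" entries for RiskIQ, SpyCloud and Digital Shadows are taken to cover both address families, and the refanging rules (hxxp, [.]) follow common analyst convention rather than anything TruSTAR documents. The real platform performs its own extraction; this only shows what a practitioner should expect from the support matrix.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Observable types each source accepts, transcribed from the "Observables
# supported" lists on this page. Labels are collapsed: IPv4/IPv6 -> IP,
# FileHash-MD5 -> MD5, and so on. Treating the bare "IP" entries as covering
# both address families is an assumption, not something the page states.
SOURCE_SUPPORT = {
    "Cyjax":               {"IP", "DOMAIN", "URL", "EMAIL", "CVE", "MD5", "SHA1", "SHA256"},
    "Digital Shadows":     {"IP", "URL", "MD5", "SHA1"},   # feed-based; listed for completeness
    "RiskIQ Blacklist":    {"IP", "URL", "DOMAIN"},
    "RiskIQ PassiveTotal": {"IP", "DOMAIN", "EMAIL"},
    "Shape Blackfish":     {"EMAIL"},
    "SpyCloud":            {"IP", "URL", "DOMAIN", "EMAIL"},
}

_HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX_RE = re.compile(r"^[0-9a-f]+$")
_CVE_RE = re.compile(r"^cve-\d{4}-\d{4,}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
_PUNCT = ".,;:()<>\"'"   # punctuation that clings to indicators in prose


def refang(token):
    """Undo common analyst defanging (assumed convention): hxxp://a[.]b -> http://a.b"""
    t = token.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)


def classify(token):
    """Return a list of (type, value) pairs for one whitespace-delimited token.

    A URL yields both the URL and the host extracted from it (as DOMAIN or IP),
    mirroring the "Domain (extracted from URL)" behaviour described on the page.
    """
    t = refang(token.strip(_PUNCT))
    low = t.lower()
    if "://" in low:
        parts = urlsplit(low)
        if parts.scheme in ("http", "https", "ftp") and parts.hostname:
            return [("URL", t)] + classify(parts.hostname)
        return []
    try:
        ipaddress.ip_address(low)          # accepts both IPv4 and IPv6 literals
        return [("IP", low)]
    except ValueError:
        pass
    if _CVE_RE.match(low):
        return [("CVE", low.upper())]
    if _EMAIL_RE.match(low):
        return [("EMAIL", low)]
    if len(low) in _HASH_TYPES and _HEX_RE.match(low):
        return [(_HASH_TYPES[len(low)], low)]
    if _DOMAIN_RE.match(low):
        return [("DOMAIN", low)]
    return []


def extract_observables(text):
    """Scan a report body and return its observables in order of first appearance."""
    found = []
    for token in text.split():
        for obs in classify(token):
            if obs not in found:
                found.append(obs)
    return found


def route(observables):
    """Map each premium source to the (sorted) observables it can enrich."""
    routed = {}
    for source, types in SOURCE_SUPPORT.items():
        hits = sorted(value for kind, value in observables if kind in types)
        if hits:
            routed[source] = hits
    return routed


# Constructed sample report (documentation-reserved addresses and .example
# names; not a real incident).
SAMPLE_REPORT = """\
Phishing campaign (constructed sample, not a real incident):
Lure mailed from billing@evil-invoice.example to finance staff, linking to
hxxps://portal.evil-invoice[.]example/login and fallback 203.0.113.7.
Attachment hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
exploits CVE-2017-11882. Also seen: c2 at 2001:db8::1.
"""

if __name__ == "__main__":
    observables = extract_observables(SAMPLE_REPORT)
    for kind, value in observables:
        print(f"{kind:7} {value}")
    for source, values in route(observables).items():
        print(f"{source}: {', '.join(values)}")
```

Running the script on the sample shows the practical consequence of the support lists: the SHA256 attachment hash reaches only Cyjax (Digital Shadows lists MD5 and SHA1 but not SHA256), the sender address is the sole thing Shape Blackfish can act on, and the defanged lure URL is refanged and split so that both the URL and its host are available to the sources that want them.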

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

