Splunk® Intelligence Management (Legacy)

User Guide

Trusted community intelligence sources

Splunk Intelligence Management supports the following trusted community intelligence sources:

  • A-ISAC
  • COVID-19 OSINT Community Enclave
  • F-ISAC
  • FS-ISAC
  • NCFTA CyFin
  • NCFTA TNT

A-ISAC

This document explains how to set up the A-ISAC premium intelligence source in the Splunk Intelligence Management platform.

A-ISAC facilitates the sharing of timely, actionable information related to threats, vulnerabilities, incidents, potential protective measures and best practices.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Observables Supported

  • All Observables supported by Splunk Intelligence Management.

Requirements

  • Subscription to A-ISAC
  • A-ISAC Username
  • A-ISAC Password
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the A-ISAC List box.
  5. Enter your A-ISAC Username and Password and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

COVID-19 OSINT Community Enclave

To help security teams Defend Better Together, Splunk Intelligence Management along with our partners at IBM have created an open source Community Enclave to share and track observables related to COVID-19 exploits.

  • Source Type: Open Source Intelligence
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to install: 5 minutes

Supported Observables

  • IP
  • DOMAIN
  • EMAIL ADDRESS
  • MD5
  • SHA1
  • SHA256
  • URL

Contributing to the Enclave

You can find the COVID-19 OSINT Enclave on the "Open Sources" section of the Navigation Panel.

The IBM X-Force IRIS team is leading the effort to curate an initial corpus of relevant observables related to COVID-19 and is publishing them to the COVID-19 Open Source Enclave. Reports are added every 24 hours.

Splunk Intelligence Management and IBM Liaison Community intel architects have edit access to reports. To request edits or report an inaccuracy, or if you want to contribute to the reports, contact covid-19@trustar.co. Reports tagged with #covid-19 will NOT be automatically added to the COVID-19 OSINT Enclave. All reports tagged with #covid-19 can be found using Search and Wildcard features.

Tags are only visible to members from the Enclave you submitted to. You can only tag reports with #covid-19.

We encourage you to use this intelligence source via the following tools:

  • Community & Community Plus Users
    • Search
    • Google Chrome Extension
    • Slack App
    • Splunk Intelligence Management REST API
  • All Foundation, Enterprise, and Enterprise Intelligence Management Users
    • Configure your Application integrations with your detection, incident response and orchestration tools to include this data source for enrichment.

F-ISAC

This document explains how to set up the F-ISAC premium intelligence source in the Splunk Intelligence Management platform.

Financials Information Sharing and Analysis Center Japan (F-ISAC Japan) was established so that Japan's financial institutions could share and analyze cyber security information and conduct cooperative activities to improve their safety and security.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • Domain
  • URL
  • MD5
  • SHA1 / SHA256

Requirements

  • Membership in F-ISAC
  • F-ISAC API key, email and password
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium intel.
  4. Click Subscribe on the F-ISAC box.
  5. Click on F-ISAC logo and fill in your API key, email and password, then click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

FS-ISAC

This document explains how to set up the FS-ISAC premium intelligence source in the Splunk Intelligence Management platform.

FS-ISAC, or the Financial Services Information Sharing and Analysis Center, is the global financial industry's resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned non-profit entity.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 2 hours
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • CIDR BLOCK
  • URL (including DOMAIN)
  • MD5
  • SHA1 and SHA256
  • CVE
  • BITCOIN ADDRESSES
  • SOFTWARE
  • EMAIL ADDRESS
  • REGISTRY KEY
  • MALWARE

Requirements

  • Membership in FS-ISAC
  • FS-ISAC API Username and API Password
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the FS-ISAC box.
  5. Click on FS-ISAC logo and fill in your API Username and API Password, then click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

NCFTA CyFin

This document explains how to set up the NCFTA CyFin premium intelligence source in the Splunk Intelligence Management platform.

The National Cyber-Forensics & Training Alliance (NCFTA) is a non-profit corporation focused on identifying, mitigating, and neutralizing cybercrime threats globally. Its CyFin feed focuses on cyber threats to the financial services industry, specifically spam-based money laundering and securities fraud.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Observables Supported

  • All Observables supported by Splunk Intelligence Management

Requirements

  • A subscription to NCFTA
  • NCFTA API Key
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the NCFTA CyFin List box.
  5. Enter your NCFTA API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

NCFTA TNT

This document explains how to set up the NCFTA TNT premium intelligence source in the Splunk Intelligence Management platform.

The National Cyber-Forensics & Training Alliance (NCFTA) is a non-profit corporation focused on identifying, mitigating, and neutralizing cybercrime threats globally. It operates by conducting real-time information sharing and analysis with Subject Matter Experts (SMEs) in the public, private, and academic sectors.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 10 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • All Observables supported by Splunk Intelligence Management

Requirements

  • A subscription to NCFTA
  • NCFTA API Key
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the NCFTA TNT List box.
  5. Enter your NCFTA API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current