The Threat Intelligence Framework (TIF) in Splunk ES enables you to ingest, manage, and operationalize external threat intelligence feeds. Its core function is to help you identify known threats in your environment by matching IOCs (like malicious IPs, domains, emails, or file hashes) against your incoming log data.
Think of TIF as a system that turns third-party threat data into actionable alerts.
TIF is flexible and supports a wide range of input formats and platforms. You can integrate threat intel from both structured platforms and custom lists.
TAXII stands for Trusted Automated eXchange of Indicator Information.
It is a standard HTTPS-based transport protocol for exchanging STIX-formatted threat intelligence.
Commonly used in:
Government
Financial sectors
Community threat-sharing groups
TIF supports direct integration with TAXII servers to automatically pull IOCs.
You can manually define and upload your own threat lists.
Useful for:
Internal IOCs from previous incidents
Blocklists from security vendors
Partner-supplied threat data
Format examples:
ip,threat_type,confidence
192.168.10.5,malware,high
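Before a custom list of this shape goes into a lookup table it is worth validating it: a single malformed or internal address in a blocklist turns into a stream of false positives on every match. The script below is an added example and not Splunk code; it reads the ip,threat_type,confidence layout shown above, rejects unparseable IPs, rejects RFC 1918 / loopback / link-local addresses unless you are deliberately loading internal IOCs from your own incidents (the page's own sample row, 192.168.10.5, is such an address), normalises confidence to low/medium/high and deduplicates on IP keeping the highest confidence. The sample rows, the internal-range rule and the dedup rule are constructed for the example.

```python
"""Pre-upload validation for a custom IOC list (added example, not Splunk code).

The CSV layout (ip,threat_type,confidence) is the one shown above. The
internal-range rejection, the confidence normalisation and the dedup rule
are this example's own choices for keeping junk out of the lookup table.
"""
import csv
import io
import ipaddress

# Constructed sample list: the page's own row plus rows that exercise the
# checks (case, duplicates, bad IP, blank confidence, RFC 1918 address).
SAMPLE_CSV = """ip,threat_type,confidence
192.168.10.5,malware,high
203.0.113.45,c2,HIGH
203.0.113.45,c2,medium
not-an-ip,malware,high
198.51.100.7,phishing,
10.0.0.1,scanner,low
"""

# Ranges that describe your own hosts rather than an adversary's. Matching
# them against src/dest fields fires on normal internal traffic, which is
# the classic threat-list false positive.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                  # IPv6 equivalents
)]

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def normalise_confidence(value):
    """Map free-text confidence to low/medium/high; unknown or blank -> low."""
    v = (value or "").strip().lower()
    return v if v in CONFIDENCE_RANK else "low"


def is_internal(addr):
    """True for addresses inside any of INTERNAL_NETS (version-aware)."""
    return any(addr in net for net in INTERNAL_NETS)


def validate_ioc_csv(text, allow_private=False):
    """Return (accepted, rejections) for a CSV in the page's format.

    accepted:   list of {ip, threat_type, confidence}, one entry per IP;
                duplicates keep the highest confidence seen.
    rejections: list of (line_no, reason) so the feed owner can fix the source.
    allow_private=True is for lists of internal IOCs from your own incidents,
    where RFC 1918 addresses are the point rather than a mistake.
    """
    accepted = {}
    rejections = []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        raw_ip = (row.get("ip") or "").strip()
        try:
            addr = ipaddress.ip_address(raw_ip)
        except ValueError:
            rejections.append((line_no, f"invalid ip {raw_ip!r}"))
            continue
        if not allow_private and is_internal(addr):
            rejections.append((line_no, f"internal address {addr}"))
            continue
        threat_type = (row.get("threat_type") or "").strip().lower()
        if not threat_type:
            rejections.append((line_no, "missing threat_type"))
            continue
        entry = {"ip": str(addr), "threat_type": threat_type,
                 "confidence": normalise_confidence(row.get("confidence"))}
        prev = accepted.get(entry["ip"])
        if prev is None or (CONFIDENCE_RANK[entry["confidence"]]
                            > CONFIDENCE_RANK[prev["confidence"]]):
            accepted[entry["ip"]] = entry
    return list(accepted.values()), rejections
```

Run with the defaults and the sample list yields two accepted indicators (203.0.113.45 as high confidence, 198.51.100.7 defaulted to low) and three rejections at lines 2, 5 and 7; with allow_private=True the two internal addresses are accepted and only the unparseable row is rejected.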
TIF integrates with leading commercial and open-source threat intelligence platforms such as:
Anomali ThreatStream
Recorded Future
MISP (Malware Information Sharing Platform)
These platforms offer dynamic, curated threat data with real-time updates.
Once threat data is ingested, TIF enables automated detection through two main mechanisms:
Ingested IOCs are stored in lookup tables. The names below are the ones this page uses for illustration; confirm the actual lookup and KV Store collection names against the threat intelligence lookup definitions in your own ES instance. Examples:
threat_intel_by_ip
threat_intel_by_email
threat_intel_by_domain
threat_intel_by_file_hash
These lookups are referenced in:
Searches
Dashboards
Correlation rules
Example SPL (appended to a base search whose events carry a src field):
| lookup threat_intel_by_ip ip AS src OUTPUT threat_description, confidence
| search confidence="high"
The lookup adds threat_description and confidence to events whose src appears in the table and leaves those fields null otherwise; the search step then keeps only the high-confidence matches, so the result is the set of events whose source IP matches a high-confidence IOC.
TIF integrates with existing and custom correlation searches, allowing automated alerting when a match occurs.
For example: when the src field of events selected by a correlation search matches an entry in threat_intel_by_ip, a notable event is generated.
TIF includes tools to help you manage and monitor the quality and flow of threat data.
Threat Intelligence Manager: a dashboard in Splunk ES for:
Monitoring feed status
Viewing recent ingestions
Checking IOC activity and aging
It helps ensure your threat intel feeds are running correctly and providing coverage.
TIF stores IOC data in KV Store collections.
These are structured and allow for fast lookups and dynamic updates.
Features of KV Store tables:
Aging: You can configure IOCs to expire after a set time (e.g., 30 days).
Tagging: Each IOC can be enriched with fields like:
source
threat_type
confidence
first_seen
This helps with investigation and reporting.
Threat Match Search: a search interface that compares log data against all available IOCs. Matching runs on scheduled searches, so "real time" here means within the search interval rather than at ingest.
Supports multiple match types: IPs, domains, file hashes, and email addresses.
Example use case:
An analyst can run a threat match search to find all current users communicating with known malware domains.
Enrichment: matched events are enriched with threat metadata, such as:
Threat source (e.g., Recorded Future)
Threat type (e.g., ransomware)
Confidence level (low, medium, high)
This enriched data appears in:
Notable event details
Dashboards
Risk scoring calculations
It gives analysts context to make faster, more informed decisions.
| Component | Description |
|---|---|
| Supported Sources | TAXII feeds, CSV/JSON files, and threat intelligence platforms (MISP, Anomali, Recorded Future, etc.) |
| IOC Integration | Matches threat indicators via lookups and correlation searches |
| Threat Intelligence Manager | Dashboard for managing threat feed health and activity |
| KV Store Tables | Storage for IOCs, supports aging and enrichment |
| Threat Match Search | Real-time detection based on known indicators |
| Enrichment | Adds IOC metadata to matched events for better context and triage |
While the Threat Intelligence Framework (TIF) is commonly used to trigger Notable Events directly when indicators of compromise (IOCs) match, a more scalable and intelligent alternative is to route these matches through Risk-Based Alerting (RBA).
Instead of creating a Notable Event, the match logic can:
Assign a risk score to the user or asset involved
Write the result to the risk index
Let cumulative risk logic in RBA decide whether to escalate to an alert
| lookup threat_intel_by_ip ip AS src OUTPUT threat_type, confidence
| search confidence="high"
| eval risk_object=src, risk_object_type="system", risk_score=20, risk_message="High-confidence ".threat_type." IOC match on ".src
| collect index="risk"
A risk event needs at least risk_object, risk_object_type and risk_score (plus a risk_message for the analyst) or RBA cannot attribute the score to an asset or identity; a bare risk_score written with collect is not usable. In a production correlation search, prefer the Risk Analysis adaptive response action over a raw collect, so the risk event also carries the search name and the rest of the framework's metadata.
This approach supports alert consolidation and prioritization. A single IP match may not trigger an alert, but multiple low-severity IOC matches over time could exceed the risk threshold and trigger escalation via RBA.
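The two patterns this page describes, the lookup-and-match logic from the detection section above and the risk accumulation just described, are shown together below in plain Python as an added example; it is not Splunk code, and the IOC table, the connection events, the per-confidence risk values and the 25-point threshold are constructed for the example. The table is shaped like the page's threat_intel_by_ip lookup; each outbound event's dest is looked up, matches are enriched with the indicator metadata, and then the same matches are handled both ways: one notable per high-confidence hit, or a risk record per hit with escalation only when a host's total crosses the threshold. The values are chosen so a single high-confidence match still escalates on its own, while a host with only medium and low hits escalates only once they stack up, which the notable-per-high-match approach misses entirely.

```python
"""IOC matching with RBA-style risk accumulation (added example, not Splunk code).

Mirrors the SPL above in plain Python: look each event's IP up in an IOC
table, enrich it with the indicator metadata, then either raise a notable per
high-confidence hit or write a risk record and escalate only when a host's
accumulated risk crosses a threshold. The IOC table, the events, the
per-confidence risk values and the threshold are all constructed.
"""
from collections import defaultdict

# Constructed IOC table in the shape of the page's threat_intel_by_ip lookup.
THREAT_INTEL_BY_IP = {
    "203.0.113.45": {"threat_type": "c2",       "confidence": "high",   "source": "partner-feed"},
    "198.51.100.7": {"threat_type": "phishing", "confidence": "medium", "source": "vendor-blocklist"},
    "192.0.2.77":   {"threat_type": "malware",  "confidence": "medium", "source": "vendor-blocklist"},
    "192.0.2.99":   {"threat_type": "scanner",  "confidence": "low",    "source": "osint"},
}

# Constructed outbound connection events (firewall/proxy style).
EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "src": "10.1.1.5",  "dest": "203.0.113.45"},
    {"_time": "2024-05-01T10:05:00Z", "src": "10.1.1.9",  "dest": "198.51.100.7"},
    {"_time": "2024-05-01T10:07:00Z", "src": "10.1.1.9",  "dest": "192.0.2.99"},
    {"_time": "2024-05-01T10:09:00Z", "src": "10.1.1.9",  "dest": "192.0.2.77"},
    {"_time": "2024-05-01T10:10:00Z", "src": "10.1.1.12", "dest": "192.0.2.99"},
    {"_time": "2024-05-01T10:11:00Z", "src": "10.1.1.12", "dest": "8.8.8.8"},
]

# A single high-confidence hit should still cross the threshold on its own;
# lower-confidence hits only escalate when several of them stack up.
RISK_BY_CONFIDENCE = {"low": 5, "medium": 10, "high": 30}
RISK_THRESHOLD = 25


def lookup_events(events, table, match_field):
    """`| lookup threat_intel_by_ip ip AS <match_field> OUTPUT ...` followed by
    `| search confidence=*`: keep only matched events, enriched with IOC fields."""
    matched = []
    for event in events:
        ioc = table.get(event[match_field])
        if ioc is None:
            continue
        enriched = dict(event, **ioc)          # adds threat_type, confidence, source
        enriched["threat_match_field"] = match_field
        matched.append(enriched)
    return matched


def high_confidence_notables(matched, risk_object_field="src"):
    """The page's first pattern: one notable per high-confidence match."""
    return [m[risk_object_field] for m in matched if m["confidence"] == "high"]


def risk_records(matched, risk_object_field="src"):
    """The RBA pattern: risk-index style records (risk_object, risk_object_type,
    risk_score, risk_message) instead of notables."""
    return [{
        "_time": m["_time"],
        "risk_object": m[risk_object_field],
        "risk_object_type": "system",
        "risk_score": RISK_BY_CONFIDENCE[m["confidence"]],
        "risk_message": (f"{m['confidence']}-confidence {m['threat_type']} IOC "
                         f"{m[m['threat_match_field']]} ({m['source']})"),
    } for m in matched]


def risk_objects_over_threshold(records, threshold=RISK_THRESHOLD):
    """Sum risk per object and return only those at or above the threshold."""
    totals = defaultdict(int)
    for r in records:
        totals[r["risk_object"]] += r["risk_score"]
    return {obj: score for obj, score in totals.items() if score >= threshold}
```

On the sample events, five of the six connections match an indicator. The notable-per-high-match path raises exactly one notable (10.1.1.5, the C2 hit); the risk path writes five risk records and escalates two hosts, 10.1.1.5 at 30 and 10.1.1.9 at 25 from three medium/low hits, while 10.1.1.12 with a single low hit stays below the threshold.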
IOC freshness is critical. Old indicators can quickly become stale or irrelevant, especially in fast-moving threat environments.
Splunk ES ages IOCs out of the KV Store collections after a configurable window.
The window is set per threat intelligence source rather than per indicator (the source's maximum-age setting, max_age in its threatlist input stanza, expressed as a relative time such as -7d). Because a source normally carries one indicator type, this gives per-type aging in practice. An indicator that a feed keeps publishing is re-stamped on each download and does not expire while the feed still lists it.
Example policy strategy:
| Indicator Type | Expiry Period |
|---|---|
| IP Address | 7 days |
| Domain Name | 14 days |
| File Hash | 30 days |
| Email IOC | 10 days |
These thresholds reflect how IP-based IOCs go stale quickly (attackers rotate infrastructure, and shared hosting or CDN addresses get reassigned to unrelated tenants) while a file hash identifies the same artifact for as long as it circulates.
Proper aging helps maintain relevance and performance, and reduces false positives from stale indicators.
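Below is the policy from the table applied to a KV Store style collection, as an added example rather than Splunk code. The record layout (type, value, last_seen), the sample records and the fixed clock value are constructed; the expiry periods are the ones in the table, with unknown indicator types falling back to the shortest window. Two choices are worth noting: aging keys off last_seen rather than first_seen, so an indicator that a feed keeps re-publishing is refreshed instead of silently dropping out of detection, and the functions return new lists rather than editing the collection in place, so you can preview what an aging pass would expire before committing it.

```python
"""Per-indicator-type IOC aging (added example, not Splunk code).

Expiry periods come from the table above. The record layout (type, value,
last_seen), the sample records and the clock value are constructed; aging
off last_seen rather than first_seen is this example's choice, so an
indicator that keeps reappearing in a feed is not expired while still active.
"""
from datetime import datetime, timedelta, timezone

EXPIRY_DAYS = {"ip": 7, "domain": 14, "file_hash": 30, "email": 10}
DEFAULT_EXPIRY_DAYS = 7  # unknown indicator types get the shortest window

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)

# Constructed collection contents (the hash is a placeholder, not a real sample).
SAMPLE_IOCS = [
    {"type": "ip",        "value": "203.0.113.45",         "last_seen": "2024-05-01"},
    {"type": "ip",        "value": "198.51.100.7",         "last_seen": "2024-04-20"},
    {"type": "domain",    "value": "bad.example",          "last_seen": "2024-04-20"},
    {"type": "domain",    "value": "c2.example",           "last_seen": "2024-04-25"},
    {"type": "file_hash", "value": "a" * 64,               "last_seen": "2024-04-10"},
    {"type": "email",     "value": "phish@example.net",    "last_seen": "2024-04-20"},
    {"type": "url",       "value": "http://bad.example/x", "last_seen": "2024-04-30"},
]


def is_expired(record, now, policy=EXPIRY_DAYS):
    """True when last_seen is older than the window for the record's type."""
    window = timedelta(days=policy.get(record["type"], DEFAULT_EXPIRY_DAYS))
    last_seen = datetime.fromisoformat(record["last_seen"]).replace(tzinfo=timezone.utc)
    return now - last_seen > window


def age_out(records, now, policy=EXPIRY_DAYS):
    """Split a collection into (kept, expired) without mutating it."""
    kept, expired = [], []
    for r in records:
        (expired if is_expired(r, now, policy) else kept).append(r)
    return kept, expired


def refresh(records, values_seen_now, now):
    """Stamp re-observed indicators with a fresh last_seen (returns a new list)."""
    stamp = now.date().isoformat()
    return [dict(r, last_seen=stamp) if r["value"] in values_seen_now else r
            for r in records]
```

At the constructed clock (2024-05-05) the pass expires the 15-day-old IP, domain and email indicators and keeps the rest, including the 25-day-old hash that is still inside its 30-day window; if the feed re-publishes 198.51.100.7 before the pass, refresh() re-stamps it and it survives.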
After adding threat intel data, it’s important to verify that:
The IOC is correctly indexed or inserted into the KV Store
It is actually being used by correlation searches or lookups
It can be matched against real data
| inputlookup threat_intel_by_ip
| search ip="192.168.100.100"
This confirms that the IOC is present in the lookup table.
index=* src="192.168.100.100"
| lookup threat_intel_by_ip ip AS src OUTPUT confidence
| search confidence=*
This validates that an event matches against the IOC table and that enrichment is working. Use index=* only for a one-off check over a short time range; in normal searches constrain the index so the lookup runs over the intended data source.
Splunk ES also provides the Threat Intelligence Audit dashboard, and the threat intelligence download inputs log to index=_internal; use these to audit IOC ingestion status and download errors.
| Topic | Enhanced Explanation |
|---|---|
| IOC-RBA Integration | IOC matches can raise risk scores instead of generating Notable Events |
| Indicator Type Aging Policies | IOC expiry can be customized per indicator type (IP, domain, hash, email) for optimal freshness |
| IOC Verification Techniques | Test IOC ingestion using SPL, validate match via lookup-based enrichment |
What is the purpose of the Threat Intelligence Framework in Splunk Enterprise Security?
The Threat Intelligence Framework allows ES to ingest, manage, and correlate threat indicators such as malicious IP addresses, domains, and file hashes.
Threat intelligence feeds contain indicators associated with known malicious activity. ES ingests these indicators into lookup tables and compares them against incoming security events. When matches occur, ES can generate alerts or enrich investigations. This framework enables organizations to detect activity related to known threats within their environment.
Demand Score: 86
Exam Relevance Score: 90
What types of indicators are commonly used in threat intelligence feeds?
Common indicators include IP addresses, domain names, URLs, file hashes, and email addresses associated with malicious activity.
These indicators represent observable artifacts from cyber threats. When ES detects events containing these indicators, it flags the activity for investigation. Integrating threat intelligence feeds helps organizations detect threats that have been identified across the broader cybersecurity community.
Demand Score: 84
Exam Relevance Score: 86
How does Splunk ES detect threat intelligence matches?
ES compares incoming event data against threat intelligence lookup tables containing known malicious indicators.
When logs are ingested, ES searches event fields such as IP addresses or domains for matches against stored indicators. If a match occurs, ES can generate alerts or enrich existing notable events with threat intelligence context. This matching process enables proactive detection of known malicious infrastructure.
Demand Score: 82
Exam Relevance Score: 88
Why should threat intelligence feeds be updated regularly?
Regular updates ensure that detection logic uses the most recent threat indicators.
Threat infrastructure changes frequently as attackers rotate domains, IP addresses, and malware artifacts. Updating threat intelligence feeds ensures that ES detection logic reflects current threat intelligence. Stale feeds may cause the system to miss emerging threats or detect outdated indicators.
Demand Score: 78
Exam Relevance Score: 83
How can threat intelligence improve investigation workflows?
Threat intelligence enriches security events with contextual information about known malicious activity.
When ES detects an indicator match, it can attach additional context such as threat category, reputation score, or associated campaigns. This information helps analysts quickly understand the significance of an event and prioritize investigations. Threat intelligence enrichment reduces investigation time and improves detection accuracy.
Demand Score: 76
Exam Relevance Score: 84
What operational risk occurs if threat intelligence feeds are poorly managed?
Poorly managed feeds may introduce outdated or low-quality indicators that generate false positives.
Not all threat intelligence feeds maintain high data quality. If feeds contain unreliable indicators, ES may generate unnecessary alerts when benign systems match those indicators. Administrators should evaluate feed quality and filter indicators when necessary to maintain detection accuracy.
Demand Score: 74
Exam Relevance Score: 81