
Building Threat Intelligence Enrichment in Splunk

Overview

Splunk's Threat Intelligence Framework in Enterprise Security enables SOC teams to automatically correlate indicators of compromise (IOCs) against security events. The framework ingests threat feeds, normalizes indicators into KV Store collections, and uses lookup-based correlation searches to flag matching events. Splunk Threat Intelligence Management centralizes collection, normalization, and enrichment from multiple sources, reducing triage time by providing analysts with immediate context.
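As an added illustration (not code from this skill or from Splunk), the following Python models the normalize-then-correlate flow outside Splunk: a constructed feed is sorted into rows shaped like the ES ip_intel and file_intel collections, then sample events are matched against them the way a lookup-based correlation search would, including CIDR containment for IP ranges. The collection and field names (ip_intel, file_intel, threat_key, weight, threat_match_field) follow ES conventions, but the matching logic and sample data are this example's own assumptions.

```python
import ipaddress
import re
# Hex digests (MD5/SHA-1/SHA-256) and hostnames; event field -> (collection, intel field).
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
FIELD_MAP = {"dest": ("ip_intel", "ip"), "query": ("ip_intel", "domain"),
             "file_hash": ("file_intel", "file_hash")}

def normalize(feed_rows):
    """Map raw feed rows to ES-style KV Store rows; unrecognised values are dropped, not stored."""
    collections = {"ip_intel": [], "file_intel": []}
    for r in feed_rows:
        value = r["indicator"].strip().lower()
        row = {"threat_key": r["source"], "description": r.get("description", ""), "weight": int(r.get("weight", 60))}
        try:
            ipaddress.ip_network(value, strict=False)  # single IP or CIDR range
            collections["ip_intel"].append({**row, "ip": value})
        except ValueError:
            if HASH_RE.match(value):
                collections["file_intel"].append({**row, "file_hash": value})
            elif DOMAIN_RE.match(value):
                collections["ip_intel"].append({**row, "domain": value})
    return collections

def _hits(value, intel_field, row):
    if intel_field == "ip" and "ip" in row:
        try:  # ip rows may be CIDR ranges: match on containment, not string equality
            return ipaddress.ip_address(value) in ipaddress.ip_network(row["ip"], strict=False)
        except ValueError:
            return False
    return row.get(intel_field) == value

def correlate(events, collections):
    """Emulate a lookup-based threat-match search: one record per matching (event, field, row)."""
    matches = []
    for i, ev in enumerate(events):
        for ev_field, (coll, intel_field) in FIELD_MAP.items():
            value = str(ev.get(ev_field, "")).strip().lower()
            for row in collections[coll]:
                if value and _hits(value, intel_field, row):
                    matches.append({"event": i, "threat_match_field": ev_field, "threat_match_value": value,
                                    "threat_collection": coll, "threat_key": row["threat_key"], "weight": row["weight"]})
    return matches

# Constructed sample feed and events (placeholder indicators, not real IOCs).
FEED = [{"indicator": "203.0.113.0/24", "source": "demo_feed", "description": "scanner range", "weight": 80},
        {"indicator": "EVIL.example", "source": "demo_feed"}, {"indicator": "ab" * 32, "source": "demo_feed"},
        {"indicator": "not an indicator", "source": "demo_feed"}]
EVENTS = [{"src": "10.0.0.5", "dest": "203.0.113.77", "query": "evil.example"},
          {"src": "10.0.0.6", "dest": "198.51.100.9"}, {"src": "10.0.0.7", "file_hash": "AB" * 32}]
```

Running `correlate(EVENTS, normalize(FEED))` yields three match records: the first event hits both the CIDR range and the domain, and the third hits the file hash, while the malformed feed entry never reaches a collection.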

When to Use

  • When deploying or configuring threat intelligence enrichment in Splunk in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Splunk Enterprise Security (ES) 7.x or later
  • Threat Intelligence Management add-on or Threat Intelligence Framework
  • API keys for external threat intelligence feeds (MISP, OTX, VirusTotal, AbuseIPDB)
Installs
25
GitHub Stars
6.3K
First Seen
Mar 15, 2026