Splunk
Version Requirement
Splunk: Version 8.2.x
ThreatConnect: Version 6.5.1 or newer
Overview
ThreatConnect® provides three Apps to support the Splunk® integration:
- Technical Add-on (TA) ThreatConnect Threat Intel
- ThreatConnect App for Splunk
- ThreatConnect App for Splunk Gateway
Together, these three Apps integrate ThreatConnect’s intelligence, automation, analytics, and workflows into Splunk. Users can centralize their intelligence, establish process consistency, scale operations, and measure their effectiveness in one place, then use that refined knowledge in Splunk to identify threats targeting their organization and to contain and remediate them with automated processes and workflows.
Key Features
- Customizable data model searches that produce dashboards for analyzing search results.
- Ability to ingest defined Indicators from ThreatConnect via ThreatConnect Query Language (TQL) queries.
- Ability to define Indicator collections with threat intelligence from ThreatConnect.
- Ability to report Indicators that match data model searches as observations in ThreatConnect.
Architecture
Considerations
Users will need an active ThreatConnect Application Programming Interface (API) account to leverage the ThreatConnect App for Splunk.
Once an Organization in ThreatConnect has been licensed for API access, an Organization Administrator will need to create an API User within the Organization before Splunk interfaces with the ThreatConnect API. For instructions on creating an API User, see the “Creating an API User” section of Creating User Accounts.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Splunk® is a registered trademark of Splunk, Inc.