Comparing open source and premium intelligence sources in Splunk Mission Control
External intelligence sources
External intelligence sources provide information about maliciousness through feeds and reports on actors, campaigns, and malware based on external knowledge. Most intelligence sources report data including IP addresses and URLs, and others report malware-focused information, such as MD5, SHA1, and SHA256 hashes. These external intelligence sources can be useful for calibrating the maliciousness of threats in the context of the larger cybersecurity space.
Threat Intelligence Management offers two types of external sources:
| Type of external source | Description | 
|---|---|
| Open source | These intelligence sources are available to anyone without any type of access key or subscription fee. These sources include blogs, RSS feeds, and open APIs. Open sources are less curated and monitored, which can lower the signal-to-noise ratio and provide less value because the burden of data cleanup and analysis largely falls on the end user. | 
| Premium intelligence source | These intelligence sources are closed sources that are available only if you have a paid license or subscription with a third-party provider or if you hold membership in a group such as an ISAC or ISAO. These sources are curated and enriched by the third-party providers and typically supply more value and usable intelligence to the end user. Threat Intelligence Management's premium intelligence sources include both third-party providers and groups like FS-ISAC. | 
External intelligence sources fall into one of the following two categories based on how their information updates:
- Feed-based: Automatically polls the external intelligence source provider for new updates.
- Query-based: Submits a new report and sends queries to the external intelligence source provider.
In Splunk Mission Control, all external intelligence sources are feed-based.
Feed-based sources
A feed-based intelligence source automatically and regularly updates because the source provider streams all of the information without the user requesting updates manually. The update interval can be anywhere from 10 minutes to 24 hours.
Reports in a feed-based data repository can focus on a single observable or multiple observables. Reports usually include multiple observables, their relationships to each other, and their relationships to security events, malware, or threat actors.
See also
You can use intelligence sources to enrich incident data in Splunk Mission Control by activating the sources you want to use. See Activate intelligence source integrations from Splunk Mission Control to import threat intelligence data into Threat Intelligence Management.