Review records from native threat collections in Splunk Enterprise Security

Note: You can see records from native threat collections only if your organization accumulated data in the legacy Threat Intelligence Framework of Splunk Enterprise Security. For information on Threat Intelligence Management (Cloud) versus the Threat Intelligence Framework, see Overview of threat intelligence in Splunk Enterprise Security.
Review data from the legacy Threat Intelligence Framework (TIF) in Splunk Enterprise Security to help you investigate security incidents. Select an observable to see a list of records from TIF KV Store collections that pertain to it. You can select any of the records in that list to see the full content of that record.

Surfacing TIF data in the Intelligence tab lets you review all of the intelligence about an observable in one place, whichever threat intelligence system produced it, so you can investigate faster.
  1. In Splunk Enterprise Security, select Mission Control.
  2. Select an investigation from the analyst queue to open the side panel.
  3. Select View investigation to open the investigation overview page.
  4. Select the Intelligence tab.
  5. Select an observable from the list.
  6. Expand the section called All records from native threat collections. You can select any of these records to find key-value pairs such as domains, IPs, indicators, and metadata.
Note: The Threat Intelligence Management (Cloud) system also creates records in the TIF KV Store collections for every observable present in an active threatlist. Information shown in the observable details section is not repeated in the native threat collection section.
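The records shown under All records from native threat collections are the same rows stored in the TIF KV Store collections, so you can also inspect them from the Search page, which is useful when you want to confirm what an observable matched without opening Mission Control. The following searches are added examples and are not from the Splunk documentation; they assume the IP intelligence collection is exposed as the `ip_intel` lookup and that each record carries a `threat_key` field naming the threatlist it came from (check the actual field names on your deployment with `| inputlookup ip_intel | head 1`). The IP address is a constructed example value.

```spl
| inputlookup ip_intel where ip="203.0.113.10"

| inputlookup ip_intel
| stats count by threat_key
```

The first search returns every native threat collection record for one observable, including the metadata key-value pairs you see in the investigation. The second shows which threatlists, including those populated by Threat Intelligence Management (Cloud), are contributing records to the collection. Domain, file, and other observable types have their own collections (for example `domain_intel`), so substitute the collection and key field that match the observable you are investigating.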