Threat intelligence KV Store collections in Splunk Enterprise Security
Splunk Enterprise Security uses dedicated key-value (KV) collections to store and manage threat intelligence indicators for enrichment, detections, and investigation workflows. Each collection organizes threat data by type, allowing fast lookups and consistent normalization across the Splunk platform.
Threat Intelligence Management maintains and optimizes these collections through automatic retention controls and storage limits that help keep Splunk Enterprise Security performing efficiently.
The following table describes the KV collections used to store threat intelligence in Splunk Enterprise Security.
| KV Collection | Description |
|---|---|
| certificate_intel | Stores certificate-based indicators, such as certificate fingerprints and related metadata. |
| email_intel | Contains email address indicators used for phishing and sender reputation detection. |
| file_intel | Stores file hash indicators, such as MD5, SHA1, SHA256, and related file metadata to support malware identification. |
| http_intel | Contains URL and HTTP-based indicators used for detecting malicious or suspicious web activity. |
| ip_intel | Stores IP address and CIDR-based indicators for correlating network traffic against known threats. |
| process_intel | Contains process-related threat indicators, such as suspicious process names or executable paths. |
| registry_intel | Stores registry key indicators used to detect persistence mechanisms or unauthorized system changes. |
| service_intel | Contains indicators related to suspicious system services or service configurations. |
| user_intel | Stores user account–level indicators, such as known compromised usernames or anomalous accounts. |
Data retention and storage limits
Threat Intelligence Management applies retention and storage boundaries to ensure that KV collections remain optimized for performance and do not grow beyond manageable limits.
- Time-based retention: 60 days
- Data size limit: 0.5 GB per collection
Splunk Enterprise Security automatically removes older indicators when they exceed retention or size thresholds. This helps ensure that threat data remains up-to-date, improves lookup speed, and prevents overconsumption of storage resources.