Cyware Intel Exchange App for Splunk – v4
Notice
Upgrade Notes: If you are upgrading from a version earlier than 4.0.0, direct upgrades are not supported. For detailed instructions, see Upgrade Notes.
The Cyware Intel Exchange Add-on for Splunk integrates Cyware Intel Exchange into your Splunk environment to support detection, correlation, and response workflows. It ingests indicators into a KV Store–based architecture, enabling efficient lookup, lifecycle management, and field-based correlation against Splunk events. The add-on supports multi-account configurations and provides operational capabilities that allow security teams to act on intelligence directly from Splunk.
This integration with Splunk offers the following capabilities:
Ingest threat indicators from one or more Cyware instances into Splunk.
Correlate indicators with Splunk events using field-based matching to identify sightings.
Enrich detections in Splunk Enterprise Security with Cyware intelligence.
Perform workflow actions such as creating indicators, updating status, managing allowlists, adding tags, creating tasks, and attaching notes.
Ingest indicators in bulk from Splunk indexes, data models, and lookups with automation support.
Automatically migrate legacy index-based data to KV Store lookups.
Automatically delete expired indicators to maintain data hygiene.
Monitor ingestion and correlation activity using prebuilt Indicator and Correlation Overview dashboards.
After you configure the add-on, Splunk begins polling indicators from Cyware Intel Exchange using the configured KV Store collections. The add-on automatically stores and updates indicator values in indicator-type–specific KV Store lookups, ensuring that the latest intelligence is available for correlation and detection.
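The following SPL searches are an added illustration of the field-based correlation described above; they are not part of the add-on's documentation or shipped content. The lookup name cyware_ip_indicators, its fields value and status, and the index and sourcetype searched are all assumptions for the example; substitute the lookup definitions and field names the add-on actually creates in your environment.

```spl
| inputlookup cyware_ip_indicators
| stats count BY status

index=firewall sourcetype=pan:traffic earliest=-24h
| lookup cyware_ip_indicators value AS src_ip OUTPUT value AS matched_indicator status AS indicator_status
| where isnotnull(matched_indicator)
| stats count AS sightings, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, indicator_status
| convert ctime(first_seen) ctime(last_seen)
```

The first search confirms the KV Store lookup is populated and shows how many indicators are in each status before you rely on it. The second search joins each event's src_ip against the indicator value field, keeps only events that matched, and summarises them as sightings with first and last seen times; the where clause matters because lookup leaves non-matching events in the result set with the OUTPUT fields empty.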
To get started with the add-on, refer to the following sections:
Configure Add-on: Set up the integration between Cyware Intel Exchange and Splunk to enable the ingestion and correlation of threat intelligence data. For more information, see Configure the Intel Exchange App.
Use Actions: Perform actions on indicators, such as updating status, applying tags or allowlists, creating tasks, and adding notes to support operational workflows. For more information, see Manage Indicators Using Actions.
View Data: Access dashboards to monitor indicators and analyze threat intelligence within your Splunk environment. For more information, see View Dashboards.
Upgrade Notes
You cannot upgrade directly from versions earlier than 4.0.0 because of architectural changes. You must perform a new installation of the Intel Exchange add-on v4.0.0.
Steps
To upgrade from a version prior to 4.0.0, follow these steps:
1. Uninstall the existing Intel Exchange add-on from your Splunk instance.
2. Follow the installation instructions for v4.0.0 and configure your account, inputs, and correlation settings. For more information, see Configure the Intel Exchange App.
3. If indicator data exists from the previous version, the add-on automatically migrates it using the saved search cyware_index_to_kvstore_migration. This search runs every 10 minutes, transfers data to the new KV Store lookups, and disables itself upon successful completion.
Note
Do not modify or execute this saved search manually.
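To verify that the migration has finished without touching the saved search, you can read its state and its scheduler history. These two searches are an added example, not part of the add-on's documentation; they rely only on Splunk's standard REST endpoint for saved searches and the scheduler logs in _internal, and on the saved search name given above.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search title="cyware_index_to_kvstore_migration"
| table title, disabled, cron_schedule, next_scheduled_time

index=_internal sourcetype=scheduler savedsearch_name="cyware_index_to_kvstore_migration"
| stats count AS runs, latest(status) AS last_status, latest(result_count) AS last_result_count, max(_time) AS last_run BY savedsearch_name
| convert ctime(last_run)
```

A disabled value of 1 in the first search indicates the migration completed and the search switched itself off, as described above; while it is still 0 the second search shows how many ten-minute runs have occurred, whether the last run succeeded, and when it ran. Read-only checks like these are the safe way to monitor progress, since the note above says the search must not be edited or run by hand.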