Manage Indicators Using Actions
Workflow actions enable you to interact with the Cyware Intel Exchange platform directly from Splunk. Using these actions, you can manage indicators, update statuses, add notes or tags, and more to support threat investigation and incident response workflows. The following actions are supported:
Add Indicator to Allowlist
Use this workflow action to add indicators to the Intel Exchange allowlist so they are not flagged as malicious. When you add an indicator to the allowlist, Intel Exchange treats it as benign and does not trigger alerts or correlations. You can use this action to allowlist known-good indicators such as internal IP addresses, legitimate domains, or trusted file hashes.
Steps
To add an indicator to the allowlist, follow these steps:
From the Actions dropdown, select Add Indicator to Allowlist.
Use the following information:
Indicator Value: Enter the value of the indicator that you want to add to the allowlist. For example, 192.168.1.1.
Indicator Type: Select the appropriate indicator type. For example, IPv4 Address.
Reason for Adding to Allowlist: Enter a reason for adding the indicator to the allowlist. The default value is Added from Splunk.
Splunk Account: Select the account configured with Cyware Intel Exchange credentials.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
Add New Indicator
Use this workflow action to create a new indicator in Cyware Intel Exchange directly from Splunk. When you add an indicator, you can include metadata that provides context and classification for it, which helps you share threat intelligence with your organization.
Steps
To add a new indicator, follow these steps:
From the Actions dropdown, select Add New Indicator.
Provide the following information:
Title: Enter a descriptive title for the indicator. The default value is Added from Splunk.
Indicator Type: Select the type of indicator. For example, IPv4 Address.
Indicator Value: Enter the value of the indicator. For example, 192.168.1.1.
Confidence: Enter a confidence score between 0 and 100 to indicate the reliability of the indicator. The default value is 100.
TLP: Select the appropriate Traffic Light Protocol classification. The default value is AMBER.
Tags: Enter comma-separated tags to categorize the indicator.
Note
The tag created_from_splunk is automatically added to indicators created using this workflow action.
Deprecates after (in days): Enter the number of days after which the indicator is automatically deprecated. The default value is 180.
Splunk Account: Select the account configured with Cyware Intel Exchange credentials.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
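As an added example, not code from the Cyware app, the following Python shows how the Add New Indicator form inputs described above could be checked and assembled into a request before submission: the value is verified against the selected Indicator Type, Confidence is kept within 0 to 100, TLP defaults to AMBER, created_from_splunk is appended to the tags, and the deprecation date is derived from Deprecates after. The payload keys, the TLP set, the type labels other than IPv4 Address and the helper names are assumptions.

```python
"""Validate and assemble an Add New Indicator request from the form inputs.
Added example, not the Cyware app's own code: payload keys, the TLP set,
the non-IPv4 type labels and the helper names are assumptions."""
import ipaddress
import re
from datetime import date, timedelta

TLP_LEVELS = {"RED", "AMBER", "GREEN", "WHITE"}  # assumed; page states only the AMBER default
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})+$")


def matches_type(value: str, indicator_type: str) -> bool:
    """True if the value is well-formed for the selected Indicator Type."""
    if indicator_type == "IPv4 Address":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if indicator_type == "Domain":  # assumed type label
        return bool(DOMAIN_RE.match(value))
    if indicator_type == "SHA256":  # assumed type label
        return bool(SHA256_RE.match(value))
    raise ValueError(f"unsupported indicator type: {indicator_type}")


def build_indicator(value, indicator_type, title="Added from Splunk", confidence=100,
                    tlp="AMBER", tags="", deprecate_after_days=180, today=None):
    """Apply the form's defaults and checks and return the request payload."""
    if not matches_type(value, indicator_type):
        raise ValueError(f"{value!r} is not a valid {indicator_type}")
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be between 0 and 100")
    if tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP level: {tlp}")
    if deprecate_after_days < 1:
        raise ValueError("Deprecates after must be at least one day")
    # Split the comma-separated tags; the action always adds created_from_splunk once.
    tag_list = [t.strip() for t in tags.split(",") if t.strip()]
    if "created_from_splunk" not in tag_list:
        tag_list.append("created_from_splunk")
    today = date.fromisoformat(today) if today else date.today()  # ISO string or None
    return {"title": title, "type": indicator_type, "value": value,
            "confidence": int(confidence), "tlp": tlp, "tags": tag_list,
            "deprecates_on": (today + timedelta(days=deprecate_after_days)).isoformat()}
```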
Add Indicators in Bulk from Data Source
Use this workflow action to ingest multiple indicators from Splunk data sources into Cyware Intel Exchange. You can extract indicators from indexes, Common Information Model (CIM) data models, custom data models, or lookup files and optionally enable automated ingestion to continuously sync indicators with Intel Exchange.
Steps
To add indicators in bulk from a data source, follow these steps:
From the Actions dropdown, select Add Indicators in Bulk from Data Source.
In the Type field, select the data source type. Supported options include Index, CIM, Custom Datamodel, and Lookup.
In Splunk Account, select the account configured with Cyware Intel Exchange credentials.
In the Details for type section, use the following information to configure the source based on the selected type:
Lookup
Lookup Name: Select the lookup file that contains the indicators.
Field of Indicator: Enter the column that contains the indicator values.
Index
Index Name: Select the Splunk index that contains the indicators.
Sourcetype: Select a source type to filter events.
Field of Indicator: Enter the field that contains the indicator values.
CIM
CIM Data Model Name: Select the CIM data model.
Field Name: Select the field that contains the indicator values.
Custom Datamodel
Data Model Name: Select the custom data model.
Field Name: Enter the field containing the indicator values using the full path format: DataModel.SubDataModel.DataSet.FieldName.
In the Metadata of Indicators section, provide the following information:
Source Name: Enter a name for this bulk source.
Description: Enter a description for the indicator set.
TLP: Select the Traffic Light Protocol classification. The default value is AMBER.
Confidence Score: Enter a confidence value between 0 and 100. The default value is 100.
Tags: Enter comma-separated tags.
Collection Name: Specify the collection in which the indicators are stored. The default value is Splunk Collection.
In the Automation Settings section, if required, configure automated ingestion using the following information:
Select Enable Automated Ingestion to periodically sync indicators from the selected source.
In Automation Source Name, enter a unique name for the automation rule.
Tip
Use a unique Automation Source Name for each source to avoid conflicts in checkpointing.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
Add Note to Indicator
Use this workflow action to add notes to indicators in Cyware Intel Exchange. Notes help you document investigation findings, provide context about indicators, and share information with other analysts.
Steps
To add a note to an indicator, follow these steps:
From the Actions dropdown, select Add Note to Indicator.
Use the following information:
Indicator ID: Enter the Intel Exchange indicator ID in UUID format. You can obtain the indicator ID from the Correlation Overview dashboard.
Note Content: Enter the note that you want to add to the indicator. You can document investigation findings, record analyst decisions, or provide additional context about the indicator.
Splunk Account: Select the account configured with Cyware Intel Exchange credentials.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
Get/Update Allowed Indicators
Use this workflow action to view and manage indicators in the allowlist of Cyware Intel Exchange. You can retrieve the list of indicators, review details such as who added them and when, and remove indicators from the allowlist if required.
Steps
To view or update allowed indicators, follow these steps:
From the Actions dropdown, select Get/Update Allowed Indicators.
In Splunk Account, select the account configured with Cyware Intel Exchange credentials.
Click Submit to retrieve the list of allowlisted indicators.
Review the indicators displayed in the results. The list includes the indicator value, type, the user who added it, and the timestamp when it was added.
To remove an indicator from the allowlist, locate the indicator in the results and click Click me to Remove in the Action column.
After you submit the request or remove an indicator, you can view the status of the operation in the results.
Add/Remove Tags from Indicator
Use this workflow action to add or remove tags from indicators in Cyware Intel Exchange. Tags help classify and organize indicators, making them easier to search, filter, and manage during threat investigations.
Steps
To add or remove tags, follow these steps:
From the Actions dropdown, select Add/Remove Tags from Indicator.
Use the following information:
Indicator ID: Enter the Intel Exchange indicator ID in UUID format.
Splunk Account: Select the account configured with Cyware Intel Exchange credentials.
Action: Select the action you want to take:
Select Add Tags to assign new tags to the indicator.
Select Remove Tags to remove existing tags from the indicator.
Tags: Based on the selected action, select the tags:
Select Tags to Add: Choose one or more tags to add to the indicator.
Select Tags to Remove: Choose one or more tags currently assigned to the indicator that you want to remove.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
Update Indicator Status
Use this workflow action to update the status of indicators in Cyware Intel Exchange. You can change the indicator status during its lifecycle.
Steps
To update the status of an indicator, follow these steps:
From the Actions dropdown, select Update Indicator Status.
Use the following information:
Indicator ID: Enter the indicator ID in UUID format.
Indicator Status: Select the status action you want to apply. Available options are Deprecate, Undeprecate, Mark False Positive, Unmark False Positive, Manual Review, and Manually Reviewed.
If you select Undeprecate, enter the number of days in Undeprecate Until (in days) to specify how long the indicator should remain active before it is deprecated again. The default value is 180.
Splunk Account: Select the account configured with Cyware Intel Exchange credentials.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
Create Task in Intel Exchange
Use this workflow action to create and assign tasks for indicators in Cyware Intel Exchange. Tasks help you track investigation progress, assign responsibilities to analysts, and manage remediation activities associated with specific indicators.
Steps
To create a task for an indicator, follow these steps:
From the Actions dropdown, select Create Task in Intel Exchange.
Use the following information:
Indicator ID: Enter the indicator ID in UUID format.
Task Description: Enter a description of the task.
Priority: Select the priority level for the task.
Status: Select the initial task status. The default value is Not Started.
Deadline: Enter the number of days within which the task should be completed. The default value is 10.
Assignee: Select a user to assign the task. To create an unassigned task, select None.
Splunk Account: Select the account configured with Cyware Intel Exchange credentials.
Click Submit.
After you submit the request, you can view the status of the operation in the results.
Frequently Asked Questions (FAQs)
The following Cyware Intel Exchange API endpoints are used by Splunk to perform workflow actions on indicators:
| Method | Endpoint | Description |
|---|---|---|
| GET | | Verifies connectivity between Splunk and Intel Exchange |
| GET | | Retrieves enrichment and relationship data for indicators |
| GET | | Retrieves the Saved Result Set rules configured in Intel Exchange |
| GET | | Retrieves details for indicators stored in Intel Exchange |
| GET | | Retrieves details for a specific indicator |
| GET | | Retrieves the list of available tags that can be associated with indicators |
| GET | | Retrieves indicators that are currently present in the allowlist |
| POST | | Adds notes to indicators for tracking and collaboration |
| POST | | Creates tasks associated with indicators to support operational workflows |
| POST | | Creates new tags in Intel Exchange |
| POST | | Ingests or creates new indicator records in Intel Exchange |
| POST | | Adds one or more tags to indicators from Splunk |
| POST | | Removes tags from indicators through bulk actions |
| POST | | Performs bulk operations on indicators |
| POST | | Looks up existing indicators and creates new indicators in bulk when they do not exist |
| POST | | Adds indicators to the allowlist to prevent them from being flagged during analysis |
| POST | | Performs operations on indicators present on the allowlist |
| POST | | Creates a STIX-formatted indicator with associated metadata in Intel Exchange |