Splunk App Install, Configure, and Upgrade

This section describes how to install and configure the IntSights App for Splunk, an external app.

The following table shows the minimum server requirements:

Splunk Enterprise8.1.x, 8.2.x, 9.0.x
Operating systemLinux or Windows
System requirements- 12 core and 12 GB (minimum suggested by Splunk)- 16 core and 32 GB (recommended for optimal performance)
Supported Splunk deploymentsStandalone environment, Splunk Cloud (v2.0.0 or later), Splunk Distributed Deployment, or Splunk ES

Threat Command subscriptions

To integrate Threat Command data, you must have valid Threat Command subscriptions:

To integrate thisYou need a subscription to this Threat Command module
AlertsThreat Command
VulnerabilitiesVulnerability Risk Analyzer

Version updates

The following table shows version updates:

VersionChange description
2.4.0Added a Macros Configuration page to update macros. Added an "IOC Status" filter in IOCs input configuration page to collect IOC data according to selected IOC status. Added an IOC search filter and First Match Time column in the Correlation Details dashboard. Updated the IOCs retirement logic to consider IOCLastSeen field for retirement. Removed the "Verify SSL Certificate" checkbox from configuration page. Updated the retirement policy of IOCs for IOC type IP, Email, and Hash. Added a default value for the index field while creating the input. Made the Start date and Report date noneditable while editing input. Enhanced the log messages.
2.3.0Replaced the V1 whitelist endpoint with the V2 whitelist endpoint. Updated the Correlation Details dashboard to reflect the result count in the panel.
2.2.1Added the codependency on correlated time for the filters on the Correlation Details Dashboard.
2.2Modified the limit value for IOCs v2 route to 1000. Added co-dependency for the filters in IOC Correlation Details Dashboard. Enhanced the IOC correlation logic to improve performance. Added support for "PendingEnrichment" severity type for IOCs.
2.1Updated the IOC Splunk route from v1 to v2. Using the tags instead of Systemtags in knowledge objects and dashboards.
2.0Provided action field support on the Correlation dashboard for IOCs. Modified the IOC correlation saved searches to use stats command instead of table command. Migrated the TA with the latest AOB v4.1
1.3Support of Splunk Enterprise Security (ES) Support for Splunk v8.2.x New macro for creating alerts within Splunk on newly added Threat Command alerts. New macro for creating alerts within Splunk for correlated vulnerabilities.
1.2Added support for Threat Command Alerts and Vulnerabilities. Added macro to disable outgoing tags and comments for correlated IOCs.
1.1Filters were added to the Correlation Overview and Correlation Details dashboards. The Correlation Details dashboard shows many more details, and enables simple viewing of IOCs in the Threat Command IOCs page. Enhanced custom alert options. Bug fixes. Support for Splunk v8.1.x
1.0.2Minor bug fixes.
1.0.1IOCs are "retired" from the app, based on their last update date. Retired IOCs are not stored in Splunk and are not part of the correlation searches.

Before you can use the external app with Threat Command you need to add it.

Add external app

Before using an external app, you must add it. There are two parts to adding an app:

  • Your admin must enable the app for you to add.
  • After that, you add the external app.

To add an external app:

  1. From the main menu, select Automation > Integrations.
  2. From the Integrations page, click External.
    temporary placeholder
  3. Click Add new device.
  4. Select the Device type.
    A default name is added. If the external device to add isn't displayed, ask your admin to enable it for you.
  5. Click Add.

The new device is added.

Installing the IntSights Splunk App

The Splunk app can be installed as a cloud or an on-premises installation. Installation requires the Threat Command account ID and API key. This enables the Splunk app to connect with your Threat Command instance.


  • You have the Threat Command  account ID and API key, as described in API key and account ID.
  • You must be able to authenticate with Splunk Enterprise as an administrator.
  • You must have access to the Splunk App Store (for cloud installation) or the Splunkbase (for on-premises installation).

To install the IntSights Splunk App in the cloud:

  1. Log in to theSplunkbase store.https://store.servicenow.com/
  2. Download the IntSights Splunk App.
  3. To complete the installation, contact Splunk support.

The application is installed.

To install the IntSights Splunk App as an on-premises application:

  1. Log in to the Splunkbase.
  2. Download the IntSights Splunk App.
  3. Install, using either of the following methods:
    • Extract the ZIP file $SPLUNK_HOME/etc/apps/ folder
    • Install from the UI:
      1. From Splunk Enterprise, chooseApps > Manage Apps.
      2. Click Install app from file.
      3. Click Choose file and select the IntSights Splunk App installation file.
      4. Click Upload.
      5. Restart Splunk Enterprise.
Topologies according to the environment:
  1. Standalone Mode

* Install the IntSights Splunk App for Splunk.

* Configure an account and create modular input.

  1. Distributed Environment

* Install the IntSights Splunk App for Splunk on the Search Head, Indexer

and On-Premise/IDM/UF/HF.

* Configure an account on both Forwarder and Search Head.

* Create modular input only on Forwarder.

Note that for the distributed environment, only Forwarder indexes will be shown in the input configuration page.

The application is installed.

Configuring the IntSights Splunk App for Splunk account, proxy, and logging

After installation, you must configure the account. You can also configure the proxy (optional) and logging (optional).


  • The IntSights Splunk App for Splunk must be installed.

To configure the account, proxy, and logging:

  1. Log in to Splunk Enterprise as a system administrator.
  2. Select IntSights Splunk App for Splunk > Setup > Configuration.
    temporary placeholder
  3. In the Account  tab, enter the Threat Command account ID and API key.
  4. (Optional) To verify the SSL certificate, select that option.
  5. Click Save.
  6. (Optional) To set up the proxy, proceed as follows:
    1. Click the Proxy  tab.
    2. Enable the proxy and enter the required values.
    3. Click Save.
  7. (Optional) To set up logging, proceed as follows:
    1. Click the Logging  tab.
    2. Select the log level.
    3. Click Save.

The IntSights App for Splunk User Guide

Click here to download the IntSights App for Splunk User Guide.