Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular inputs, and the Threat Intelligence Framework.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionbuilding-threat-intelligence-enrichment-in-splunkExecute the skills CLI command in your project's root directory to begin installation:
Fetches building-threat-intelligence-enrichment-in-splunk from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate building-threat-intelligence-enrichment-in-splunk. Access via /building-threat-intelligence-enrichment-in-splunk in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | building-threat-intelligence-enrichment-in-splunk |
| description | Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular inputs, and the Threat Intelligence Framework. |
| domain | cybersecurity |
| subdomain | soc-operations |
| tags | - splunk - threat-intelligence - enrichment - ioc - lookup - siem - soc - enterprise-security |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - DE.CM-01 - DE.AE-02 - RS.MA-01 - DE.AE-06 |
Splunk's Threat Intelligence Framework in Enterprise Security enables SOC teams to automatically correlate indicators of compromise (IOCs) against security events. The framework ingests threat feeds, normalizes indicators into KV Store collections, and uses lookup-based correlation searches to flag matching events. Splunk Threat Intelligence Management centralizes collection, normalization, and enrichment from multiple sources, reducing triage time by providing analysts with immediate context.
External TI Sources (STIX/TAXII, CSV, API)
|
v
Modular Inputs (download and parse feeds)
|
v
KV Store Collections (normalized IOC storage)
|-- ip_intel
|-- domain_intel
|-- file_intel
|-- url_intel
|-- email_intel
|
v
Threat Intelligence Lookups
|
v
Correlation Searches (match events against IOCs)
|
v
Notable Events (enriched with TI context)
# inputs.conf - TAXII feed configuration
[threatlist://taxii_feed_example]
description = TAXII 2.1 Threat Feed
type = taxii
url = https://threatfeed.example.com/taxii2/
collection = threat-indicators-v21
polling_interval = 3600
api_key = <encrypted_api_key>
disabled = false
# inputs.conf - CSV threat list
[threatlist://custom_blocklist]
description = Internal threat blocklist
type = csv
url = https://internal.company.com/threat-feeds/blocklist.csv
polling_interval = 1800
disabled = false
# bin/threatfeed_otx.py - OTX AlienVault feed collector
import json
import sys
import requests
from splunklib.modularinput import Script, Scheme, Argument, Event
class OTXFeedInput(Script):
def get_scheme(self):
scheme = Scheme("OTX AlienVault Feed")
scheme.description = "Collects IOCs from AlienVault OTX"
scheme.use_external_validation = False
scheme.streaming_mode = Scheme.streaming_mode_xml
api_key_arg = Argument("api_key")
api_key_arg.data_type = Argument.data_type_string
api_key_arg.required_on_create = True
scheme.add_argument(api_key_arg)
pulse_days_arg = Argument("pulse_days")
pulse_days_arg.data_type = Argument.data_type_number
pulse_days_arg.required_on_create = False
scheme.add_argument(pulse_days_arg)
return scheme
def stream_events(self, inputs, ew):
for input_name, input_item in inputs.inputs.items():
api_key = input_item["api_key"]
pulse_days = int(input_item.get("pulse_days", 30))
headers = {"X-OTX-API-KEY": api_key}
url = f"https://otx.alienvault.com/api/v1/pulses/subscribed?modified_since={pulse_days}d"
try:
response = requests.get(url, headers=headers, timeout=60)
response.raise_for_status()
data = response.json()
for pulse in data.get("results", []):
for indicator in pulse.get("indicators", []):
event = Event()
event.stanza = input_name
event.data = json.dumps({
"indicator": indicator["indicator"],
"type": indicator["type"],
"pulse_name": pulse["name"],
"pulse_id": pulse["id"],
"description": indicator.get("description", ""),
"created": indicator.get("created", ""),
"threat_source": "OTX",
"confidence": pulse.get("adversary", "unknown"),
})
ew.write_event(event)
except requests.RequestException as e:
ew.log("ERROR", f"OTX feed collection failed: {str(e)}")
if __name__ == "__main__":
sys.exit(OTXFeedInput().run(sys.argv))
# collections.conf
[ip_threat_intel]
field.ip = string
field.threat_type = string
field.confidence = number
field.source = string
field.description = string
field.first_seen = time
field.last_seen = time
field.severity = string
[domain_threat_intel]
field.domain = string
field.threat_type = string
field.confidence = number
field.source = string
field.whois_registrar = string
field.whois_created = string
[file_hash_intel]
field.file_hash = string
field.hash_type = string
field.malware_family = string
field.confidence = number
field.source = string
field.detection_names = string
# transforms.conf
[ip_threat_intel_lookup]
external_type = kvstore
collection = ip_threat_intel
fields_list = ip, threat_type, confidence, source, description, severity
[domain_threat_intel_lookup]
external_type = kvstore
collection = domain_threat_intel
fields_list = domain, threat_type, confidence, source
[file_hash_intel_lookup]
external_type = kvstore
collection = file_hash_intel
fields_list = file_hash, hash_type, malware_family, confidence, source
| tstats summariesonly=true count from datamodel=Network_Traffic
where All_Traffic.action=allowed
by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, _time span=5m
| rename "All_Traffic.*" as *
| lookup ip_threat_intel_lookup ip as dest_ip OUTPUT threat_type, confidence, source as ti_source, severity as ti_severity
| where isnotnull(threat_type)
| lookup asset_lookup ip as src_ip OUTPUT asset_name, asset_owner, asset_priority
| eval urgency=case(
ti_severity=="critical" AND asset_priority=="critical", "critical",
ti_severity=="high" OR asset_priority=="critical", "high",
ti_severity=="medium", "medium",
true(), "low"
)
| eval description="Connection from ".src_ip." (".asset_name.") to known malicious IP ".dest_ip." (".threat_type.") - Source: ".ti_source
index=dns sourcetype=stream:dns query_type=A OR query_type=AAAA
| lookup domain_threat_intel_lookup domain as query OUTPUT threat_type as domain_threat, confidence as domain_confidence, source as ti_source
| where isnotnull(domain_threat) AND domain_confidence > 70
| stats count dc(src_ip) as unique_sources values(src_ip) as source_ips by query, domain_threat, ti_source
| eval severity=case(domain_confidence > 90, "critical", domain_confidence > 70, "high", true(), "medium")
| eval description="DNS queries to malicious domain ".query." from ".unique_sources." hosts - Threat: ".domain_threat
index=endpoint sourcetype=sysmon EventCode=1
| lookup file_hash_intel_lookup file_hash as Hashes OUTPUT malware_family, confidence as hash_confidence, source as ti_source
| where isnotnull(malware_family)
| stats count values(ParentCommandLine) as parent_commands by Computer, User, Image, malware_family, ti_source
| eval severity="critical"
| eval description="Known malware ".malware_family." executed on ".Computer." by ".User." - Binary: ".Image
index=firewall sourcetype=pan:traffic action=allowed
| eval indicators=mvappend(src_ip, dest_ip)
| mvexpand indicators
| lookup ip_threat_intel_lookup ip as indicators OUTPUT threat_type as ip_threat, confidence as ip_confidence, source as ip_ti_source
| lookup geo_ip_lookup ip as indicators OUTPUT country, city, latitude, longitude
| lookup whois_lookup ip as indicators OUTPUT org as ip_org, asn as ip_asn
| where isnotnull(ip_threat)
| stats count
values(ip_threat) as threat_types
values(ip_ti_source) as intel_sources
values(country) as countries
values(ip_org) as organizations
latest(_time) as last_seen
earliest(_time) as first_seen
by src_ip, dest_ip, dest_port
| eval enrichment_context="Threat: ".mvjoin(threat_types, ", ")." | Geo: ".mvjoin(countries, ", ")." | Org: ".mvjoin(organizations, ", ")
| inputlookup ip_threat_intel_lookup
| stats count by source, threat_type
| sort -count
| head 20
| inputlookup ip_threat_intel_lookup
| eval age_days=round((now() - strptime(last_seen, "%Y-%m-%dT%H:%M:%S")) / 86400, 0)
| stats count avg(age_days) as avg_age_days max(age_days) as max_age_days by source
| eval status=case(avg_age_days > 30, "STALE", avg_age_days > 7, "AGING", true(), "FRESH")
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
building-threat-intelligence-enrichment-in-splunk has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for building-threat-intelligence-enrichment-in-splunk matched our evaluation — installs cleanly and behaves as described in the markdown.
building-threat-intelligence-enrichment-in-splunk is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Useful defaults in building-threat-intelligence-enrichment-in-splunk — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: building-threat-intelligence-enrichment-in-splunk is focused, and the summary matches what you get after install.
building-threat-intelligence-enrichment-in-splunk reduced setup friction for our internal harness; good balance of opinion and flexibility.
I recommend building-threat-intelligence-enrichment-in-splunk for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
I recommend building-threat-intelligence-enrichment-in-splunk for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
building-threat-intelligence-enrichment-in-splunk reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added building-threat-intelligence-enrichment-in-splunk from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 31