Use the Splunk Lookup Action for ThreatQ to Enrich Indicators and Create Events

  • November 12, 2025

Problem

Analysts often need to correlate indicators of compromise (IOCs) across multiple systems to confirm threats and understand context. Without automation, this process can be time-consuming and fragmented.


Objective

This article explains how to use the Splunk Lookup Action for ThreatQ to query Splunk for logs related to a given IOC, enrich ThreatQ objects, and optionally create events based on related sightings.


Step-by-Step Solution

1. Overview

The Splunk Lookup Action allows analysts to perform direct lookups in Splunk from ThreatQ, retrieving contextual log data for a given indicator.

  • Queries Splunk for relevant log entries associated with the IOC.

  • Optionally creates events in ThreatQ based on related sightings.

  • Enhances investigation workflows by providing richer context for faster, more informed decision-making.


2. Key Capabilities

  • Splunk Lookup – Executes a lookup within Splunk to locate logs related to the submitted indicator.

  • Optional Event Creation – Can automatically create ThreatQ events based on sightings discovered in Splunk.


3. Supported Indicator Types

The action supports the following indicator types:

  • CVE

  • FQDN

  • IP Address

  • IPv6 Address

  • MD5

  • SHA-1

  • SHA-256

  • SHA-384

  • SHA-512

  • URL
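As an added illustration (not part of this article or of ThreatQ's own code), a hypothetical pre-check that classifies candidate indicators into the types listed above, so that only values the action supports are submitted and the rest are flagged for review. The type labels mirror the list; the regexes, function names and sample input are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hash types the Splunk Lookup Action accepts, keyed by hex digest length.
HASH_TYPES = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD, <=253 chars total.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$")


def classify_indicator(value: str):
    """Return the supported indicator type for ``value``, or None if the
    Splunk Lookup Action does not accept it. Hypothetical helper, not ThreatQ code."""
    v = value.strip()
    if not v:
        return None
    if CVE_RE.match(v):
        return "CVE"
    # Let the standard library handle IPv4/IPv6 syntax, including compressed IPv6.
    try:
        addr = ipaddress.ip_address(v)
        return "IP Address" if addr.version == 4 else "IPv6 Address"
    except ValueError:
        pass
    # Hashes: pure hex with one of the supported digest lengths.
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    # URL: require both a scheme and a host so bare domains are not mislabelled.
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return "URL"
    if FQDN_RE.match(v):
        return "FQDN"
    return None


def partition_for_lookup(values):
    """Split a batch into (supported, unsupported) lists of (value, type) pairs."""
    supported, unsupported = [], []
    for raw in values:
        kind = classify_indicator(raw)
        (supported if kind else unsupported).append((raw.strip(), kind))
    return supported, unsupported


if __name__ == "__main__":
    # Constructed sample batch; the unsupported entry is a truncated hex string.
    ok, rejected = partition_for_lookup(["example.com", "deadbeef", " 10.0.0.1 "])
    print("submit:", ok, "review:", rejected)
```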


4. Enriched Object Types Returned

When executed, the Splunk Lookup Action enriches and returns:

  • Events

  • Identities

  • Indicators


5. Requirements

  • Designed for use with ThreatQ TDR Orchestrator (TQO).

  • Requires an active TQO license.


6. Benefits

  • Enables seamless IOC lookups within Splunk directly from ThreatQ.

  • Reduces investigation time by correlating threat data with Splunk logs.

  • Provides enriched context to improve event creation and threat visibility.

  • Strengthens orchestration workflows through TQO integration.


Verification Checklist

✅ The Splunk Lookup Action executes successfully in ThreatQ.
✅ Returned data enriches indicator or event context.
✅ Optional event creation in ThreatQ functions as expected.


Related Documentation


Call to Action

Have questions or feedback? Share your experience with the Splunk Lookup Action in the comments below!
