• Last Updated
    Jul 23, 2025
  • Version
    1.0.2
  • Compatibility
    ThreatQ Versions >= 5.0.0
  • Splunk Lookup Action

    ThreatQuotient

    Overview

    The Splunk Lookup Action for ThreatQ allows an analyst to query Splunk for more information about a given IOC.

    The integration provides the following action:

    • Splunk Lookup - performs a lookup within Splunk to locate logs related to the submitted indicator and, optionally, creates events based on related sighting information.

    The action is compatible with the following indicator types:

    • CVE
    • FQDN
    • IP Address
    • IPv6 Address
    • MD5
    • SHA-1
    • SHA-256
    • SHA-384
    • SHA-512
    • URL

    The action returns the following enriched object types:

    • Events
    • Identities
    • Indicators

    Note: This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
