Skip to main content
Ctrl+K
Logo image Logo image

EclecticIQ Intelligence Center 3.0.4

Site Navigation

  • Release notes
  • Install Configure Upgrade
  • Get to know EclecticIQ Intelligence Center
  • Work with intelligence
  • Integrations

Section Navigation

  • EclecticIQ Integrations Life Cycle Policy
  • Extensions
    • Enrichers
      • About enrichers
      • Configure enrichers
      • Run enrichers
      • Rules for enrichers
      • Saving data
    • Incoming Feeds
      • Access incoming feeds
      • Create and configure incoming feeds
      • Start and stop incoming feeds
      • Reingest incoming feeds
      • Delete incoming feed content and configuration
    • Outgoing feeds
      • About outgoing feeds
      • Access outgoing feeds
      • Configure content types
      • Download outgoing feed created packages
      • Create and configure outgoing feeds
      • Start and stop outgoing feeds
  • Apps
    • Exchange data between platforms
      • Exchanging data between EclecticIQ Intelligence Center instances
      • Create an automation role
      • Create an automation user
      • Create an automation group
      • Create a TAXII outgoing feed
      • Create a TAXII incoming feed
      • About ingestion discrepancies
    • External documentation
    • Arcsight
      • About the Arcsight integration
      • Get data from EclecticIQ Intelligence Center to Arcsight
        • Installation of Smart Connector(s)
        • Configure Intelligence Center
        • Import the EclecticIQ base content package in ESM
        • Incoming events
        • EclecticIQ Platform connector field mappings
      • Create sightings and lookups from ArcSight to EclecticIQ Intelligence Center
        • CounterACT connector installation and configuration
        • Create Entity Command
    • IBM QRadar SOAR
      • About the IBM Resilient integration
      • Before you start with IBM Resilient
      • Install EclecticIQ Platform Integration
      • Configure Intelligence Center Integration
      • Bootstrap Intelligence Center Integration
      • Run resilient-circuits as a service
      • Configure manual sighting creation
      • Manually create sightings
      • Create artifacts and search for matches
      • Upgrade EclecticIQ Platform Integration
      • Uninstall EclecticIQ Platform Integration
      • Release notes - IBM Resilient integration
        • Release notes - IBM Resilient integration 1.1.5
        • Release notes - IBM Resilient integration 1.1.3
        • Release notes - IBM Resilient integration 1.1.2
        • Release notes - IBM Resilient integration 1.0.3
    • IBM QRadar (Legacy)
      • Release notes - IBM QRadar integration
        • Release notes - IBM QRadar integration 1.3.2
        • Release notes - IBM QRadar integration 1.3.3
        • Release notes - IBM QRadar integration 1.3.4
        • Release notes - IBM QRadar integration 1.3.5
      • About the Threat Intelligence EclecticIQ Platform App for IBM QRadar
      • Install and Configure the app on QRadar
      • Upgrade the app on QRadar
      • Configure the QRadar app for Fusion Center
      • Work with the app on QRadar
    • ServiceNow
      • Configure
        • Prepare EIQ IC
        • Prepare ServiceNow
      • Use
        • Export Incidents to EIQ IC
        • Export Observables to EIQ IC
        • Lookup Observables in SNOW
    • Splunk SOAR
      • Configure
        • Configure your Intelligence Center
        • Install the Splunk SOAR app
        • Configure the Splunk SOAR app
      • Use
        • Create Entities
        • Enrich Entities
        • Search IC
        • Ingest Entities into Splunk SOAR
    • Splunk Phantom (Legacy)
      • Get started with the Splunk Phantom integration
      • Release notes - Splunk Phantom integration
  • Threat Scout
    • Scanning for intelligence
    • Exporting intelligence
      • Intelligence Center export settings
    • Connecting to OpenAI or Intelligence Center
    • Release notes
      • 1.0.0

Splunk SOAR | Use | Search#

The Splunk SOAR integration with EclecticIQ Intelligence Center (EIQ IC) allows you to search the Entities in IC from Splunk SOAR.

A search query will always return Entities with their:

  • Title

  • Type

  • Description

  • Source

  • Tags

  • Related Entities

  • Connected Observables with Type and Maliciousness

The table below shows the kinds of search strings you can enter, as well as the filtering it applies to the results.
You can concatenate with AND logic.

Search string

Filters to

(Partial) Entity Title

Only Entities matching that Title.

Entity Type (dropdown)

Only Entities of that type.

Observable Value

Only Entities connected to that Observable.

Alternatively, you can search for an exact Entity UUID, e.g.: a86f8393-eff6-4b31-b203-f63152be5a43. This retrieves that specific Entity (meaning additional filters like Type or Title aren’t necessary).

previous

Splunk SOAR | Use | Enrich

next

Splunk SOAR | Use | Ingest