INTEGRATION / SIEM
Threat intelligence with Splunk in 2026: feed plumbing and cost
Splunk Enterprise Security integration patterns for threat intelligence in 2026: Recorded Future, Mandiant, MISP via TA-misp, Splunk SOAR (Phantom) automation, and the cost economics.
Last verified: May 2026. Independent reference. No vendor input.
Splunk ES threat-intelligence architecture
Splunk Enterprise Security has shipped a dedicated threat-intelligence framework since its 4.x releases, and the framework has matured continuously. The architecture is three-layered: feed ingestion via Splunkbase apps, ES's own threat-intelligence download inputs, or custom modular inputs; normalisation and storage in the threat-intel KV store collections (ip_intel, file_intel, http_intel, email_intel and the other *_intel collections); and correlation, where ES's threat-matching searches compare event fields against those collections, write hits to the threat_activity index, and the Threat Activity Detected correlation search raises them as notable events.
Feed ingestion is the configuration-heavy layer. Each commercial vendor publishes a Splunkbase app that handles its own feed format: Recorded Future for Splunk, Mandiant Advantage for Splunk, Anomali Bridge, ThreatConnect TC Exchange, DomainTools for Splunk, and so on. The vendor apps abstract away the format-normalisation work; the user configures credentials, feed scope, and ingestion cadence in the app's configuration page. Treat the vendor API key like any other secret: store it through Splunk's credential store (the storage/passwords endpoint the apps use), not in plaintext in a .conf file, and issue it as a read-only key where the vendor offers that scope.
For OSS feeds, the TA-misp add-on connects to a MISP instance and pulls events on a schedule. ES's own threat-intelligence download input handles STIX/TAXII sources directly, so a TAXII server needs no separate app. Custom feed connectors are written as modular inputs in Python; the Splunk SDK for Python (splunklib.modularinput) is well documented and the pattern is straightforward for teams with one or two Python developers available. Whatever the path, give every feed an expiry policy: indicators that never age out accumulate, and a stale C2 address that has since been reassigned generates false matches indefinitely.
The threat-intel KV store collections hold each indicator with its metadata: source (the threat_key), confidence or weight, type, expiry, and tags. ES's threat-matching searches then compare event fields (src, dest, url, file_hash and so on) against the collections and write hits to the threat_activity index, where the Threat Activity Detected correlation search turns them into notable events. The framework covers the common indicator types out of the box (malicious IPs, domains, hashes, URLs, e-mail addresses, certificates); custom correlation searches extend it for organisation-specific patterns. For the broader SIEM correlation pattern, see AI SIEM correlation.
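The ingest, normalise and match flow described above, as an added stand-alone example. This is not Splunk's, ES's or any vendor app's code: it parses a constructed STIX 2.1 bundle into records shaped like a threat-intel collection entry, drops expired and compound-pattern indicators, and correlates constructed key=value events against the result. The record layout, the PATTERN_TYPES and EVENT_FIELDS mappings, the bundle and the event lines are all this example's own assumptions.

```python
"""Added example (not Splunk's or any vendor's code): normalise STIX 2.1 indicators
into threat-intel records, then match key=value events against them. Mirrors the
ingest -> KV store -> threat-matching flow without using the Splunk SDK or ES;
the record layout and field mappings are this example's own."""
import re
from datetime import datetime, timezone

# STIX object:property -> intel type (assumption: this example's mapping, not ES's).
PATTERN_TYPES = {
    ("ipv4-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "file",
}
# Event field -> intel type it is matched against (assumption, as above).
EVENT_FIELDS = {"src": "ip", "dest": "ip", "query": "domain", "url": "url", "file_hash": "file"}

# Single-comparison STIX pattern: [object:property = 'value']
SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_stix_indicators(bundle, source, now):
    """Return live, single-comparison indicators as records.
    Compound patterns (AND/OR/FOLLOWEDBY) are skipped rather than half-parsed, and
    anything past valid_until is dropped so stale IoCs never reach matching."""
    records = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            continue
        match = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match:
            continue
        intel_type = PATTERN_TYPES.get((match.group(1), match.group(2)))
        if intel_type is None:
            continue
        records.append({
            "type": intel_type,
            "value": match.group(3).lower(),
            "source": source,
            "confidence": obj.get("confidence", 50),
            "expires": until,
            "tags": list(obj.get("labels", [])),
            "threat_key": obj["id"],
        })
    return records


def parse_kv_event(line):
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_events(lines, records):
    """Correlate events against the records: one hit per (event, field) that matches."""
    index = {(r["type"], r["value"]): r for r in records}
    hits = []
    for line in lines:
        event = parse_kv_event(line)
        for field, intel_type in EVENT_FIELDS.items():
            rec = index.get((intel_type, event.get(field, "").lower()))
            if rec:
                hits.append({"event": line, "field": field, "threat_key": rec["threat_key"],
                             "source": rec["source"], "confidence": rec["confidence"]})
    return hits


# Constructed bundle and events for the demo (ids are placeholders, not real UUIDs;
# the hash is SHA-256 of empty input, used only as a stand-in value).
NOW = datetime(2026, 5, 15, tzinfo=timezone.utc)
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "id": "indicator--c2-ip", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.23']", "valid_from": "2026-04-01T00:00:00Z",
     "valid_until": "2026-09-01T00:00:00Z", "confidence": 85, "labels": ["malicious-activity"]},
    {"type": "indicator", "id": "indicator--c2-domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example.net']", "confidence": 60},
    {"type": "indicator", "id": "indicator--dropper-hash", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
     "confidence": 90},
    {"type": "indicator", "id": "indicator--expired", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.9']", "valid_until": "2025-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--compound", "pattern_type": "stix",
     "pattern": "[url:value = 'http://bad.example.net/x' OR ipv4-addr:value = '192.0.2.4']"},
    {"type": "malware", "id": "malware--constructed", "name": "not an indicator"},
]}
SAMPLE_EVENTS = [
    "2026-05-15T10:00:01Z action=allowed src=10.0.0.5 dest=198.51.100.23 dest_port=443",
    "2026-05-15T10:00:02Z src=10.0.0.7 query=bad.example.net",
    "2026-05-15T10:00:03Z src=10.0.0.9 dest=203.0.113.9",
    "2026-05-15T10:00:04Z user=alice file_hash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2026-05-15T10:00:05Z src=10.0.0.11 dest=192.0.2.1",
]

if __name__ == "__main__":
    recs = parse_stix_indicators(SAMPLE_BUNDLE, "constructed-feed", NOW)
    for hit in match_events(SAMPLE_EVENTS, recs):
        print(hit["field"], hit["threat_key"], hit["confidence"])
```

Three of the six objects become records and three of the five events match; the expired 203.0.113.9 indicator produces no hit even though an event contains it, which is the behaviour an expiry policy buys you. The compound OR pattern is skipped deliberately: half-parsing it would load one operand and silently drop the other.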
Vendor app integration patterns
Recorded Future for Splunk
Pulls Insikt Group reporting, IoCs, and risk scores into the Splunk threat-intel framework. Correlation searches fire on RF risk scores above defined thresholds. Pricing: app free, RF subscription required ($50k+ for Core).
Mandiant Advantage for Splunk
Pulls Mandiant Advantage indicators and adversary intelligence. Includes pre-built correlation content for Mandiant-tracked actors. Pricing: app free, Mandiant subscription required (custom, typically $40k-$200k+).
Anomali Bridge for Splunk
Bidirectional integration between ThreatStream and Splunk ES. ThreatStream-curated indicators flow into Splunk; SIEM events flow back to ThreatStream for analyst review. Pricing: app free, Anomali subscription required.
TA-misp (MISP add-on)
OSS path. Pulls MISP events into Splunk threat_intel framework. Free to use. Requires running a MISP instance (Hetzner or AWS self-hosted, $20-$200/mo).
VirusTotal for Splunk
Enrichment on demand via SPL macros. Hash and IP lookups in SOAR playbooks or analyst queries. Pricing: VirusTotal Intelligence subscription required.
DomainTools for Splunk
Risk-score and passive DNS enrichment in correlation searches. Pricing: DomainTools API subscription, query-volume metered.
Splunk SOAR (Phantom) automation
Splunk SOAR (formerly Phantom Cyber, acquired by Splunk in 2018) provides the playbook-driven automation layer that turns threat intelligence into operational action. Common SOAR-driven CTI workflows include alert enrichment, automated case creation, IoC blocking, and notification routing.
A typical enrichment playbook: a Splunk ES correlation search fires on an indicator match, the SOAR playbook receives the alert, queries MISP for additional context on the indicator, queries OpenCTI for related campaigns and actors, queries VirusTotal for vendor consensus, queries Recorded Future for risk score and Insikt reporting, queries DomainTools for passive DNS and risk score, then aggregates the enrichment into the alert ticket. The analyst opens a ticket pre-loaded with all the context they would have spent 15-30 minutes gathering manually.
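The aggregation step of that playbook (and of the SOAR workflows summarised in the FAQ), as an added example. This is plain Python, not Splunk SOAR playbook code: a real playbook would collect these results through the SOAR app actions and the phantom module. The response dictionaries are simplified stand-ins for what MISP, OpenCTI, VirusTotal, Recorded Future and DomainTools return, the source weights and thresholds are this example's own tuning values, and the team routing is a hypothetical mapping. The point it adds is the corroboration rule: a single high score is enough for a ticket, but automated blocking requires agreement from more than one source.

```python
"""Added example: aggregate multi-source enrichment for one indicator and decide
what the playbook does with it. Not Splunk SOAR code; response shapes are
simplified stand-ins, weights and thresholds are this example's assumptions."""

# Assumption: per-source trust weights chosen for this example, not vendor guidance.
SOURCE_WEIGHTS = {"recorded_future": 1.0, "virustotal": 0.9, "misp": 0.7,
                  "opencti": 0.6, "domaintools": 0.5}

BLOCK_THRESHOLD = 80    # weighted score needed before automated blocking
CORROBORATION = 2       # sources that must each score >= 70 before blocking
TICKET_THRESHOLD = 50   # weighted score that opens a case for an analyst


def normalise(source, raw):
    """Map one source's (simplified) response to a (0-100 score, tags) pair.
    Returns None when the source had no opinion, so silence is not counted as benign."""
    if raw is None:
        return None
    if source == "recorded_future":          # RF risk score is already 0-99
        return raw["risk_score"], list(raw.get("risk_rules", []))
    if source == "virustotal":               # fraction of engines flagging it
        stats = raw["last_analysis_stats"]
        total = sum(stats.values())
        if total == 0:
            return None
        return round(100 * (stats["malicious"] + 0.5 * stats["suspicious"]) / total), []
    if source == "misp":                     # threat_level_id: 1 high .. 4 undefined
        return {1: 90, 2: 60, 3: 30, 4: 0}[raw["threat_level_id"]], list(raw.get("tags", []))
    if source == "opencti":
        return raw["x_opencti_score"], [f"campaign:{c}" for c in raw.get("campaigns", [])]
    if source == "domaintools":
        return raw["risk_score"], []
    raise ValueError(f"unknown source {source}")


def aggregate(indicator, enrichments):
    """Weighted mean over the sources that answered, plus how many corroborate."""
    scored, tags = {}, set()
    for source, raw in enrichments.items():
        norm = normalise(source, raw)
        if norm is None:
            continue
        scored[source] = norm[0]
        tags.update(norm[1])
    if not scored:
        return {"indicator": indicator, "score": 0, "sources": 0, "corroborating": 0, "tags": []}
    weight_sum = sum(SOURCE_WEIGHTS[s] for s in scored)
    score = round(sum(SOURCE_WEIGHTS[s] * v for s, v in scored.items()) / weight_sum)
    corroborating = sum(1 for v in scored.values() if v >= 70)
    return {"indicator": indicator, "score": score, "sources": len(scored),
            "corroborating": corroborating, "tags": sorted(tags), "per_source": scored}


def decide(verdict):
    """Block only with corroboration; otherwise ticket or enrich-only. Routes by tag."""
    if verdict["score"] >= BLOCK_THRESHOLD and verdict["corroborating"] >= CORROBORATION:
        action = "block"
    elif verdict["score"] >= TICKET_THRESHOLD or verdict["corroborating"] >= 1:
        action = "ticket"
    else:
        action = "enrich_only"
    team = "soc-l1"                          # assumption: hypothetical team mapping
    if any(t.startswith("campaign:") for t in verdict["tags"]):
        team = "threat-hunt"
    return {"action": action, "route_to": team, **verdict}


# Constructed enrichment responses (not real vendor data).
CASE_CORROBORATED = {
    "recorded_future": {"risk_score": 92, "risk_rules": ["Recent C2 Server"]},
    "virustotal": {"last_analysis_stats": {"harmless": 2, "malicious": 40, "suspicious": 4,
                                           "undetected": 14, "timeout": 0}},
    "misp": {"threat_level_id": 1, "tags": ["tlp:amber"]},
    "opencti": {"x_opencti_score": 85, "campaigns": ["constructed-campaign-1"]},
    "domaintools": None,
}
CASE_SINGLE_SOURCE = {
    "recorded_future": {"risk_score": 95},
    "virustotal": {"last_analysis_stats": {"harmless": 0, "malicious": 0, "suspicious": 0,
                                           "undetected": 0, "timeout": 0}},
    "misp": None, "opencti": None, "domaintools": None,
}
CASE_LOW = {
    "virustotal": {"last_analysis_stats": {"harmless": 60, "malicious": 1, "suspicious": 0,
                                           "undetected": 9, "timeout": 0}},
    "domaintools": {"risk_score": 12},
}

if __name__ == "__main__":
    for name, case in [("198.51.100.23", CASE_CORROBORATED), ("203.0.113.9", CASE_SINGLE_SOURCE),
                       ("example.org", CASE_LOW)]:
        v = decide(aggregate(name, case))
        print(name, v["action"], v["score"], v["sources"], v["route_to"])
```

The single-source case is the one to watch: a 95 from one vendor lands as a ticket, not a block, because nothing corroborates it, and a VirusTotal response with zero engines is treated as no opinion rather than as a clean verdict. Tune the weights and thresholds to your own feed history; the values here exist only to make the three cases distinguishable.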
SOAR is consumption-licensed in the current Cisco-owned Splunk pricing model. Common mid-size deployments run $40,000 to $150,000 per year for SOAR alone, separate from Splunk ES ingestion costs. The marginal cost of an additional playbook execution is negligible; the cost driver is the total volume of playbook actions per month.
For agentic SOC patterns that go beyond playbook-driven SOAR, see agentic SOC buildout. Splunk SOAR is rule-driven; the agentic layer reasons over unstructured data and proposes novel actions.
Cost economics: a Splunk-centric SOC
The total cost of a Splunk-centric SOC with AI threat intelligence in 2026 breaks down across four layers. The ranges below are for a 200 GB per day ingestion environment with a 5-10 analyst SOC, which is a common mid-market Splunk customer profile.
| Layer | Annual cost range | Notes |
|---|---|---|
| Splunk Enterprise Security (workload pricing) | $150,000 - $400,000 | Splunk Cloud Platform or Splunk Enterprise license. 200 GB/day reference profile. Cisco-owned pricing as of 2024. |
| Splunk SOAR | $40,000 - $150,000 | Consumption licensed. Mid-market deployment. |
| Splunk SOC Assistant (AI add-on) | $30,000 - $100,000 | AI-assisted SPL generation, alert summarisation. Pricing under consolidation in Cisco era. |
| Threat intelligence subscriptions | $50,000 - $250,000 | One commercial CTI subscription (Recorded Future Core or equivalent) plus OSS feeds. Add brand protection or premium intel for the higher end. |
| Total Splunk-centric SOC stack | $270,000 - $900,000 | All layers, 200 GB/day, 5-10 analyst SOC. Excludes analyst salaries. |
Source: Splunk Cisco-era pricing references (2024-2026), Vendr contract data composite, Splunkbase app listings. Last verified May 2026.
For the broader SIEM cost context, see siemcostcalculator.com. For SOC headcount and total operational cost, see securityoperationscost.com.
FAQ
How does Splunk Enterprise Security ingest threat intelligence?
Splunk ES has a built-in threat-intelligence framework that ingests indicators from STIX/TAXII sources, custom feeds, and vendor-specific Splunkbase apps. Indicators land in the threat-intel KV store collections (ip_intel, file_intel, http_intel and the rest); threat-matching searches compare events against the collections and the Threat Activity Detected correlation search raises the hits as notable events. Vendor-specific apps (Recorded Future for Splunk, Mandiant Advantage for Splunk, Anomali Bridge) handle the heavier lifting of feed format normalisation, scoring, and per-feed configuration. The framework is mature and well documented; the operational burden is mainly configuration discipline (expiry, weighting, de-duplication across feeds) rather than integration friction.
What is the TA-misp app and what does it do?
TA-misp is a Splunkbase add-on that connects a MISP instance to Splunk Enterprise Security. It pulls MISP events at a configured cadence (commonly 15 to 60 minute intervals), normalises the attributes into Splunk's threat-intel format, and loads them into the threat-intel KV store collections. Threat-matching searches in ES then compare Splunk events against the MISP-derived indicators. The TA-misp app is the cleanest path for OSS-driven threat intelligence into Splunk and is the foundation of many hybrid OSS plus commercial CTI stacks in 2026.
Does Splunk SOC Assistant include threat-intel features?
Yes, since 2024, with continued expansion in 2025 and 2026. Splunk SOC Assistant (Splunk itself has been Cisco-owned since 2024) provides AI-assisted SPL query generation, alert summarisation, and threat-intel context surfacing for analysts working in Splunk ES. The integration draws on the threat-intel framework indicators already ingested into Splunk. Splunk SOC Assistant pricing is bundled into some Splunk ES contracts; for newer customers it is increasingly a separate contract line item with consumption-based billing.
What is the cost of Recorded Future for Splunk?
Recorded Future for Splunk is the Splunkbase app that integrates the Recorded Future Intelligence Cloud with Splunk Enterprise Security. The app itself is free to install; it requires an active Recorded Future subscription (Core tier minimum, typically $50,000 to $120,000 per year per the Recorded Future pricing reference) to provide usable intelligence. The app cost is therefore the underlying RF subscription. Many Splunk customers find that piping RF intelligence through the Splunk threat-intel framework is more cost-effective than running parallel feeds from RF and from a separate TIP.
How does Splunk SOAR (Phantom) integrate with threat intelligence?
Splunk SOAR (formerly Phantom) provides the playbook-execution layer that operationalises threat intelligence. Common SOAR-driven CTI workflows include: alert enrichment from MISP, OpenCTI, Recorded Future, and VirusTotal in a single playbook; automated case creation in TheHive or Jira when a high-confidence indicator fires; IoC blocking on firewalls or proxies when thresholds are met; and notification routing based on actor or campaign tags. SOAR is consumption-licensed; common mid-size deployments run $40,000 to $150,000 per year for SOAR alone, separate from Splunk ES.