The USOM Threat Intelligence add-on integrates the Turkish Cybersecurity Presidency's TR-CERT threat-intelligence API into Splunk. It polls the USOM REST API on a configurable schedule and produces five lookup tables containing indicators of compromise: IP addresses, IPv6 addresses, IPv6 networks, domains, and URLs. The add-on resolves USOM's short threat-classification codes to English titles using companion API endpoints. For environments running Splunk Enterprise Security 7.0 or later, the add-on includes optional threatlist:// inputs that push these lookups into ES's threat intelligence framework for automated correlation. The add-on emits operational logs and per-cycle statistics events to aid monitoring and troubleshooting. On Search Head Clusters, the modular input automatically runs only on the captain and replicates lookup tables to members via bundle replication.
Categories
Utilities, Threat Intel