Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Do I need to create a new correlation search to use threat intelligence?

irsysintegratio
Path Finder
‎07-11-2017 08:51 AM

Hello,

We are researching on integration with Splunk Enterprise Security (ES), and I have a question about threat intelligence.

I added a CSV file for threat intelligence download, and I can see that the ip address stored in the CSV file has been extracted successfully and added to the threat intelligent artifacts. My question is how to use this newly added IOC? Do I need to create a new correlation research to use it? Or will it be used automatically by Splunk ES built-in correlation search?

Thanks!

Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 08:59 AM

By default there is a correlation search that is pre-built into the system called Threat Activity Detected that can be turned on and run by default. You can modify it or create additional correlation searches if you would like.

0 Karma
Reply

irsysintegratio
Path Finder
‎07-11-2017 10:30 AM

The result of this pre-built correlation research is shown in the "Threat Activity Detected" dashboard? Somehow it does not work.
1. We added a simple CSV file with an IP address 10.122.25.51.
2. We verified that this IP address appears in the ip_intel. This means Splunk ES parsed the CSV file and extracted the IOC properly, right?
3. We verified that there are simulated active events with dest="10.122.25.51". But there is not notable event created. Threat Activity Detected dashboard does not show notable event caused by this IP address being detected.

Anything missing here? How can we debug this please?

Thanks!

0 Karma
Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 10:43 AM

The default correlation would show in threat activity dashboard as well as would generate a notable event provided the correlation search is enabled and configured. There is a bit of housekeeping that is performed to prepare the data. I would take a look at the threat gen saved searches within ES, specifically Threat - Source And Destination Matches - Threat Gen and take a look at the search interval and also the search to ensure it runs. You can also look at the threat activity data model data and see what is in there as this is where the correlation search looks.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...