I am subscribed to a 3rd party threat intelligence called Group-IB. I have the Group-IB app for Splunk installed on my search head.
My question is in regards to tuning, as I have done very little to none. Should I expect that the threat intelligence that is streaming in is being run against the events in my environment automatically? Assuming the threat intelligence is CIM compliant, should I expect that my Enterprise Security will make a notable event if there is a match?
Should I expect that the threat intelligence that is streaming in is being run against the events in my environment automatically?
I would not expect that; most vendors don't integrate with the Splunk ES threat intel framework, they just make the TI data available in Splunk via a lookup file or by putting it in an index. If you want to be sure the TI info is flowing into the threat intel framework, I suggest you add the data there, either by referring to the app-created lookup (if any), by creating your own lookup from the indexed data, or by adding a TAXII/STIX feed.
See for more info:
Splunk Lantern
Splunk Docs
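An added example (not from this thread or the Group-IB app) of the "create your own lookup from the indexed data" option: a scheduled search that writes the indexed indicators into a CSV lookup, plus the conf stanzas that register that lookup as a threat source for the ES threat intel framework. The index, sourcetype, field names (ioc_type, ioc_value, threat_name), lookup name, saved search name and weight are all placeholders to be replaced with what the app actually writes in your environment.

```ini
# Added example, not the Group-IB app's own configuration. All names below
# (index, sourcetype, fields, lookup, saved search) are placeholders.

# --- savedsearches.conf on the ES search head: scheduled search that
#     rebuilds the lookup from the indexed TI events every hour.
#     A trailing backslash continues the search on the next line.
[Threat - Group-IB IP Intel Lookup - Gen]
cron_schedule = 15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
search = index=groupib sourcetype=groupib:ioc ioc_type=ip \
| rex field=ioc_value "^(?<ip>\d{1,3}(\.\d{1,3}){3})$" \
| where isnotnull(ip) \
| eval description="Group-IB: ".coalesce(threat_name, "unknown"), weight=60 \
| stats latest(description) AS description, latest(weight) AS weight BY ip \
| fields ip description weight \
| outputlookup override_if_empty=false groupib_ip_intel

# --- transforms.conf: lookup definition the search writes to and the
#     threat intel framework reads from (columns: ip, description, weight,
#     matching the ip_intel collection).
[groupib_ip_intel]
filename = groupib_ip_intel.csv

# --- inputs.conf: threatlist input (provided by SA-ThreatIntelligence) that
#     loads the lookup into the ip_intel collection so the framework's
#     threat matching searches can use it.
[threatlist://groupib_ip_intel]
type = csv
url = lookup://groupib_ip_intel
description = Group-IB IP indicators exported from the indexed feed
delim_regex = ,
fields = ip:$1,description:$2,weight:$3
ignore_regex = (^#|^\s*$)
skip_header_lines = 1
interval = 3600
weight = 60
disabled = 0
```

After the input has run, confirm the indicators arrived with `| inputlookup ip_intel | search threat_key=groupib_ip_intel` on the ES search head before expecting "Threat Activity Detected" notables for matches.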
Thank you for your help.
Can you help with how to create my own lookup from the indexed TI?
Thanks