Hi,
We use Splunk Enterprise Security (ES), and in Data Enrichment --> Lists and Lookups we have the below lists, which are completely blank:
Local Certificate Intel
Local Domain Intel
Local Email Intel
Local File Intel
Local HTTP Intel
Local IP Intel
What I see in the ES dashboard is that legitimate websites (e.g. outlook.live.com) are being flagged under the malicious domains group.
I see ip_intel and file_intel as the most active threat collections. I think these are being flagged incorrectly since these feeds/lists are blank.
Should this go away if I were to disable these lists?
Also, is there a recommended source from which I could populate and regularly update these lists?
Help in the right direction would be much appreciated.
Abbas
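A domain can only show up as threat activity if it matched a record in one of the threat-intel KV store collections, and a blank local lookup contributes no records, so the useful diagnostic is to find which collection and which source (ES records the originating feed in a threat_key field) holds the entry for the flagged domain. The script below is an added example, not code from the original post or from Splunk. It assumes the generic KV store REST path (storage/collections/data/<collection>) under the SA-ThreatIntelligence app, collection names matching the poster's list (ip_intel, domain_intel, ...), and record fields named domain, ip, threat_key and description; verify those against your ES version. The snapshot it analyses offline is constructed sample data.

```python
"""Added example: locate the threat-intel source behind a flagged domain in Splunk ES.

Assumptions (not confirmed by the original post): KV store collections named
ip_intel, domain_intel, file_intel, http_intel, email_intel, certificate_intel
under the SA-ThreatIntelligence app, with records carrying 'domain' or 'ip',
'threat_key' (the feed that supplied the entry) and 'description'.
"""
import json
import ssl
import urllib.request
from collections import Counter

# Collections corresponding to the "Local * Intel" lookups the post lists.
INTEL_COLLECTIONS = ["ip_intel", "domain_intel", "file_intel",
                     "http_intel", "email_intel", "certificate_intel"]


def fetch_collection(base_url, token, collection,
                     app="SA-ThreatIntelligence", verify_tls=True):
    """Pull every record of one KV store collection over the REST API.

    base_url is e.g. https://splunk.example:8089 (hypothetical host); token is a
    Splunk bearer token. Not exercised by the offline demo below.
    """
    url = (f"{base_url}/servicesNS/nobody/{app}/storage/collections/data/"
           f"{collection}?output_mode=json")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def snapshot_all(base_url, token):
    """Fetch every intel collection into {collection_name: [records]}."""
    return {name: fetch_collection(base_url, token, name) for name in INTEL_COLLECTIONS}


def normalize_domain(value):
    """Canonical form for comparison: lowercase, no scheme/path/port,
    no trailing dot, no leading wildcard label."""
    v = value.strip().lower().rstrip(".")
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0].split(":", 1)[0]
    if v.startswith("*."):
        v = v[2:]
    return v


def empty_collections(snapshot):
    """Names of collections that hold no records at all (sorted)."""
    return sorted(name for name in INTEL_COLLECTIONS if not snapshot.get(name))


def sources_by_collection(snapshot):
    """Per collection, how many records each threat_key (feed) contributed."""
    return {name: Counter(r.get("threat_key", "<no threat_key>") for r in recs)
            for name, recs in snapshot.items()}


def find_domain(snapshot, domain):
    """Every intel record whose domain/ip field equals the given domain,
    with the collection and feed (threat_key) it came from."""
    target = normalize_domain(domain)
    hits = []
    for name, recs in snapshot.items():
        for r in recs:
            candidate = r.get("domain") or r.get("ip") or ""
            if candidate and normalize_domain(candidate) == target:
                hits.append({"collection": name,
                             "threat_key": r.get("threat_key"),
                             "description": r.get("description")})
    return hits


# Constructed sample snapshot standing in for what snapshot_all() would return.
SAMPLE_SNAPSHOT = {
    "domain_intel": [
        {"domain": "bad-example.test", "threat_key": "example_blocklist",
         "description": "constructed sample entry"},
        {"domain": "outlook.live.com", "threat_key": "example_broad_feed",
         "description": "constructed: over-broad feed entry"},
    ],
    "ip_intel": [
        {"ip": "192.0.2.10", "threat_key": "example_blocklist",
         "description": "constructed sample entry"},
        {"ip": "198.51.100.7", "threat_key": "example_broad_feed",
         "description": "constructed sample entry"},
    ],
    "file_intel": [], "http_intel": [], "email_intel": [], "certificate_intel": [],
}

if __name__ == "__main__":
    print("empty collections:", empty_collections(SAMPLE_SNAPSHOT))
    for name, counts in sources_by_collection(SAMPLE_SNAPSHOT).items():
        print(f"{name}: {dict(counts)}")
    print("outlook.live.com:", find_domain(SAMPLE_SNAPSHOT, "outlook.live.com"))
```

Run it against a real snapshot (snapshot_all with your search head URL and a token) and look at the threat_key of the hit for the domain in question. If it names a downloaded feed rather than one of the local lookups, disabling the empty local lists will not change the flagging; the entry has to be removed from, or allowlisted against, that feed.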