Hey there
I suppose it depends on what you want to achieve. For us, we just ingest our watchlist and feed data to Splunk; that way we are getting our core alerts and can alter our watchlists if we need to get anything more specific. This obviously means we can't use the full functionality of the app, but really the alerts are all we want anyway. The cost of indexing all of that Cb data is too much, so it's better to be specific. I also feel that for drilling down, the Cb Response web interface is far more effective than using Splunk, so we just pivot into that when needed.