https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263545#M1977 <P>Any update guys ........................................</P> Tue, 06 Dec 2016 11:31:33 GMT sumitkathpal 2016-12-06T11:31:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263544#M1976 <P>Hi All,</P> <P>Here is the scenario:</P> <P>Currently we are using custom threat intelligence in Splunk Enterprise Security to download the CSV file (Threat Intelligence from internet) which gets downloaded in path C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel\ filename.csv and gets updated every 1 hour.</P> <P>Now we need to use this filename.csv (which is dynamic file as it get automatically updated).</P> <P>Can I use this dynamic file as a lookup to compare with firewall IP (If yes what are the steps to use the path mentioned above), as we are developing our app for threat intelligence? Or are there other options we can use?</P> <P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Happy Splunking </P> Tue, 06 Dec 2016 06:45:32 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263544#M1976 sumitkathpal 2016-12-06T06:45:32Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263545#M1977 <P>Any update guys ........................................</P> Tue, 06 Dec 2016 11:31:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263545#M1977 sumitkathpal 2016-12-06T11:31:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263546#M1978 <P>Hi</P> <P>have you seen/followed this link <A href="http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists">http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists</A><BR /> specifically the "Adding a custom source", choosing a ip type</P> <P>and yes, you can use it as a lookup, in ES dashboard, ...</P> Tue, 06 Dec 2016 21:52:16 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263546#M1978 maraman_splunk 2016-12-06T21:52:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263547#M1979 <P>You could use the entire threat framework to do this. Make sure the threat intel download settings are correctly pulling into the ip_intel threat collection. The key is making sure the fields value is configured correctly. If I had a comma delimited file with description, ip the fields value might look like ip:$2 and the delimiter is ,</P> <P>Once the data comes in cleanly to threat artifacts the lookup gen and threat gen will handle the data just like the built in threat intel and the data gets correlated with all logs not just firewall. Additional refinement could then be done to limit to just firewall.</P> <P>There are other ways to solve it but this can leverage all the development that is already in place.</P> Thu, 08 Dec 2016 18:52:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Can-I-use-a-dynamic-threat/m-p/263547#M1979 jstoner_splunk 2016-12-08T18:52:40Z