All Apps and Add-ons

Anomali integration with Splunk not working

smithahc1966
New Member

Hi,

We have an integration setup for ThreatStream Anomali app and Splunk ES. This was done previously from someone else. At the moment, I see million events coming in. But I want to fine tune the search filter which I can do it on ThreatStream ANomali app.

Currently the filter is (status="active") AND (Confidence>=90) AND (Created_ts>=5d) AND (itype!="scan_ip" AND itype!="compromised_email" AND itype!="mal_md5"). and it's pulling unnecessary logs.

I would like to know what's the meaning and how to fine tune this.

Thanks for your help in advance

Tags (1)
0 Karma
1 Solution

adalbor
Builder

Def check the Anomali documentation for more information.

That being said the filter states that you only want active IOC's, confidence level greater than or equal to 90 (extremely confident the intel is correct), the ioc was created greater than 5 days ago, the IOC is not an IP associated with scanning activity, the IOC is not a compromised email address, and the IOC is not a malicious file hash.

Get with Anomali support to help you fine tune this. Its better to tune your IOC collection at the Anomali lvl.

View solution in original post

0 Karma

adalbor
Builder

Def check the Anomali documentation for more information.

That being said the filter states that you only want active IOC's, confidence level greater than or equal to 90 (extremely confident the intel is correct), the ioc was created greater than 5 days ago, the IOC is not an IP associated with scanning activity, the IOC is not a compromised email address, and the IOC is not a malicious file hash.

Get with Anomali support to help you fine tune this. Its better to tune your IOC collection at the Anomali lvl.

0 Karma

starcher
SplunkTrust
SplunkTrust

You should contact Anomali support.

0 Karma

smithahc1966
New Member

Yep. Anomali team is helping me out. Posted this question if someone could address before them.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...