Splunk Cloud

Threat intelligence feeds

iherb_0718
Path Finder

I am subscribed to a 3rd party threat intelligence called Threatconnect.  I have the Threatconnect app for splunk installed on my search head. 

My question is in regards to tuning as I have done very little to none. Should I expect that the threat intelligence that is streaming in is being ran against the events in my environment automatically? Assuming the threat intelligence is CIM compliant, should I expect that my Enterprise Security will make a notable event if there is a match?

 

 

 

 

Labels (1)
0 Karma
1 Solution

scelikok
Champion

Hi @iherb_0718,

Threatconnect app is  designed to be able to work without ES, but also support feeding ES Threat Intelligence sources. If you setup ES to ingest these data, you will start getting notables.

You can also setup searches to be alerted but since you already have ES, you can choose best suitable method.

You can find information about ingesting threat intelligence data to ES, or setting up searches against your events.

 https://training.threatconnect.com/learn/article/threatconnect-application-for-splunk-user-guide-kb-...

 

If this reply helps you, an upvote is appreciated.

If this reply helps you an upvote is appreciated.

View solution in original post

0 Karma

scelikok
Champion

Hi @iherb_0718,

Threatconnect app is  designed to be able to work without ES, but also support feeding ES Threat Intelligence sources. If you setup ES to ingest these data, you will start getting notables.

You can also setup searches to be alerted but since you already have ES, you can choose best suitable method.

You can find information about ingesting threat intelligence data to ES, or setting up searches against your events.

 https://training.threatconnect.com/learn/article/threatconnect-application-for-splunk-user-guide-kb-...

 

If this reply helps you, an upvote is appreciated.

If this reply helps you an upvote is appreciated.

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!