Hello All,
I am a newbie to ES and need some help on a basic use case of ES. We are ingesting our firewall logs into Splunk. How can I set up a search to check connection attempts (as in dest_ip) going to malicious IPs / CNC IP addresses?
index=cisco eval connection = if (dest_ip=(From Threat_intel_List)) , generate an alert or show data in table format
We don't want to rely on manually creating a lookup file and keeping it manually updated.
Since you're new, it's probably best to start with an overview at the link below, noting that the threat framework does the work in the background for you to generate notables for your security data:
https://www.youtube.com/watch?v=NJT-fE35eaY
Splunk allows you to trigger notable events based on threat intel information. Start by configuring the threat intel following the directions here:
https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Addthreatintel
Nearly every threat intel source will reference the EICAR test file, so I would recommend downloading that after setting up the threat intel to verify that the notable fires correctly.
https://www.eicar.org/?page_id=3950
Even if you planned on creating your own lookups, these could be integrated into ES as a new threat intel source to be managed and prioritised along with existing threat intel sources. It's definitely not a case of 'one or the other'.
If you wanted to set up a custom search despite what ES provides, and you decided not to use guided mode for the correlation search, my recommendation would be to start with the "Network_Traffic" datamodel to search on the desired dataset, and progress to using tstats to form efficient searches. As long as the datamodel references your index appropriately, you're good to go.
If you have everything configured, but don't seem to be getting the results you expect, please provide some additional detail on what you have configured, what tests you've performed, and what results you received.
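As an added example (not part of the answer above, and not code shipped with ES), this is the shape of the tstats-based custom search the answer describes: summarise firewall traffic from the Network_Traffic datamodel, then match the destination against the threat intel ES already manages instead of a hand-maintained CSV. It assumes `ip_intel` is the KV store lookup that ES populates from your configured threat intel sources, with an `ip` field and a `threat_key` field naming the source that contributed the indicator; confirm those field names against the lookup definition in your ES version. It also assumes the Network_Traffic datamodel is accelerated, since `summariesonly=true` returns nothing otherwise.

```spl
| tstats summariesonly=true allow_old_summaries=true
    count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action=allowed
    by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| rename "All_Traffic.*" AS "*"
| lookup ip_intel ip AS dest OUTPUT threat_key description AS threat_description
| where isnotnull(threat_key)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table firstTime lastTime src dest dest_port count threat_key threat_description
```

Reading it top to bottom: the `tstats` clause aggregates allowed connections per source, destination and port from the accelerated summary (drop `where All_Traffic.action=allowed` if you also want blocked attempts); `rename` strips the `All_Traffic.` prefix so the fields are plain `src`/`dest`; the `lookup` joins `dest` against the threat intel IP field and brings back which source matched; `where isnotnull(threat_key)` keeps only hits. To get notables rather than a table, save it as a correlation search in ES (Content Management > Create New Content > Correlation Search) and add a Notable adaptive response action. Two caveats a practitioner will want: a plain `lookup` as written is an exact match, so CIDR-range indicators in your intel will not hit unless the lookup definition in your ES version does CIDR matching, which is one reason to prefer the framework's own threat-gen searches; and run the query without `summariesonly=true` once to confirm the datamodel actually covers `index=cisco` before trusting an empty result.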