Splunk Enterprise Security

Checking against a known threat intel IP

neerajs_81
Builder

Hello All,
I am a newbie to ES and need some help on a basic use case of ES. We are ingesting our firewall logs into Splunk. How can I set up a search to check connection attempts (as in dest_ip) going to malicious IPs / C&C IP addresses?

index=cisco | eval connection = if(dest_ip=(From Threat_intel_List)) , generate an alert or show data in table format

We don't want to rely on manually creating a lookup file and having to keep updating it by hand.

0 Karma

ro_mc
Path Finder

Since you're new it's probably best to start with an overview at the link below, noting that the threat framework does the work in the background for you to generate notables for your security data:

https://www.youtube.com/watch?v=NJT-fE35eaY

Splunk allows you to trigger notable events based on threat intel information. Start by configuring the threat intel following the directions here:

https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Addthreatintel

Nearly every threat intel source will reference the EICAR test file, so I would recommend downloading that after setting up the threat intel to verify that the notable fires correctly.

https://www.eicar.org/?page_id=3950

Even if you planned on creating your own lookups, these could be integrated into ES as a new threat intel source to be managed and prioritised along with existing threat intel sources. It's definitely not a case of 'one or the other'.

If you wanted to set up a custom search despite what ES provides, and you decided not to use guided mode for the correlation search, my recommendation would be to start with the "Network_Traffic" datamodel to search on the desired dataset, and progress to using tstats to form efficient searches. As long as the datamodel references your index appropriately, you're good to go.

If you have everything configured, but don't seem to be getting the results you expect, please provide some additional detail on what you have configured, what tests you've performed, and what results you received.

0 Karma
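As an added example (not code from either post above), here is the shape of the custom correlation search the answer describes: a tstats query over the Network_Traffic datamodel, with each allowed destination checked against the ES threat intelligence IP collection so that only matches are returned. It assumes the datamodel is accelerated and mapped to the firewall index, and that the ES KV store lookup is named `ip_intel` with fields `ip`, `threat_key` and `description`; verify those names under the threat intelligence artifacts in your own ES instance before scheduling it.

```spl
| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.action="allowed"
    BY All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port
| rename All_Traffic.* AS *
| lookup ip_intel ip AS dest_ip OUTPUTNEW threat_key description
| where isnotnull(threat_key)
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen src_ip dest_ip dest_port count threat_key description
| sort - count
```

Because the lookup reads the collection that ES keeps refreshed from its configured threat intel downloads, no hand-maintained CSV is involved; the search's time range comes from the correlation search schedule rather than from the query itself.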