How do I test/check to see if my new "local" ES Th...

woodcock · ‎12-25-2024

I am using these dox:
https://docs.splunk.com/Documentation/ES/8.0.1/Admin/AddThreatIntelSources#Add_threat_intelligence_w...

It is pretty straightforward but I suspect that my configuraiton is not working. Where are the "master lookups" that Splunk's Threat Framework uses? I assume that there is 1 "master lookup" each for IPv4, domains, urls, hashes, etc. Or perhaps they are all combined into 1. There are about 100 lookups this client's ES and I have checked out the ones that look promising but didn't find my new data so I cannot conclude anything.

woodcock · ‎12-26-2024

I assume that this accepted answer is correct:
https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-the-threat-feed-I-added-using-...

So like this:

| `service_intel` 
| `process_intel` 
| `file_intel` 
| `registry_intel` 
| `user_intel` 
| `email_intel` 
| `certificate_intel` 
| `ip_intel`

meetmshah · ‎12-26-2024

Yes, search for "_intel" in Lookup Definition and you will see all Threat Intel Lookup along with definition -

All lookups from the specific categories gets combined / merged and used to Threat Matching. For example, everything related to IP will fall under ip_intel lookup.

Please hit Karma, if this helps!

How do I test/check to see if my new "local" ES ThreatFeed is working?

administration

configuration

Threat Intelligence Management

using Enterprise Security

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation