- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to add a PC name to a threat intel list for Sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add a PC name to a threat intel list for Splunk Enterprise Security?
Hi Splunkers,
We have an indicator of a phishing source from email headers - a PC name. We need to add it to a Threat Intel collection for ES.
I did not find an appropriate one to use. Should we create a custom list or would any of the pre-existing ollections work with it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This PC name contains a domain or any related information? If so, maybe the "ip_intel" would fit your use case.
Also, in case you have not seen it yet, these are the supported types of threat intel in Enterprise Security: https://docs.splunk.com/Documentation/ES/6.1.1/Admin/Supportedthreatinteltypes
In my opinion, the only attention point in case you create a custom list is to validate if your active correlation searches and Threat Activity generating searches will be able to use this custom list.
One other option is to have this PC name in a IOC lookup file and create a custom search for correlating the lookup and your log sources.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi alonsocaio,
thank you for reply.
This is just a local name without any domain.
To be honest I did not examine all correlation searches on methods them correlate with intel tables, hence my question was brought up.
Also I'm in doubt it can compare lists with untypical field (not src, ip, user or other CIM-described field) .
So the idea with custom search that will parse data for a equality looks more appropriate to me as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, if you want to take a further look on the Threat Activity rule works on Splunk ES, search for the Saved Searches ending with "Threat Gen", on the DA-ESS-ThreatIntelligence context.
I guess you would even be able to create a Threat Gen search for your custom list, but maybe a simplified approach would be better and faster, such as the lookup file for matching your logs.
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
