We have an indicator of a phishing source from email headers - a PC name. We need to add it to a Threat Intel collection for ES.
I did not find an appropriate one to use. Should we create a custom list or would any of the pre-existing ollections work with it?
This PC name contains a domain or any related information? If so, maybe the "ip_intel" would fit your use case.
Also, in case you have not seen it yet, these are the supported types of threat intel in Enterprise Security: https://docs.splunk.com/Documentation/ES/6.1.1/Admin/Supportedthreatinteltypes
In my opinion, the only attention point in case you create a custom list is to validate if your active correlation searches and Threat Activity generating searches will be able to use this custom list.
One other option is to have this PC name in a IOC lookup file and create a custom search for correlating the lookup and your log sources.
thank you for reply.
This is just a local name without any domain.
To be honest I did not examine all correlation searches on methods them correlate with intel tables, hence my question was brought up.
Also I'm in doubt it can compare lists with untypical field (not src, ip, user or other CIM-described field) .
So the idea with custom search that will parse data for a equality looks more appropriate to me as well.
Sure, if you want to take a further look on the Threat Activity rule works on Splunk ES, search for the Saved Searches ending with "Threat Gen", on the DA-ESS-ThreatIntelligence context.
I guess you would even be able to create a Threat Gen search for your custom list, but maybe a simplified approach would be better and faster, such as the lookup file for matching your logs.