Splunk Enterprise Security

How to create a correlation search from a threat intelligence feed?

jamesatwork703
Engager

Other than the documentation I've read on the actual Splunk website, is there anything out there or does anybody have any information on how to create a correlation search based on threat intel feeds? So if I wanted to take malicious IPs that the threat intel feed provides and compare them against logs/traffic we see in Splunk and create an alert...how do I do that?

Thanks.

0 Karma

jstoner_splunk
Splunk Employee

Are you looking to leverage the existing threat activity detected correlation search but use an additional data source or are you looking to create a separate set of content? There is no reason you couldn't use the pre-built content to gather, prep, de-duplicate the data and use the existing correlation search with a 3rd party threat feed. At the same time, if you want to have different notable events for this particular threat feed, you could likely take the existing threat activity detected correlation search and perhaps modify it slightly to accommodate this particular threat feed.

0 Karma

jamesatwork703
Engager

Thank you for the information!

So my goal is to match the information (IP, domain, email address) we're getting from the threat intel feeds with the data coming from our network/environment and configure alerts when a certain match or threshold has been reached. For example, one of our internal nodes reaching out/communicating with a known malicious IP or domain. It would be useful to set this alert to either go off at first sight of communication or track/alert on trending activity to these malicious places/people. I'm new to Splunk and don't have the resources to get proper training so I'm doing the best I can.

Thank you for your help!

0 Karma

jstoner_splunk
Splunk Employee

What you described is what the threat intelligence framework in Enterprise Security is designed to do. The framework will collect this data, deduplicate it and apply a data model to the data, so there is some background work we do on the threat intel, but then we are able to use a single correlation search to associate IPs, URLs, file hashes, etc. to the events that are being collected and then give you a way to look at the data both historically or in the present.

If you don't want to use the threat intel framework, you can always load threat intel into a lookup and then write a search that matches the value of a specific kind of log to the watchlist and then trigger an alert on the hits you get, either scheduled or in real time.

The goal of the threat framework inside of ES is that it provides a means of doing this in a vendor agnostic manner leveraging data models.

0 Karma
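As an added example, not from this thread or from ES's own threat-intel content, here is the lookup-based approach jstoner_splunk describes written as .conf stanzas: a CSV watchlist of malicious IPs, its lookup definition, and two scheduled searches that match destination IPs from the Network_Traffic data model against it, one for first-sight alerting and one for trending activity. The lookup name, CSV columns, stanza names, schedules and thresholds are all assumptions.

```ini
# transforms.conf -- lookup definition (stanza, file and column names are assumptions, not ES defaults)
[threat_watchlist]
filename = threat_watchlist.csv
case_sensitive_match = false

# threat_watchlist.csv, placed in the app's lookups/ directory (constructed sample rows):
#   indicator,indicator_type,threat_source
#   203.0.113.45,ip,feed-alpha
#   198.51.100.9,ip,feed-beta

# savedsearches.conf -- fire on first sight: any internal host talking to a watchlisted IP,
# read from the accelerated Network_Traffic data model, throttled per src/dest pair for 24h
[Threat - Watchlist IP Match - Rule]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
search = | tstats summariesonly=true count min(_time) as first_seen max(_time) as last_seen \
    from datamodel=Network_Traffic.All_Traffic \
    by All_Traffic.src_ip All_Traffic.dest_ip \
  | rename All_Traffic.* as * \
  | lookup threat_watchlist indicator as dest_ip OUTPUT indicator_type threat_source \
  | where isnotnull(threat_source) \
  | convert ctime(first_seen) ctime(last_seen) \
  | table first_seen last_seen src_ip dest_ip threat_source count
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.suppress = 1
alert.suppress.fields = src_ip,dest_ip
alert.suppress.period = 24h

# savedsearches.conf -- trending variant: hosts that keep talking to a watchlisted IP
# across many hours of the day, rather than a single hit
[Threat - Watchlist IP Trend - Rule]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = | tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic \
    by _time span=1h All_Traffic.src_ip All_Traffic.dest_ip \
  | rename All_Traffic.* as * \
  | lookup threat_watchlist indicator as dest_ip OUTPUT threat_source \
  | where isnotnull(threat_source) \
  | stats sum(count) as connections dc(_time) as active_hours by src_ip dest_ip threat_source \
  | where active_hours >= 6
counttype = number of events
relation = greater than
quantity = 0
```

The `summariesonly=true` searches only return results once the Network_Traffic data model is accelerated; drop that flag to fall back to raw events at the cost of speed. The lookup matches exact IPs only, so indicators published as CIDR ranges or domains need a separate lookup definition (or the ES threat framework's own handling).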

jamesatwork703
Engager

Okay, that's kind of what I hoped. I think the main problem is, I don't know how to use it properly yet and need to make more sense out of it. I've seen the short videos Splunk has on the Threat Intelligence stuff, but do you know of any training materials that are more comprehensive?

Thanks for your help btw.

0 Karma

jstoner_splunk
Splunk Employee

If you are doing a lookup without the threat framework, the search and reporting classes that cover lookups will help on that. For the threat framework, I am not aware of a set of training materials to point you to aside from the docs.

This page is fairly robust in terms of threat intel coverage and how the data is consumed: http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists

Hope this helps.

0 Karma