Splunk Enterprise Security

How to create a correlation search from a threat intelligence feed?

Other than the documentation I've read on the actual Splunk website, is there anything out there or does anybody have any information on how to create a correlation search based on threat intel feeds? So if I wanted to take malicious IPs that the threat intel feed provides and compare them against logs/traffic we see in Splunk and create an alert...how do I do that?

Thanks.

0 Karma

Re: How to create a correlation search from a threat intelligence feed?

Splunk Employee

Are you looking to leverage the existing threat activity detected correlation search but use an additional data source or are you looking to create a separate set of content? There is no reason you couldn't use the pre-built content to gather, prep, de-duplicate the data and use the existing correlation search with a 3rd party threat feed. At the same time, if you want to have different notable events for this particular threat feed, you could likely take the existing threat activity detected correlation search and perhaps modify it slightly to accommodate this particular threat feed.

0 Karma

Re: How to create a correlation search from a threat intelligence feed?

Thank you for the information!

So my goal is to match the information (IP, domain, email address) we're getting from the threat intel feeds with the data coming from our network/environment and configure alerts when a certain match or threshold has been reached. For example, one of our internal nodes reaching out/communicating with a known malicious IP or domain. It would be useful to set this alert to either go off at first sight of communication or track/alert on trending activity to these malicious places/people. I'm new to Splunk and don't have the resources to get proper training so I'm doing the best I can.

Thank you for your help!

0 Karma

Re: How to create a correlation search from a threat intelligence feed?

Splunk Employee

What you described is what the threat intelligence framework in Enterprise Security is designed to do. The framework will collect this data and deduplicate and apply a data model to the data, so there is some background work we do on the threat intel, but then we are able to use a single correlation search to associate IPs, URLs, file hashes, etc. to the events that are being collected and then give you a way to look at the data both historically or in the present.

If you don't want to use the threat intel framework, you can always load threat intel into a lookup and then write a search that matches the value of a specific kind of log to the watchlist and then triggers an alert on the hits you get, either scheduled or in real time.

The goal of the threat framework inside of ES is that it provides a means of doing this in a vendor agnostic manner leveraging data models.

0 Karma
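A sketch of the lookup-based approach described in the reply above, added here as an example and not taken from the thread or from Splunk's own content. It covers both cases raised earlier in the thread: a single hit ("first sight") and repeated hits over the search window ("trending"). Assumptions: the index `example_network`, the sourcetype `example_firewall`, the lookup definition `example_threat_ip_lookup` (columns `ip`, `threat_source`), the CIM-style event fields `src` and `dest`, and the threshold of 10 are all hypothetical placeholders to replace with your own.

```spl
index=example_network sourcetype=example_firewall earliest=-24h
| lookup example_threat_ip_lookup ip AS dest OUTPUT threat_source
| where isnotnull(threat_source)
| stats count AS hits,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        values(threat_source) AS threat_source
        BY src, dest
| eval alert_type=if(hits >= 10, "trending", "first_sight")
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
```

Saved as a scheduled alert that triggers when the number of results is greater than zero, this produces one row per internal source and listed destination; filter on `alert_type` if only one of the two cases should alert.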

Re: How to create a correlation search from a threat intelligence feed?

Okay, that's kind of what I hoped. I think the main problem is, I don't know how to use it properly yet and need to make more sense out of it. I've seen the short videos Splunk has on the Threat Intelligence stuff, but do you know of any training materials that are more comprehensive?

Thanks for your help btw.

0 Karma

Re: How to create a correlation search from a threat intelligence feed?

Splunk Employee

If you are doing a lookup without the threat framework, the search and reporting classes that cover lookups will help on that. For the threat framework, I am not aware of a set of training materials to point you to aside from the docs.

This page is fairly robust in terms of threat intel coverage and how the data is consumed: http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists

Hope this helps.

0 Karma