Splunk Enterprise Security

Is it possible to set up retrospective searches based on new threat intelligence indicators in ES?

dm1
Contributor

As the title says, I am looking to set up retrospective searches based on new threat intelligence indicators in ES.

Is it possible? If yes, can someone please suggest the best way to do this?


chaker
Contributor

Hi @dm1 

This is possible, but I have not done it before. I can point you in the right direction.

Be sure you have read and understood the ES Threat Intel framework:
https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework

Go to this URL in your ES environment. These are the threat match specifications. Do not modify these, the only field you are interested in is the "Threat matching search specification". You will use this value in your own input.
en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/threatmatch

On that same page, click the "New" button. Paste the search specification into the provided field, and set the earliest time and latest time to suit your requirement for retrospective searches. Make sure you tick "More Settings", as you will need to set the index for the threat events to be written to.

Keep in mind the max age of your threat intel and relevance to the age of your data you are comparing with.

Hope this helps.
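
Added example (not from the answer above and not Splunk's own threat match search specification): the same retrospective check written as an ad-hoc SPL search, useful for validating what a scheduled threatmatch input would produce before you create it. It assumes firewall traffic in an index named `firewall` with a `dest` field, the ES `ip_intel` KV store lookup keyed on an `ip` field, and a 30-day lookback; the index name, field names and window are assumptions to adjust for your environment.

```spl
index=firewall earliest=-30d@d latest=now
| fields _time src dest action
| lookup ip_intel ip AS dest OUTPUT threat_key description
| where isnotnull(threat_key)
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY dest threat_key description
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

The `earliest`/`latest` pair is the part that makes the search retrospective; widen it to cover the age of data you care about, but keep the answer's caveat in mind: an indicator that has aged out of your threat intel, or data older than the indicator is meaningful for, will produce matches that are not worth triaging.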

dm1
Contributor

Thanks @chaker for giving such a valuable suggestion. I will definitely give it a try and update on its outcome.
