Splunk Enterprise Security

Is it possible to set up retrospective searches based on new threat intelligence indicators in ES?

dm1
Contributor

As the title says, I am looking to set up retrospective searches based on new threat intelligence indicators in ES.

Is it possible? If yes, can someone please suggest the best way to do this?


chaker
Contributor

Hi @dm1 

This is possible, but I have not done it before. I can point you in the right direction.

Be sure you have read and understood the ES Threat Intel framework:
https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework

Go to this URL in your ES environment. These are the threat match specifications. Do not modify these, the only field you are interested in is the "Threat matching search specification". You will use this value in your own input.
en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/threatmatch

On that same page, click the "New" button. Paste the search specification into the provided field, and set the earliest time and latest time to suit your requirement for retrospective searches. Make sure you tick "More Settings", as you will need to set the index for the threat events to be written to.

Keep in mind the max age of your threat intel and relevance to the age of your data you are comparing with.

Hope this helps.
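To make the two knobs in the answer above concrete (the earliest/latest window on the input, and the max age of the intel relative to the data), here is an added stand-alone model of a retrospective threat-match run. It is example code, not ES's own implementation; the field names, indicator sources and sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str        # the observable, e.g. an IP address
    source: str       # which intel collection it came from (constructed names)
    added: datetime   # when it entered the collection


@dataclass(frozen=True)
class Event:
    time: datetime
    fields: dict      # field name -> value, e.g. {"dest_ip": "..."}


def retrospective_match(events, indicators, earliest, latest, max_age, match_fields, now):
    """Return one match record per (event, indicator) hit.

    Only indicators no older than max_age (as of now) are live, and only events
    timestamped inside [earliest, latest] are compared, mirroring the time window
    and intel-age considerations described in the answer above.
    """
    live = {}
    for ind in indicators:
        if now - ind.added <= max_age:        # stale intel is not matched
            live.setdefault(ind.value, []).append(ind)
    matches = []
    for ev in events:
        if not earliest <= ev.time <= latest:  # outside the retrospective window
            continue
        for field in match_fields:
            for ind in live.get(ev.fields.get(field), []):
                matches.append({"time": ev.time, "field": field,
                                "value": ind.value, "source": ind.source})
    return matches


def run_example():
    # Constructed sample data; addresses come from RFC 5737 documentation ranges.
    now = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

    def days_ago(n):
        return now - timedelta(days=n)

    events = [
        Event(days_ago(20), {"dest_ip": "203.0.113.5"}),   # in window, fresh indicator
        Event(days_ago(40), {"dest_ip": "203.0.113.5"}),   # older than the 30-day window
        Event(days_ago(3), {"dest_ip": "198.51.100.7"}),   # indicator exists but is stale
        Event(days_ago(1), {"dest_ip": "192.0.2.1"}),      # no indicator at all
    ]
    indicators = [
        Indicator("203.0.113.5", "constructed_feed_a", added=days_ago(2)),
        Indicator("198.51.100.7", "constructed_feed_b", added=days_ago(30)),
    ]
    return retrospective_match(events, indicators, earliest=days_ago(30), latest=now,
                               max_age=timedelta(days=14), match_fields=["dest_ip"], now=now)
```

Of the four sample events only the first produces a match: the second falls outside the window, the third hits an indicator that has aged out, and the fourth has no indicator.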

dm1
Contributor

Thanks @chaker for giving such a valuable suggestion. I will definitely give it a try and update on its outcome.
