As the title says, I am looking to set up retrospective searches based on new threat intelligence indicators in ES.
Is it possible? If yes, can someone please suggest the best way to do this?
Hi @dm1
This is possible, but I have not done it before. I can point you in the right direction.
Be sure you have read and understood the ES Threat Intel framework:
https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework
Go to this URL in your ES environment. These are the threat match specifications. Do not modify these, the only field you are interested in is the "Threat matching search specification". You will use this value in your own input.
en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/threatmatch
On that same page, click the "New" button. Paste the search specification into the provided field, and set the earliest time and latest time to suit your requirement for retrospective searches. Make sure you tick "More Settings", as you will need to set the index for the threat events to be written to.
Keep in mind the max age of your threat intel and relevance to the age of your data you are comparing with.
Hope this helps.
Thanks @chaker for giving such a valuable suggestion. I will definitely give it a try and update on its outcome.