Splunk Enterprise Security

Question about improvments regarding IoC in Threat Intel collection

d4wc3k
Path Finder

Hello All on Forum

I have following problem with threat intel in Splunk ES.
I have got IoC, which is IP address and it has been placed in ip_intel.
This triggered alert where ioc IP reached some my external IP on 80 dst port ( It looks like someone accessed my company web-page)
Based on description of malware associated with IoC, It's not threat, risky situation should be in other direction, when my machine tried reach url with this IP.
My question is:
Should I move IP to http_intel collection when I am aware of context ?

I would like ask you also about good practices regarding organizing threat_intel collections.
Should I create more correlation searches, which will cover particular threat or just use one for threat_intel things?

Thanks a lot ans sorry for bad English.
BR
Dawid

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...