Here is the scenario:
Currently we are using custom threat intelligence in Splunk Enterprise Security to download the CSV file (Threat Intelligence from internet) which gets downloaded in path C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel\ filename.csv and gets updated every 1 hour.
Now we need to use this filename.csv (which is dynamic file as it get automatically updated).
Can I use this dynamic file as a lookup to compare with firewall IP (If yes what are the steps to use the path mentioned above), as we are developing our app for threat intelligence? Or are there other options we can use?
Thanks in advance 🙂
have you seen/followed this link http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists
specifically the "Adding a custom source", choosing a ip type
and yes, you can use it as a lookup, in ES dashboard, ...
You could use the entire threat framework to do this. Make sure the threat intel download settings are correctly pulling into the ip_intel threat collection. The key is making sure the fields value is configured correctly. If I had a comma delimited file with description, ip the fields value might look like ip:$2 and the delimiter is ,
Once the data comes in cleanly to threat artifacts the lookup gen and threat gen will handle the data just like the built in threat intel and the data gets correlated with all logs not just firewall. Additional refinement could then be done to limit to just firewall.
There are other ways to solve it but this can leverage all the development that is already in place.