Splunk Enterprise Security
Highlighted

Splunk Enterprise Security: How to correlate IOCs within a lookup file with web traffic captured by Splunk?

Hi,

I have a lookup file tracking IOCs from multiple sources. I'm looking for a way to take this list and ideally generate a notable event in Splunk Enterprise Security if ever web logs show that a user attempted to navigate to an IP or domain within the list. Now that we have this data we need to put it to use. Any suggestions?

0 Karma
Highlighted

Re: Splunk Enterprise Security: How to correlate IOCs within a lookup file with web traffic captured by Splunk?

SplunkTrust
SplunkTrust

http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists

See the section Upload a custom CSV file of threat intelligence

View solution in original post