Splunk Enterprise Security

Splunk Enterprise Security: How to correlate IOCs within a lookup file with web traffic captured by Splunk?

tyrone_osilesi7
Explorer

Hi,

I have a lookup file tracking IOCs from multiple sources. I'm looking for a way to take this list and ideally generate a notable event in Splunk Enterprise Security if ever web logs show that a user attempted to navigate to an IP or domain within the list. Now that we have this data we need to put it to use. Any suggestions?

0 Karma
1 Solution

starcher
Influencer

http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists

See the section Upload a custom CSV file of threat intelligence

View solution in original post

starcher
Influencer

http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists

See the section Upload a custom CSV file of threat intelligence

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...