As the title suggests, I have some general questions regarding the threat list activity dashboard.
Q1: Where does it get input from?
Q2: Does it use a database? if so, what are they?
Q3: How does it correlate data?
any other detailed information (scenarios..etc) about this dashboard are appreciated
I apologize beforehand if my questions sound very basic. I'm just a beginner who's trying to get a better understanding of splunk's workings, and the documentation provided for this specific dashboard is not enough in my opinion.
The threat lists input comes from various sources. You can view or modify them from Configure / Data enrichment / Threats lists.
It is based on lookups (try | inputlookup threatlistlookupby_cidr for example), so stored in files (all sources are merged in one or several lookups), and for the correlation, it is based on lookup functions.