Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a correlation search based on data provided by SANS Threat Intelligence?

Kitag345
Explorer
‎02-17-2023 09:27 AM

 

Hello,

I would like to request guidance on how to create a correlation search based on data provided by SANS Threat Intelligence from https://isc.sans.edu/block.txt

The malicious IPs from "block.txt" are updated regularly. How can my correlation search track that change in real-time? What queries to use?

Notes: The SANS Threat Intel has already been enabled. 

 

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nyc_jason
Splunk Employee
Splunk Employee
‎02-17-2023 09:43 AM

consider using the PAVO Getwatchlist add-on, then you can do this:

nyc_jason_0-1676655724605.png

Or for performance, schedule the search every 30min, and pipe it to a lookup. then run your search using the lookup for matches.

View solution in original post

Reply
Solved! Jump to solution
Solution

nyc_jason
Splunk Employee
Splunk Employee
‎02-17-2023 09:43 AM

consider using the PAVO Getwatchlist add-on, then you can do this:

nyc_jason_0-1676655724605.png

Or for performance, schedule the search every 30min, and pipe it to a lookup. then run your search using the lookup for matches.

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top