Actually, this is already happening. If you look at the search "Threat - Source And Destination Matches - Threat Gen", this search is matching threat IPs to traffic on your network and is a building block for the datamodel and creates the sourcetype "stash." The search is only looking at "allowed" traffic.
Further, the scheduled search is:
| `src_dest_tstats("allowed")` | `truncate_domain_dedup(src)` | `truncate_domain_dedup(dest)` | `threatintel_multilookup(src)` | `threatintel_multilookup(dest)` | search threat_collection_key=* | fields - count | `zipexpand_threat_matches` | fields sourcetype,src,dest,threat*,weight
One option is you could change the "allowed" to "blocked". What this would result in is identifying potential high-risk endpoints that, while blocked from communicating at this time, might be a future indicator or source of compromise.
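To make the effect of that one-word change concrete, here is an added Python model of the scheduled search above (it is not Splunk ES code and does not reproduce the real macros; the events and threat-list entries are constructed, and the expansion step is a simplified assumption about what `zipexpand_threat_matches` yields):

```python
# Added example (not Splunk ES code): a small Python model of the pipeline in
# "Threat - Source And Destination Matches - Threat Gen", to show what changes
# when the action filter is switched from "allowed" to "blocked".
# All events and threat-list entries below are constructed sample data.

from collections import Counter

# Constructed threat collection: indicator -> (threat_collection_key, weight).
THREAT_COLLECTION = {
    "203.0.113.10": ("ip_intel_sample", 60),
    "198.51.100.7": ("ip_intel_sample", 80),
}

# Constructed network-traffic events, as the datamodel would summarize them.
EVENTS = [
    {"action": "allowed", "src": "10.0.0.5", "dest": "203.0.113.10"},
    {"action": "allowed", "src": "10.0.0.5", "dest": "93.184.216.34"},
    {"action": "blocked", "src": "10.0.0.9", "dest": "198.51.100.7"},
    {"action": "blocked", "src": "198.51.100.7", "dest": "10.0.0.9"},
    {"action": "blocked", "src": "10.0.0.9", "dest": "198.51.100.7"},
]

def src_dest_tstats(events, action):
    """Model of `src_dest_tstats(action)`: count src/dest pairs with that action."""
    return Counter((e["src"], e["dest"]) for e in events if e["action"] == action)

def threat_matches(events, action):
    """Model of the whole search: tstats -> lookup src/dest -> keep matches -> expand."""
    rows = []
    for (src, dest), _count in src_dest_tstats(events, action).items():
        # `threatintel_multilookup` on src and on dest; the expansion step is
        # assumed to yield one row per matching field, so a pair can give two rows.
        for field, value in (("src", src), ("dest", dest)):
            hit = THREAT_COLLECTION.get(value)
            if hit is None:
                continue  # same effect as `search threat_collection_key=*`
            key, weight = hit
            rows.append({"src": src, "dest": dest, "threat_match_field": field,
                         "threat_match_value": value, "threat_collection_key": key,
                         "weight": weight})
    return rows

if __name__ == "__main__":
    for action in ("allowed", "blocked"):
        print(action, threat_matches(EVENTS, action))
```

With the sample data, "allowed" surfaces only the internal host that reached a listed destination, while "blocked" surfaces the host that kept trying to reach a listed IP and the listed IP that tried to reach it, which is the "potential high-risk endpoint" view described above.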