In the Threat Activity Detected IR correlation search, it calls for stuff from the "Threat Intelligence" Data Model. As an example, an IP has been found to be malicious, and it only reports on DNS logs within my environment. What do I need to do to the "IP Intel" Dataset to have it include logs from my firewall? Would I just need to add "index=checkpoint sourcetype=opsec" to the current base search for "IP Intel"? What I am trying to accomplish is to have the results not only show the DNS logs for that IP, but also include the firewall logs. This way I can have the alert only fire when it sees DNS and a connection outbound to that IP. Any help would be greatly appreciated.
Another example why I need to figure this out, are that any correlation searches that state "from datamodel" dealing with windows events are only giving me logs from one index, "winevent". I also have an index "dc_winevent" and one called "rc_winevent". Why are these not being searched\parsed out by the datasets? How do I add them?