WEEK_3 · DAY_21 · 1 HOUR
Threat Intel + Asset & Identity
Enrich every event with context — feeds, assets, identities
Learning Objectives
- Add a custom threat intel feed (IPs, domains, hashes)
- Build the Asset framework (CSV → ES)
- Build the Identity framework (HR + AD → ES)
- See urgency change automatically based on asset/identity priority
Module 1 — Threat Intel Framework
ES ships with default feeds; add custom CSV, STIX or TAXII sources via Configure → Data Enrichment → Threat Intelligence Management. When adding a CSV source, map its columns onto the intel field names ES expects (ip, domain, file_hash, description, …); an unmapped feed downloads but never matches.
Parsed indicators land in per-type KV store collections (ip_intel, domain_intel, file_intel, …). The Threat Gen searches compare indexed events against those collections every 5 min, write hits to the threat_activity index, and the Threat Activity Detected correlation search turns each hit into a Threat Match notable.
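An offline model of the threat-match step, added here as an example (it is not Splunk's own code): the feed, the events and the field-to-collection mapping are constructed, the collection names mirror the ES defaults, and the matching itself is a simplification of the real Threat Gen searches. The point it shows is normalisation: a feed that is matched without canonicalising case, trailing dots and hash case silently misses events.

```python
"""Offline model of the ES threat-match step for a custom CSV feed.

Added example, not Splunk code. The feed, the events and the field-to-
collection mapping are constructed; the collection names mirror ES
defaults (ip_intel, domain_intel, file_intel) but the matching is a
simplification of the real Threat Gen searches.
"""
import csv
import io
import ipaddress

# Constructed three-column feed; in ES you would map these columns onto
# the intel fields (ip, domain, file_hash, description) when adding the source.
FEED_CSV = """indicator,type,description
203.0.113.7,ip,C2 node seen in phishing campaign
evil-updates.example,domain,staged payload host
44d88612fea8a8f36de82e1278abb02f,hash,EICAR test file (md5)
"""

# Event fields checked against each collection (assumed subset of ES's list).
FIELD_MAP = {
    "ip_intel": ("src", "dest"),
    "domain_intel": ("query", "url_domain"),
    "file_intel": ("file_hash",),
}
KIND_OF = {"ip_intel": "ip", "domain_intel": "domain", "file_intel": "hash"}
COLLECTION_OF = {v: k for k, v in KIND_OF.items()}


def normalize(kind, value):
    """Canonicalise an indicator so feed and event values compare equal:
    IPs in canonical form, domains lower-case without trailing dot,
    hashes lower-case. Raises ValueError for an unparsable IP."""
    v = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(v))
    if kind == "domain":
        return v.lower().rstrip(".")
    if kind == "hash":
        return v.lower()
    raise ValueError(f"unknown indicator type {kind!r}")


def load_feed(text):
    """Parse a CSV feed into {collection: {indicator: description}}."""
    collections = {name: {} for name in KIND_OF}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        collections[COLLECTION_OF[kind]][normalize(kind, row["indicator"])] = row["description"]
    return collections


def threat_match(events, collections):
    """Return one threat_activity-style record per (event, field) hit."""
    hits = []
    for ev in events:
        for coll, fields in FIELD_MAP.items():
            for f in fields:
                if f not in ev:
                    continue
                try:
                    val = normalize(KIND_OF[coll], ev[f])
                except ValueError:
                    continue  # a value that does not parse cannot match
                if val in collections[coll]:
                    hits.append({
                        "threat_match_field": f,
                        "threat_match_value": val,
                        "threat_collection": coll,
                        "threat_description": collections[coll][val],
                        "src": ev.get("src"),
                        "dest": ev.get("dest"),
                    })
    return hits


# Constructed events, not real logs. Case and trailing-dot differences are
# deliberate: without normalisation the second and third would be missed.
EVENTS = [
    {"src": "10.1.2.3", "dest": "203.0.113.7"},
    {"src": "10.1.2.9", "query": "EVIL-UPDATES.example."},
    {"src": "10.1.2.4", "dest": "198.51.100.10",
     "file_hash": "44D88612FEA8A8F36DE82E1278ABB02F"},
    {"src": "10.1.2.5", "dest": "198.51.100.11"},
    {"src": "10.1.2.6", "url_domain": "updates.example"},
]


def run(events=EVENTS, feed=FEED_CSV):
    return threat_match(events, load_feed(feed))


if __name__ == "__main__":
    for h in run():
        print(h["threat_match_field"], h["threat_match_value"], "<-", h["threat_description"])
```

Three of the five constructed events match (the C2 IP, the DNS query despite its case and trailing dot, and the upper-cased hash); "updates.example" does not, because matching is on the whole indicator, not a substring.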
Module 2 — Asset Framework
CSV in the ES asset lookup format: ip, mac, nt_host, dns (hostname), owner, bunit (business unit), category (pipe-delimited, e.g. pci|hipaa|pii), pci_domain, priority (low/medium/high/critical). ES merges the enabled asset lookups and resolves src/dest by IP, hostname or MAC, so every event and notable picks up src_priority, dest_priority and the other asset fields automatically.
Priority drives the urgency calculation together with the correlation search's severity: a PCI host tagged priority=high hit by a medium-severity rule yields a high-urgency notable.
Module 3 — Identity Framework
CSV in the ES identity lookup format: identity (username as it appears in logs), email, managedBy (manager), bunit, category (e.g. executive|admin, where an HR "title" belongs), watchlist (true/false), priority (low/medium/high/critical). Columns from the HR and AD exports have to be mapped onto these names before the lookup is enabled.
Drives the same urgency boost through user_priority: an executive or admin user under attack escalates faster from the same rule. Put the accounts you care most about (execs, privileged admins, departing staff) on the watchlist as well as giving them a priority.
Module 4 — Pyramid of Pain Revisited
TI feeds catch the bottom of the pyramid (IPs, domains, hashes): cheap to match, and cheap for the adversary to rotate. Asset/Identity catches nothing on its own; it attaches business context (priority, category, owner, watchlist) to whatever a detection fires on, including the TTP-based correlation searches at the top, so the same behaviour is ranked by what it touches.
Together, they make ES detections business-aware.
Lab 21 — Wire Asset & Identity
- Open Splunk ES → Configure → Data Enrichment → Asset and Identity Management.
- Draft assets.csv (10 rows) and identities.csv (10 rows) in the ES column names.
- Tag 2 hosts as priority=critical (PCI), 1 user as priority=critical (CFO).
- Predict: which Notable Events would now escalate to urgency=critical?
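The lab worked through offline, as an added example rather than Splunk's own code: the two CSVs are constructed in ES's asset and identity column names (2 PCI hosts and the CFO at priority=critical, as the lab asks), the URGENCY table is the default ES urgency lookup as documented (it is an editable lookup, so confirm it on your instance), and taking the highest priority across src, dest and user is this model's assumption about how ES picks the priority for a notable. The correlation search names are illustrative.

```python
"""Offline model of ES asset/identity enrichment and urgency for Lab 21.

Added example, not Splunk code: assets.csv and identities.csv are
constructed, URGENCY is the documented ES default (editable on a real
instance), and "highest priority wins" is this model's assumption.
"""
import csv
import io

# Constructed asset list in ES asset-lookup column names.
ASSETS_CSV = """ip,nt_host,dns,owner,priority,bunit,category,pci_domain
10.10.1.10,pci-db-01,pci-db-01.corp.example,dba-team,critical,payments,pci|database,cardholder
10.10.1.11,pci-app-01,pci-app-01.corp.example,app-team,critical,payments,pci|web,cardholder
10.10.1.12,pci-jump-01,pci-jump-01.corp.example,secops,high,payments,pci|bastion,trust
10.10.2.10,hr-db-01,hr-db-01.corp.example,hr-it,high,hr,pii|database,
10.10.2.11,hr-app-01,hr-app-01.corp.example,hr-it,medium,hr,pii|web,
10.10.3.10,fileshare-01,fileshare-01.corp.example,infra,medium,corp,fileserver,
10.10.3.11,print-01,print-01.corp.example,infra,low,corp,printer,
10.10.4.10,ws-alice,ws-alice.corp.example,alice,low,finance,workstation,
10.10.4.11,ws-bob,ws-bob.corp.example,bob,low,eng,workstation,
10.10.4.12,ws-carol,ws-carol.corp.example,carol,low,eng,workstation,
"""

# Constructed identity list in ES identity-lookup column names.
IDENTITIES_CSV = """identity,email,managedBy,bunit,category,watchlist,priority
cfo,cfo@corp.example,ceo,finance,executive,true,critical
ceo,ceo@corp.example,,exec,executive,true,high
alice,alice@corp.example,cfo,finance,finance,false,medium
bob,bob@corp.example,eng-mgr,eng,engineer,false,low
carol,carol@corp.example,eng-mgr,eng,engineer,false,low
eng-mgr,eng-mgr@corp.example,ceo,eng,manager,false,medium
svc-backup,,infra-mgr,corp,service,false,high
dba-admin,dba@corp.example,infra-mgr,payments,admin|dba,true,high
hr-admin,hr@corp.example,hr-mgr,hr,admin,false,high
contractor1,c1@vendor.example,eng-mgr,eng,contractor,true,medium
"""

PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITIES = ["informational", "low", "medium", "high", "critical"]

# Default ES urgency lookup: row = asset/identity priority, column = severity.
URGENCY = {
    "unknown":  ["informational", "low", "medium", "high", "critical"],
    "low":      ["informational", "informational", "low", "medium", "high"],
    "medium":   ["informational", "low", "medium", "high", "critical"],
    "high":     ["low", "medium", "high", "critical", "critical"],
    "critical": ["medium", "high", "critical", "critical", "critical"],
}


def load_lookup(text, *key_columns):
    """Index a CSV by every non-empty value in the given key columns."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        for col in key_columns:
            if row.get(col):
                index[row[col].lower()] = row
    return index


def enrich(notable, assets, identities):
    """Add src/dest_priority from assets and user_priority from identities,
    the way ES's automatic lookups do; unmatched fields become 'unknown'."""
    out = dict(notable)
    for f in ("src", "dest"):
        hit = assets.get(str(notable.get(f, "")).lower())
        out[f + "_priority"] = hit["priority"] if hit else "unknown"
    hit = identities.get(str(notable.get("user", "")).lower())
    out["user_priority"] = hit["priority"] if hit else "unknown"
    return out


def urgency(enriched, severity):
    """Highest matched priority (model assumption) x rule severity -> urgency."""
    best = max((enriched[k] for k in ("src_priority", "dest_priority", "user_priority")),
               key=lambda p: PRIORITY_RANK[p])
    return URGENCY[best][SEVERITIES.index(severity)]


# Constructed notables: (rule name, rule severity, notable fields).
NOTABLES = [
    ("Brute Force Access Behavior Detected", "medium", {"src": "203.0.113.5", "dest": "pci-db-01", "user": "svc-backup"}),
    ("Brute Force Access Behavior Detected", "medium", {"src": "203.0.113.5", "dest": "ws-bob", "user": "bob"}),
    ("Excessive Failed Logins", "medium", {"src": "10.10.4.10", "user": "cfo"}),
    ("Malware Detected", "high", {"dest": "hr-db-01", "user": "hr-admin"}),
    ("Malware Detected", "high", {"dest": "print-01", "user": "carol"}),
    ("Unknown host", "medium", {"dest": "10.99.0.1", "user": "nobody"}),
]


def score_all(notables=NOTABLES):
    assets = load_lookup(ASSETS_CSV, "ip", "nt_host", "dns")
    identities = load_lookup(IDENTITIES_CSV, "identity", "email")
    return [(name, urgency(enrich(fields, assets, identities), sev))
            for name, sev, fields in notables]


if __name__ == "__main__":
    for name, u in score_all():
        print(f"{u:<9} {name}")
```

Prediction the model gives: the medium rule on pci-db-01 and the medium rule involving the CFO both come out critical, the same medium rule on ws-bob stays low, and an unknown host with an unknown user stays at the rule's own severity. The trap in the question is the fourth row: a high-severity rule on a merely high-priority host (hr-db-01) is also critical, so "only the critical-tagged rows escalate" is the wrong answer.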
Key Takeaways
- ✓TI feeds catch IOCs; A&I catches business context
- ✓Same rule + critical asset = critical notable (automatically)
- ✓A&I is the highest-leverage admin work in ES