<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to correlate Splunk alerts with Indicators Of Compromise (IOC)? in Alerting</title>
    <link>https://community.splunk.com/t5/Alerting/How-to-correlate-Splunk-alerts-with-Indicators-Of-Compromise-IOC/m-p/459834#M8146</link>
    <description>&lt;P&gt;Based on the following Splunk Alert I am trying to trace back to an IOC. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ
dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC cs2Label=FireEye Agent Version cs2=26.21.10 
cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise 
categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise 
indication. cs4Label=IOC Name cs4=FIREEYE END2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The goal is to gather as much information as possible from the Splunk alert (IOC IDs/URL/Domain Name, etc.), send it to Swimlane, and have it available to pull any additional data necessary from FireEye.&lt;/P&gt;</description>
    <pubDate>Wed, 25 Jul 2018 19:42:40 GMT</pubDate>
    <dc:creator>djbcvp</dc:creator>
    <dc:date>2018-07-25T19:42:40Z</dc:date>
    <item>
      <title>How to correlate Splunk alerts with Indicators Of Compromise (IOC)?</title>
      <link>https://community.splunk.com/t5/Alerting/How-to-correlate-Splunk-alerts-with-Indicators-Of-Compromise-IOC/m-p/459834#M8146</link>
      <description>&lt;P&gt;Based on the following Splunk Alert I am trying to trace back to an IOC. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ
dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC cs2Label=FireEye Agent Version cs2=26.21.10 
cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise 
categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise 
indication. cs4Label=IOC Name cs4=FIREEYE END2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The goal is to gather as much information as possible from the Splunk alert (IOC IDs/URL/Domain Name, etc.), send it to Swimlane, and have it available to pull any additional data necessary from FireEye.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jul 2018 19:42:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/How-to-correlate-Splunk-alerts-with-Indicators-Of-Compromise-IOC/m-p/459834#M8146</guid>
      <dc:creator>djbcvp</dc:creator>
      <dc:date>2018-07-25T19:42:40Z</dc:date>
    </item>
  </channel>
</rss>

