
How do I correlate Splunk alerts with Indicators of Compromise (IOCs)?


Based on the following Splunk alert, I am trying to trace back to an IOC.

rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ
dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC cs2Label=FireEye Agent Version cs2=26.21.10 
cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise 
categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=FIREEYE END2

The goal is to gather as much information as possible from the Splunk alert (IOC IDs, URLs, domain names, etc.), send it to Swimlane, and have it available there to pull any additional data needed from FireEye.

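As an added example (not from the original post, FireEye or Swimlane), here is how a Splunk alert-action script could parse this event: a small parser for the CEF extension that resolves the csNLabel/csN pairs into named fields and selects the values to forward to Swimlane. The event is the post's own alert re-joined onto one line; the Swimlane record field names and the choice of pivot fields are assumptions.

```python
import re

# Constructed sample: the extension portion of the FireEye HX CEF alert from the post,
# re-joined onto one line (IPs/hashes are the post's sanitized placeholders). In a full
# event the CEF header (CEF:0|Vendor|Product|...|) precedes this and is split off on '|'.
RAW_EVENT = (
    "rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation "
    "categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ dst=12.345.67.890 dmac=12-3a-45-67-bc-8d "
    "dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC "
    "cs2Label=FireEye Agent Version cs2=26.21.10 cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS "
    "cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success "
    "categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc "
    "act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert "
    "categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=FIREEYE END2"
)

# A key is a bare identifier followed by '=' at the start or after whitespace; values
# may contain spaces (e.g. "Target OS"), so each value runs up to the next such key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")

def parse_cef_extension(ext):
    """Split a CEF extension string into {key: value}."""
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields

def resolve_labels(fields):
    """Rename custom fields by their label: cs4Label=IOC Name, cs4=FIREEYE END2 becomes
    {'IOC Name': 'FIREEYE END2'}; keys without a label keep their CEF name."""
    return {fields.get(k + "Label", k): v
            for k, v in fields.items() if not k.endswith("Label")}

def build_swimlane_record(raw_event):
    """Select the pivot fields to hand to Swimlane (field names are assumptions, not
    Swimlane's schema; externalId and the agent cert hash are the likely lookup keys in HX)."""
    f = resolve_labels(parse_cef_extension(raw_event))
    return {
        "ioc_name": f.get("IOC Name"),
        "alert_type": f.get("Alert Types"),
        "fireeye_alert_id": f.get("externalId"),
        "agent_cert_hash": f.get("Host Agent Cert Hash"),
        "host": f.get("dhost"),
        "host_ip": f.get("dst"),
        "detected_at": f.get("start"),
        "significance": f.get("categorySignificance"),
    }
```

The resulting dict is what you would serialize with `json.dumps` and post to Swimlane; the labelled fields are worth keeping because the csN numbering can differ between FireEye alert types.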