Alerting

How to correlate Splunk alerts with Indicators Of Compromise (IOC)?

djbcvp
New Member

Based on the following Splunk alert, I am trying to trace back to an IOC.

rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC cs2Label=FireEye Agent Version cs2=26.21.10 cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=FIREEYE END2

The goal is to gather as much information as possible from the Splunk alert (IOC IDs, URLs, domain names, etc.), send it to Swimlane, and have it available there to pull any additional data necessary from FireEye.

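The event in the post is the extension part of a CEF record (the `CEF:0|vendor|product|...|` header is not shown). The difficulty in getting usable fields out of it is that CEF values may contain spaces (`categoryDeviceType=Forensic Investigation`, `rt=Jul 18 2018 02:47:29 UTC`), and the meaning of the FireEye custom fields lives in a sibling `*Label` key (`cs4Label=IOC Name cs4=FIREEYE END2`). The following is an added example, not code from the original post, Splunk, FireEye or Swimlane: it parses the posted event into key/value pairs, resolves the `csN`/`deviceCustomDateN` labels, and assembles a record that could be handed to Swimlane. The field names in the output record are this example's own choice; treating `externalId` as the FireEye alert identifier for follow-up lookups is an assumption to confirm against your HX version.

```python
import ipaddress
import re
from typing import Dict, Optional

# The CEF extension exactly as posted above (the CEF header is not part of the post,
# so this parser deliberately works on the key=value extension only).
SAMPLE_EVENT = (
    "rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS "
    "categoryDeviceType=Forensic Investigation categoryObject=/Host "
    "cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ "
    "dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP "
    "deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC "
    "cs2Label=FireEye Agent Version cs2=26.21.10 "
    "cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS "
    "cs6=Windows Server 2012 R2 Standard 9600 externalId=34 "
    "start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise "
    "categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc "
    "act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert "
    "categoryTupleDescription=A Detection IOC found a compromise indication. "
    "cs4Label=IOC Name cs4=FIREEYE END2"
)

# A CEF extension key is a run of [A-Za-z0-9_] directly followed by '=' and
# preceded by whitespace or the start of the string.  A value runs from that '='
# up to the start of the next key, which is why values may legitimately contain
# spaces.  A literal '=' inside a value is escaped as '\=' per the CEF spec, and
# the lookbehind/key-char requirement keeps such escapes from being taken as keys.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split a CEF extension string into {key: value}, preserving spaces in values."""
    matches = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        # Undo CEF escaping of '=' and '\' inside values.
        value = value.replace(r"\=", "=").replace("\\\\", "\\")
        fields[m.group(1)] = value
    return fields


def resolve_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Map each csN/deviceCustomDateN field to the human name in its *Label sibling.

    Example: cs4Label=IOC Name cs4=FIREEYE END2  ->  {"IOC Name": "FIREEYE END2"}
    """
    labelled: Dict[str, str] = {}
    for key, label in fields.items():
        if key.endswith("Label"):
            base = key[: -len("Label")]
            if base in fields:
                labelled[label] = fields[base]
    return labelled


def _is_ip(value: Optional[str]) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address; used as a sanity check."""
    try:
        ipaddress.ip_address(value or "")
        return True
    except ValueError:
        return False


def build_swimlane_record(raw_event: str) -> dict:
    """Assemble the fields a case-management record would need from one FireEye CEF event.

    Output key names are this example's own choice, not a Swimlane schema.
    """
    fields = parse_cef_extension(raw_event)
    custom = resolve_custom_labels(fields)
    dst = fields.get("dst")
    return {
        "ioc_name": custom.get("IOC Name"),
        "alert_type": custom.get("Alert Types"),
        "resolution": custom.get("Resolution"),
        "significance": fields.get("categorySignificance"),
        "host": fields.get("dhost"),
        "host_domain": fields.get("dntdom"),
        "host_ip": dst,
        # The posted dst (12.345.67.890) is not a routable address, so flag rather than trust it.
        "host_ip_valid": _is_ip(dst),
        "host_mac": fields.get("dmac"),
        "agent_cert_hash": custom.get("Host Agent Cert Hash"),
        "agent_version": custom.get("FireEye Agent Version"),
        "target_os": custom.get("Target OS"),
        # Assumption: externalId is the FireEye HX alert id to use for follow-up lookups.
        "fireeye_alert_id": fields.get("externalId"),
        "receipt_time": fields.get("rt"),
        "start_time": fields.get("start"),
        "raw": raw_event,
    }


if __name__ == "__main__":
    for k, v in build_swimlane_record(SAMPLE_EVENT).items():
        if k != "raw":
            print(f"{k}: {v}")
```

Two practical caveats. Splunk's automatic `key=value` extraction stops a value at the next whitespace, so a field like `categoryDeviceType` would come through as `Forensic` unless you re-parse `_raw` the way this example does (in the alert action or in the Swimlane-side consumer). And `cs4` only gives the IOC name (`FIREEYE END2`), not the indicators behind it, so the record should carry the host identifiers and the alert id so that whatever FireEye lookup Swimlane performs can fetch the actual hit details.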