I have been searching for a couple of hours for an explanation of what purpose this k/v isBad TRUE serves.
Can you please elaborate on this question?
Please explain the context. What app produced this? Where do you see this keyword/value pair?
https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
index=main sourcetype=stream:*
| lookup sunburstDOMAIN_lookup Domain AS query
| search isBad=TRUE
| stats VALUES(query) AS "Sunburst" by src_ip
In that blog post @rkovar_splunk mentions:
I’ve also started throwing some lookup files into a GitHub repo, which you can explore independently
And sure enough in that repo you'll find sunburstDOMAIN_lookup.csv where every Domain in this lookup has a column isBad set to the string TRUE.
As it stands, with the isBad field on this lookup all set to the same sentinel value, the query is simply an indication that a particular Sunburst-related domain was found in your stream data. And such a use case could even be written without the isBad column, by outputting the field being looked up when it is found, like so:
index=main sourcetype=stream:*
| lookup sunburstDOMAIN_lookup Domain AS query OUTPUT Domain AS SunburstDomain
| where isnotnull(SunburstDomain)
| stats VALUES(query) AS "Sunburst" by src_ip
Having an isBad field makes for a slightly more straightforward query.
But the isBad field can also help you enable some additional use cases... by enabling you to quantify Known OK entries separately from the Known Bad and the Unknown entries that don't show up in the lookup. This would help you drive slightly different use cases to hunt down and verify the unknown, while keeping the use case of remediating the known bad.... Sure, it might not be your use case in this case, or ever, but knowledge is power.
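To make that three-way split concrete, here is an added Python example (not code from the blog post, the GitHub repo, or anyone in this thread) that mimics the lookup and the stats over a constructed lookup table in the shape of sunburstDOMAIN_lookup.csv and a few constructed stream events. The FALSE row, the domain names, the IPs and case-insensitive matching are all assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed lookup in the shape of sunburstDOMAIN_lookup.csv (Domain,isBad).
# The real file sets isBad to TRUE on every row; the FALSE row is a hypothetical
# "Known OK" entry added to show how the column can carry more than one value.
LOOKUP_CSV = """Domain,isBad
c2.bad.example,TRUE
update.bad.example,TRUE
cdn.vendor.example,FALSE
"""

# Constructed stream events: (src_ip, query). None of these are real indicators.
EVENTS = [
    ("10.0.0.5", "c2.bad.example"),
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.9", "cdn.vendor.example"),
    ("10.0.0.9", "update.bad.example"),
    ("10.0.0.12", "intranet.local"),
]

def load_lookup(text):
    """Domain -> isBad string; stands in for '| lookup sunburstDOMAIN_lookup Domain AS query'.
    Keys are lowercased here (assumption: case-insensitive matching)."""
    return {row["Domain"].lower(): row["isBad"] for row in csv.DictReader(io.StringIO(text))}

def classify(query, lookup):
    """The split the isBad column enables: known_bad / known_ok / unknown."""
    is_bad = lookup.get(query.lower())
    if is_bad is None:
        return "unknown"          # no lookup row: isBad would be null in Splunk
    return "known_bad" if is_bad.upper() == "TRUE" else "known_ok"

def sunburst_by_src_ip(events, lookup):
    """'| search isBad=TRUE | stats VALUES(query) AS Sunburst by src_ip'."""
    out = defaultdict(set)
    for src_ip, query in events:
        if classify(query, lookup) == "known_bad":
            out[src_ip].add(query)
    return {ip: sorted(queries) for ip, queries in out.items()}

def count_by_class(events, lookup):
    """Counts per class, for quantifying Known OK vs Known Bad vs Unknown."""
    counts = {"known_bad": 0, "known_ok": 0, "unknown": 0}
    for _, query in events:
        counts[classify(query, lookup)] += 1
    return counts

if __name__ == "__main__":
    lk = load_lookup(LOOKUP_CSV)
    print(sunburst_by_src_ip(EVENTS, lk))
    print(count_by_class(EVENTS, lk))
```

The "unknown" bucket is the one the answer suggests hunting through and verifying; the "known_bad" bucket is what the original query alone surfaces.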