Solved: What happens to weight of duplicate imported Threa...

rookiemonster · ‎10-13-2022

When I import a Threat Intelligence source that contains an IP address e.g. 1.2.3.4 with weight=60, then another source imports the same IP 1.2.3.4 with weight=100 what happens to the weight?

x

rookiemonster · ‎11-30-2022

Hello,

If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue)

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂

View solution in original post

rookiemonster · ‎11-30-2022

Hello,

If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue)

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂

What happens to weight of duplicate imported Threat Intelligence artifacts?

other

3 Ways to Make OpenTelemetry Even Better

What's New in Splunk Cloud Platform 9.2.2406?

Enterprise Security Content Update (ESCU) | New Releases