Security

What happens to weight of duplicate imported Threat Intelligence artifacts?

rookiemonster
Splunk Employee

When I import a Threat Intelligence source that contains an IP address, e.g. 1.2.3.4, with weight=60, and then another source imports the same IP 1.2.3.4 with weight=100, what happens to the weight?


0 Karma
1 Solution

rookiemonster
Splunk Employee

Hello,

If two Threat Intel Feeds contain the same Object, e.g. the IP range 111.221.57.0/24, then the Threat Artefacts Dashboard will recognise this and show that the threat_group is multiple sources (the screenshot below shows it lists the names in blue).

[Screenshot: rookiemonster_2-1669815471423.png]

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the out-of-the-box "Threat Activity Detected" correlation search dedups irrespective of weight, so you may want to sort by weight before the dedup 🙂


0 Karma
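The dedup behaviour in the note above, as an added illustration that is not code from Splunk ES or from the post: the same IP is logged to threat_activity once per threat_group, and a plain dedup keeps whichever event comes first, while sorting by weight first keeps the highest-weight match. The threat_match_value field name and the sample events are assumptions made for this example.

```python
"""Simulate `| dedup` on threat_activity events with and without a prior
`| sort - weight`. Constructed example; not Splunk ES code."""
from collections import OrderedDict

# Constructed threat_activity-style events, in arrival order. The same IP
# matched from two feeds (two threat_groups), each with its own weight.
# threat_match_value is an assumed field name for the matched object.
EVENTS = [
    {"_time": 1669815000, "threat_match_value": "1.2.3.4",
     "threat_group": "feed_a", "weight": 60},
    {"_time": 1669815001, "threat_match_value": "1.2.3.4",
     "threat_group": "feed_b", "weight": 100},
    {"_time": 1669815002, "threat_match_value": "111.221.57.0/24",
     "threat_group": "feed_a", "weight": 40},
]


def dedup_first_seen(events, key="threat_match_value"):
    """Mirror `| dedup <key>` with no prior sort: keep the first event per key
    in the order the events arrive."""
    kept = OrderedDict()
    for ev in events:
        kept.setdefault(ev[key], ev)
    return list(kept.values())


def dedup_max_weight(events, key="threat_match_value"):
    """Mirror `| sort - weight | dedup <key>`: order by descending weight so the
    highest-weight match for each object is the one the dedup keeps."""
    by_weight = sorted(events, key=lambda ev: ev["weight"], reverse=True)
    return dedup_first_seen(by_weight, key)


def kept_weight(events, value, key="threat_match_value", sort_first=False):
    """Return (threat_group, weight) that survives the dedup for one object."""
    survivors = dedup_max_weight(events, key) if sort_first else dedup_first_seen(events, key)
    match = next(ev for ev in survivors if ev[key] == value)
    return match["threat_group"], match["weight"]


if __name__ == "__main__":
    print("no sort :", kept_weight(EVENTS, "1.2.3.4"))              # feed_a, 60
    print("sorted  :", kept_weight(EVENTS, "1.2.3.4", sort_first=True))  # feed_b, 100
```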
