Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens to weight of duplicate imported Threat Intelligence artifacts?

rookiemonster
Splunk Employee
Splunk Employee
‎10-13-2022 07:44 AM

When I import a Threat Intelligence source that contains an IP address e.g. 1.2.3.4 with weight=60, then another source imports the same IP 1.2.3.4 with weight=100 what happens to the weight?

x

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rookiemonster
Splunk Employee
Splunk Employee
‎11-30-2022 05:44 AM

Hello,

If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue)

rookiemonster_2-1669815471423.png

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rookiemonster
Splunk Employee
Splunk Employee
‎11-30-2022 05:44 AM

Hello,

If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue)

rookiemonster_2-1669815471423.png

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...