Solved: What happens to weight of duplicate imported Threa...

rookiemonster · ‎10-13-2022

When I import a Threat Intelligence source that contains an IP address e.g. 1.2.3.4 with weight=60, then another source imports the same IP 1.2.3.4 with weight=100 what happens to the weight?

x

rookiemonster · ‎11-30-2022

Hello,

If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue)

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂

View solution in original post

rookiemonster · ‎11-30-2022

Hello,

If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue)

When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object.

NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂

What happens to weight of duplicate imported Threat Intelligence artifacts?

Other

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation