Enterprise Security: What are the extraction field...

danielbb · ‎09-19-2019

We wonder what the identity, Asset, File and URL Extraction fields are in the Notable set-up of the correlation search.

DavidHourani · ‎02-07-2024

File and URL

These correspond to the artifact creation flow on the investigation workbench. Instead of creating a file or URL artifact on the workbench by hand, you can specify which fields should be used to create artifacts automatically when you add a notable to the investigation workbench.

More details here:

https://docs.splunk.com/Documentation/ES/latest/Admin/Customizeinvestigations#Set_up_artifact_extrac...

couilda · ‎11-10-2020

If the Identity and Asset extraction features pull their information from the assets/identities lookup tables where does the File and URL extraction features pull their information from?

richgalloway · ‎09-19-2019

Those fields are where you tell the Notable where to find fields of each type. That is, the fields it should use for Identity information are 'src_user', and 'user'; the fields containing Asset information are 'src', 'dest', 'dvc', and 'orig_host'; and so on.

---
If this reply helps you, Karma would be appreciated.

Enterprise Security: What are the extraction fields?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...