Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract description into Threat Activity Object

gwes77
Explorer
‎04-03-2020 08:19 AM

Splunk has all of those threat intel lists for file, process, registry, ip, url, etc... And each list has a description field where I put the threat campaign info related to the IOC. I am wanting to extract that description into a new Threat_Activity.description (in the Threat Intelligence Data Model) field when it finds a match in the event logs. I have tried several tactics on my own altering the various Threat Gen searches but with no success. I know I can do searches with joins for workarounds and such. I also know that if I enter that info in the upload name it will show up in the Threat collection or Threat key field. But we often get a huge threatlist with several different campaigns and I would like to upload them all at the same time. This seems like a simple ask since this field is in every built in threat lookup. How can I get it to extract into a new field at match time?

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...