Splunk Enterprise Security

Extract description into Threat Activity Object

gwes77
Explorer

Splunk has all of those threat intel lists for file, process, registry, ip, url, etc... And each list has a description field where I put the threat campaign info related to the IOC. I am wanting to extract that description into a new Threat_Activity.description (in the Threat Intelligence Data Model) field when it finds a match in the event logs. I have tried several tactics on my own altering the various Threat Gen searches but with no success. I know I can do searches with joins for workarounds and such. I also know that if I enter that info in the upload name it will show up in the Threat collection or Threat key field. But we often get a huge threatlist with several different campaigns and I would like to upload them all at the same time. This seems like a simple ask since this field is in every built in threat lookup. How can I get it to extract into a new field at match time?

Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...