Splunk Enterprise Security

How can I get the description column of my custom lookup to show up in our Splunk Enterprise Security Incident Review queue?

aaronandshag
Explorer

In our Splunk Enterprise Incident review queue, I have a custom lookup that is being used for our threat intelligence feed.

| inputlookup local_ip_address_intel.csv
description, ip
listofbadmalwaredomains.com, 109.789.24.22

However, no matter how much I edit the Threat - Threat List Activity - Rule correlation search, I cannot extract a $description$ field, or it doesn't show up in the title of the event. I believe it is because the description field of the lookup is not being extracted.

Currently, the correlation search uses these variables for each threat incident title:
Threat Activity Detected ($threat_match_value$, $threat_source_id$, $threat_description$, $description$ )

The Title of each event contains something like:
Threat Activity Detected (109.789.24.22, local_ip_address_intel, Internal IP Address Intelligence, unknown )

How can I get the description column of my custom lookup to show up in our Splunk Incident Review queue?

Thanks!

0 Karma

starcher
SplunkTrust

I'm pushing on the ES devs to fix this. Threat Intel docs list description as required but the ES intel processing tosses it and gives you the description of the input. If you are careful you can manually patch several macros and searches to get threat intel values to come through regardless of the original intel source input. I'd recommend others report this as a bug against ES via a support ticket if you want the change.

aaronandshag
Explorer

I figured it out... a year later.

Just append the following to the end of the Threat Activity Detected Correlation Search:

| join threat_match_value [| inputlookup local_domain_intel.csv | rename domain AS threat_match_value]

Then change your Notable Event Title to:

Threat Activity Detected $threat_match_value$ from: $description$
0 Karma
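A fuller version of the same enrichment, added here as an example rather than taken from the post above: it uses `lookup` instead of `join` (no subsearch row limits) and covers both the IP file from the question and the domain file from the answer, writing the matched text into a separate `intel_description` field so it does not overwrite the `description` field ES already populates. It assumes the two CSV files resolve as lookups under those names (or that lookup definitions with those names exist) and that the correlation search supplies `threat_match_value`, as it does in this thread.

```spl
| lookup local_ip_address_intel.csv ip AS threat_match_value OUTPUTNEW description AS ip_intel_description
| lookup local_domain_intel.csv domain AS threat_match_value OUTPUTNEW description AS domain_intel_description
| eval intel_description=coalesce(ip_intel_description, domain_intel_description, "unknown")
| fields - ip_intel_description, domain_intel_description
```

The notable event title then becomes `Threat Activity Detected ($threat_match_value$, $threat_source_id$) from: $intel_description$`, and `intel_description` falls back to "unknown" for matches that come from neither file.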