Solved: How to use a certain field as IP to correlate with...

andresito123 · ‎04-03-2016

I have included in my installation Sophos Virtual Email Appliance logs. The logs include the originating IP with field name "fur". Is there any way to map it as IP in order to get correlated with Enterprise Security app threat intelligence sources (e.g. if this IP is flagged by enterprise security, etc.)?

Thanks!

MuS · ‎04-03-2016

Hi andresito123,

You're not looking for map (this is a search command which should be only used as some sort of last resort).
You're looking for a field alias http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Abouttagsandaliases

By using an alias of IP for fur you will able to use it in Enterprise Security.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎04-03-2016

Hi andresito123,

You're not looking for map (this is a search command which should be only used as some sort of last resort).
You're looking for a field alias http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Abouttagsandaliases

By using an alias of IP for fur you will able to use it in Enterprise Security.

Hope this helps ...

cheers, MuS

andresito123 · ‎04-04-2016

After this field alias, is there any extra work to be performed on the Enterprise security app?

MuS · ‎04-04-2016

Take a look at the docs about the CIM http://docs.splunk.com/Documentation/CIM/4.4.0/User/NetworkTraffic and find the matching field name for your fur and ES will pick it up on its own.

cheers, MuS

How to use a certain field as IP to correlate with Splunk Enterprise Security threat intelligence sources?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation