Splunk Enterprise Security

Threat Intelligence Management - Wrong threat match field?

torstein1
Explorer

Hi,

I have looked at Threat match "src" under Threat Intelligence Manager.

In the configuration the datamodel DNS Resolution is enabled and the match field is DNS.query.

However, in the generated SPL I find these two lines:

| eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field')
| eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.query','threat_match_value')

This will change the threat_match_field to src, but I would have thought it should be "query"?

And this will make a wrong description in the Threat Activity use case when the fields are populated.

Is this a fault? Has anyone else noticed this?
