I have looked at Threat match "src" under Threat Intelligence Manager.
In the configuration the datamodel DNS Resolution is enabled and the match field is DNS.query.
However, in the generated SPL i find these to lines:
| eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field')
| eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.query','threat_match_value')
This will change the threat_match_field to src, but I would have thought it should be "query"?
And this will make a wrong description in the Threat Activity use case when the fields are populated.
Is this a fault, have anyone else noticed this?