Splunk Enterprise Security

Threat Intelligence Management - Wrong threat match field?

torstein1
Explorer

Hi,

I have looked at Threat match "src" under Threat Intelligence Manager.

In the configuration the datamodel DNS Resolution is enabled and the match field is DNS.query.

However, in the generated SPL i find these to lines:

 

| eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') 
| eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.query','threat_match_value')

 


This will change the threat_match_field to src, but I would have thought it should be "query"?

And this will make a wrong description in the Threat Activity use case when the fields are populated.

Is this a fault, have anyone else noticed this?

Get Updates on the Splunk Community!

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...