Splunk Enterprise Security

Threat_Intelligence.Threat_Activity- How can I configure these fields "orig_sourcetype" ?

Cayplos
Engager

Hi,

I use Splunk Enterprise Security with Threat Intelligence framework.

Splunk creates many notables 'Threat Activity Detected' but I'd like to add/remove/edit source types.

I have only events with field "orig_sourcetype="apache:access" now. For example I tried add events from firewalls and compare source with suspicious IPs.

How can I configure these fields "orig_sourcetype" in Threat Intelligence data model ?

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Cayplos,

it isn't an immediate activity:

you have to understand which Data Model is used by the Correlation Search,

then you have to see the tags that are used to populate this Data Model,

then you have to see how your additional logs are parsed, are you using a CIM4.x compliant Add-On,?probably not because they are, by default, normalized and tagged in the correct way to load events in the Data Model.

If you're using a custom Add-On you have to normalize it using e.g. the App Builder App.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...