Splunk Enterprise Security

Threat_Intelligence.Threat_Activity- How can I configure these fields "orig_sourcetype" ?

Cayplos
Engager

Hi,

I use Splunk Enterprise Security with Threat Intelligence framework.

Splunk creates many notables 'Threat Activity Detected' but I'd like to add/remove/edit source types.

I have only events with field "orig_sourcetype="apache:access" now. For example I tried add events from firewalls and compare source with suspicious IPs.

How can I configure these fields "orig_sourcetype" in Threat Intelligence data model ?

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Cayplos,

it isn't an immediate activity:

you have to understand which Data Model is used by the Correlation Search,

then you have to see the tags that are used to populate this Data Model,

then you have to see how your additional logs are parsed, are you using a CIM4.x compliant Add-On,?probably not because they are, by default, normalized and tagged in the correct way to load events in the Data Model.

If you're using a custom Add-On you have to normalize it using e.g. the App Builder App.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...