Splunk Enterprise Security

Threat activity - Errors in correlation search related to RBA?

XavG
Engager

Hi,


I'm wondering if there isn't an issue with the correlation search that comes with Splunk ES, "Threat activity detected".

Indeed, my problem comes from the fact that when it's triggered, then I have at least 2 other alerts concerning the "24h threshold risk score" (RBA).


I have taken the original correlation search (at least I think it is):

| from datamodel:"Threat_Intelligence"."Threat_Activity" 
| dedup threat_match_field,threat_match_value
| `get_event_id`
| table _raw,event_id,source,src,dest,src_user,user,threat*,weight
| rename weight as record_weight
| `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")`
| `get_threat_attribution(threat_key)`
| rename source_* as threat_source_*,description as threat_description
| fields - *time
| eval
risk_score=case(isnum(record_weight), record_weight, isnum(weight) AND weight=1, 60, isnum(weight), weight, 1=1, null()),
risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),
risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",null(),threat_match_value),
risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",null(),threat_match_value),
risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)

And notice that the mechanism to select which type of risk category is concerned changes after the first line.


1.  Risk_system 

risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),

If I translate: if the threat_match_field is "query" or "answer" then the risk category is system and risk_system="IOC that matched".

In this case this is a domain or URL (because it's a DNS query or answer).

--> THIS LINE IS GOOD

2. Risk_hash

risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),

But in the case of hash, if I translate: if the threat_match_field is "file_hash" then the risk category is NOT hash and risk_hash="null".

--> THIS LINE IS WRONG

Then it is the same for all the other categories: network, host, other.


So in my opinion the values in the if statement were reversed.

risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),

should be

risk_hash=if(threat_match_field IN("file_hash"),threat_match_value, null()),


Is it me? My instance? Or what?

Thanks in advance

Xavier


jacobappleton
Explorer

We've noticed the same thing. Would be nice to get some feedback from Splunk on whether this is a known issue.

0 Karma

frank_s
Engager

Yes, looks to be incorrect. You can rewrite that portion as follows:

risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
risk_hash=if(threat_match_field IN("file_hash"),threat_match_value,null()),
risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",threat_match_value,null()),
risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",threat_match_value,null()),
risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)

0 Karma
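To make the effect of the argument order concrete, here is an added example (not Splunk's code, not from either poster) that replays the risk_* eval logic from the search quoted above in Python over a few constructed threat matches, once with the shipped if() order and once with the order frank_s proposes. It shows why a single match under the shipped version lands in several risk categories at once, which is consistent with the extra RBA threshold alerts described in the question. The field-name sets are copied from the search; the sample values are made up.

```python
# Added example (not Splunk's own code): replays the risk_* eval of the
# "Threat Activity Detected" correlation search over constructed threat
# matches, comparing the shipped if() argument order with the corrected one.

SYSTEM = {"query", "answer"}
HASH = {"file_hash"}
NETWORK = {"http_user_agent", "url"}
HOST = {"file_name", "process", "service"}
OTHER_EXCLUDED = SYSTEM | {"src", "dest", "src_user", "user"} | HASH | NETWORK | HOST


def is_network(field):
    return field in NETWORK or field.startswith("certificate_")   # LIKE "certificate_%"


def is_host(field):
    return field in HOST or field.startswith("registry_")         # LIKE "registry_%"


def risk_fields(field, value, corrected):
    """Return the non-null risk_* fields one threat match would carry."""
    hit = {
        "risk_system": field in SYSTEM,   # identical in both versions
        "risk_hash": field in HASH,
        "risk_network": is_network(field),
        "risk_host": is_host(field),
        "risk_other": not (field in OTHER_EXCLUDED or is_network(field) or is_host(field)),
    }
    if not corrected:
        # shipped search: if(<match>, null(), threat_match_value) for hash/network/host,
        # so each of those fields is populated exactly when its category does NOT match
        for k in ("risk_hash", "risk_network", "risk_host"):
            hit[k] = not hit[k]
    return {k: value for k, v in hit.items() if v}


# Constructed sample matches (field, value); values are placeholders.
SAMPLES = [
    ("query", "bad.example"),
    ("file_hash", "deadbeefdeadbeefdeadbeefdeadbeef"),
    ("url", "http://bad.example/x"),
    ("registry_key", "HKLM\\Software\\Constructed"),
]


def compare(samples=SAMPLES):
    """Map each sample field to (risk fields under shipped eval, under corrected eval)."""
    return {f: (len(risk_fields(f, v, False)), len(risk_fields(f, v, True))) for f, v in samples}


if __name__ == "__main__":
    for field, (shipped, fixed) in compare().items():
        print(f"{field:13s} shipped={shipped} corrected={fixed}")
```

Under the shipped order a DNS "query" match populates four risk fields and every other sample populates two, so one threat match contributes several risk objects to the 24h risk score; with the corrected order each sample populates exactly one.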

XavG
Engager

Nobody? 😕
