Splunk Enterprise Security

Getting wrong values in threat group and threat category in Threat Activity Details in Splunk Enterprise Security

Path Finder

Hi Splunkers,

I am seeing some junk values in the Threat Activity Details report from Splunk Enterprise Security. FYI, please have a look at the values below:

threat_collection     threat_group      threat_category
ip_intel, ip_intel    undefined         undefined
ip_intel, ip_intel    undefined         undefined
ip_intel              DSW_Attacker_DB   threatlist
ip_intel, ip_intel    undefined         undefined
ip_intel              DSW_Attacker_DB   threatlist
ip_intel, ip_intel    undefined         undefined
ip_intel, ip_intel    undefined         undefined
ip_intel, ip_intel    undefined         undefined
ip_intel, ip_intel    undefined         undefined
ip_intel, ip_intel    undefined         undefined

Please help me; I would like to know why I am seeing undefined values.

Thanks in advance.


Path Finder

Hi,

I found the problem: there are source_ids D:\opt\splunk\etc\apps\DA-ESS-ThreatIntelligence\default\data\threat_intel\Appendix_D_FQDNs.xml and source_type = stix.

The above package is from Mandiant, it is not getting updated in a timely fashion, and it came with Enterprise Security by default. I would like to know how I can schedule them so that I can get the latest reports.


Splunk Employee

That would mostly be because those values are undefined. If you look at some examples in your SA-ThreatIntelligence/default/inputs.conf, you'll see there are a couple of things to check out. The "type" in this case dictates the value for "threat category". With regard to the threat group, that's typically going to be the value in the stanza header.
Example:
[threatlist://UniqueInputName]
description = Threat Intel for IPs
extract_regex = ,(\S+)\,(\w+)\,[a-zA-Z].\,
fields = ip:$1,description:$2
ignore_regex = (^#|^\s*$|^ThreatbaseID)
interval = 43200
retries = 3
retry_interval = 60
skip_header_lines = 0
timeout = 30
type = PopulatesThreatCategory
url = https://myintelsource/coolintel.txt
weight = 1
delim_regex =
disabled = 0

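To make the mapping in the answer concrete, here is an added example (not code from the thread or from Splunk): it parses a constructed inputs.conf fragment modelled on the stanza above, runs a constructed feed through ignore_regex, extract_regex and fields, and derives threat_group from the stanza name and threat_category from the "type" option, so a stanza without "type" yields "undefined". The stanza name NoTypeInput, the feed rows and the fallback value "undefined" are assumptions for illustration.

```python
import configparser
import re
# Constructed inputs.conf fragment (not a real ES file): the first stanza follows
# the one in the answer, the second is the same input with "type" left out.
INPUTS_CONF = r"""
[threatlist://UniqueInputName]
description = Threat Intel for IPs
extract_regex = ,(\S+)\,(\w+)\,[a-zA-Z].\,
fields = ip:$1,description:$2
ignore_regex = (^#|^\s*$|^ThreatbaseID)
type = PopulatesThreatCategory
url = https://myintelsource/coolintel.txt
[threatlist://NoTypeInput]
description = Same feed, no type option
extract_regex = ,(\S+)\,(\w+)\,[a-zA-Z].\,
fields = ip:$1,description:$2
ignore_regex = (^#|^\s*$|^ThreatbaseID)
url = https://myintelsource/other.txt
"""
# Constructed sample feed in the row shape that extract_regex above expects.
FEED = """# comment line, skipped by ignore_regex
ThreatbaseID,ip,description,flags
1,203.0.113.5,malware,Ab,

2,198.51.100.7,scanner,Cd,
"""

def parse_threatlist_stanzas(conf_text):
    """Return {stanza_name: options} for every [threatlist://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("threatlist://")}

def intel_records(stanza_name, opts, feed_text):
    """Apply ignore_regex, extract_regex and fields to the feed, then attach
    threat_group (stanza name) and threat_category (the "type" option)."""
    group = stanza_name.split("://", 1)[1]
    category = opts.get("type", "undefined")  # no type option -> "undefined"
    ignore, extract = re.compile(opts["ignore_regex"]), re.compile(opts["extract_regex"])
    field_map = [f.split(":", 1) for f in opts["fields"].split(",")]
    records = []
    for line in feed_text.splitlines():
        m = None if ignore.search(line) else extract.search(line)
        if not m:
            continue
        rec = {"threat_group": group, "threat_category": category}
        for name, ref in field_map:  # "$N" is capture group N, else a literal
            rec[name] = m.group(int(ref[1:])) if ref.startswith("$") else ref
        records.append(rec)
    return records
```

Running the same feed through both stanzas shows that only the one carrying a "type" option produces a populated threat_category.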