In our Splunk Enterprise Incident review queue, I have a custom lookup that is being used for our threat intelligence feed.
| inputlookup local_ip_address_intel.csv
description, ip
listofbadmalwaredomains.com, 109.789.24.22
However, no matter how much I edit the Threat - Threat List Activity - Rule correlation search, I cannot extract a $description$ field, or it doesn't show up in the title of the event. I believe it is because the description field of the lookup is not being extracted.
Currently, the correlation search uses these variables for each threat incident title:
Threat Activity Detected ($threat_match_value$, $threat_source_id$, $threat_description$, $description$ )
The Title of each event contains something like:
Threat Activity Detected (109.789.24.22, local_ip_address_intel, Internal IP Address Intelligence, unknown )
How can I get the description column of my custom lookup to show up in our Splunk incident review queue?
Thanks!
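One way to surface the column, added here as an illustration rather than code from the original post: enrich the correlation search's own results with the custom lookup, so that the field the title token references actually exists on each result row. It assumes a lookup definition named local_ip_address_intel (pointing at local_ip_address_intel.csv) exists, since the lookup command needs a definition rather than a bare file name, and it uses a new field name, local_description, to avoid colliding with the description field that the built-in search already produces.

```spl
... existing "Threat - Threat List Activity - Rule" search, producing threat_match_value and threat_source_id ...
| lookup local_ip_address_intel ip AS threat_match_value OUTPUT description AS local_description
| fillnull value="unknown" local_description
```

With that in place the notable title can reference $local_description$, and rows whose threat_match_value is not in the CSV still get "unknown" instead of an empty token. Running the first two lines over a known-bad IP in a normal search (not as a correlation search) is a quick way to confirm the lookup definition resolves and the match is exact before editing the rule.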