cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
XavG
Engager
Member since: ‎06-15-2022
‎06-28-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 4
Member Since ‎06-15-2022
View All

Threat activity - Errors in correlation search rel...

by in Splunk Enterprise Security
‎06-15-2022 05:52 AM
2 Karma
‎06-15-2022 05:52 AM
2 Karma
Hi,   I'm wondering if there isn't an issue with the correlation search that comes with Splunk ES "Threat activity detected".  Indeed, my problem come from the fact that when it's triggered then I have at least 2 other alerts concerning the "24h thresold risk score" (RBA).    I have taken the original correlation search (at least I think it is)  | from datamodel:"Threat_Intelligence"."Threat_Activity" | dedup threat_match_field,threat_match_value | `get_event_id` | table _raw,event_id,source,src,dest,src_user,user,threat*,weight | rename weight as record_weight | `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")` | `get_threat_attribution(threat_key)` | rename source_* as threat_source_*,description as threat_description | fields - *time | eval risk_score=case(isnum(record_weight), record_weight, isnum(weight) AND weight=1, 60, isnum(weight), weight, 1=1, null()), risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()), risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value), risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",null(),threat_match_value), risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",null(),threat_match_value), risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)  And notice that the mechanism to select which type of risk category is concerned is changing after the first line.    1.  Risk_system  risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()), If I translate : If the threat_match_field is "query or "answer" then the risk category is system and risk_system="IOC that matched" In this case this is a domain or URL (because it's a DNS query or answer) --> THIS LINE IS GOOD 2. Risk_hash risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value), But in the case of hash, if I translate : If the threat_match_field is "file_hash" then the risk category is NOT hash and risk_hash="null" --> THIS LINE IS WRONG Then it is the same for all other category : network, host, other   So in my opinion the values in the if statement were reversed.  risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value), shoud be  risk_hash=if(threat_match_field IN("file_hash"),threat_match_value, null()),   Is it me ? My instance ? or what ? Thanks in advance Xavier ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-28-2022 09:44 AM
Karma from
View All