Hi, I have looked at the threat match "src" under Threat Intelligence Manager. In the configuration the data model DNS Resolution is enabled and the match field is DNS.query. However, in the generated SPL I find these two lines:

| eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field')
| eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.query','threat_match_value')

This will set threat_match_field to src, but I would have thought it should be "query". This will also produce a wrong description in the Threat Activity use case when the fields are populated. Is this a fault? Has anyone else noticed this?