Hi,
I use Splunk Enterprise Security with Threat Intelligence framework.
Splunk creates many "Threat Activity Detected" notables, but I'd like to add/remove/edit source types.
I only have events with the field orig_sourcetype="apache:access" now. For example, I tried to add events from firewalls and compare their source with suspicious IPs.
How can I configure these "orig_sourcetype" fields in the Threat Intelligence data model?