Splunk has all of those threat intel lists for file, process, registry, ip, url, etc. And each list has a description field where I put the threat campaign info related to the IOC. I am wanting to extract that description into a new Threat_Activity.description (in the Threat Intelligence Data Model) field when it finds a match in the event logs. I have tried several tactics on my own, altering the various Threat Gen searches, but with no success. I know I can do searches with joins for workarounds and such. I also know that if I enter that info in the upload name it will show up in the Threat collection or Threat key field. But we often get a huge threat list with several different campaigns and I would like to upload them all at the same time. This seems like a simple ask since this field is in every built-in threat lookup. How can I get it to extract into a new field at match time?
I need help manually mapping a log source that has no supported add-on. I entered two event types with tags to ID which log is a failed login and which is a successful login. They are listed below.
Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure
Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success
But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here? Do I need to enter a field alias as well?
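As an added example (not from the original post) of the mapping the CIM Authentication data model expects: its Failed_Authentication and Successful_Authentication child datasets are constrained on the action field (action=failure and action=success), so tagging eventtypes with success/failure alone does not separate the two. The stanzas below assume the sourcetype logsource and the LoginSuccessful field from the post; Username is a hypothetical source field standing in for whatever the log calls the account.

```ini
# props.conf -- search-time knowledge for the custom sourcetype.
# Calculated field: derive the CIM "action" value from the log's own flag.
# This is the field the Authentication model's child datasets filter on.
[logsource]
EVAL-action = if(LoginSuccessful == "1", "success", "failure")
# Field alias for the CIM "user" field (Username is a hypothetical source field;
# replace it with the real account field in the log).
FIELDALIAS-cim_user = Username AS user

# eventtypes.conf -- a single eventtype is enough once "action" exists;
# the data model constraints, not the tags, split success from failure.
[logsource_authentication]
search = index=index sourcetype=logsource LoginSuccessful=*

# tags.conf -- the base Authentication dataset requires tag=authentication.
[eventtype=logsource_authentication]
authentication = enabled

# Verification search (run after restarting or reloading the app):
#   | datamodel Authentication Authentication search
#   | table _time, action, is_Failed_Authentication, is_Successful_Authentication
# Each event should now carry exactly one of the two is_* flags.
```

The existing two eventtypes can stay, but without an action value both child datasets evaluate their constraint against a missing field, which is why neither one discriminates between the events.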