Alerting

How to correlate Splunk alerts with Indicators Of Compromise (IOC)?

djbcvp
New Member

Based on the following Splunk Alert I am trying to trace back to an IOC.

rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC cs2Label=FireEye Agent Version cs2=26.21.10 cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=FIREEYE END2

The goal is to gather as much information as possible from the Splunk alert (IOC IDs, URLs, domain names, etc.), send it to Swimlane, and have it available there to pull any additional data necessary from FireEye.

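The alert in the post is a CEF extension block: a run of key=value pairs in which values may contain spaces, and in which the FireEye-specific fields are carried in generic custom slots (cs1..cs8, deviceCustomDate1) whose meaning is given by a sibling `<key>Label` field. Before anything is handed to a SOAR platform, those pairs have to be split at the right boundaries and the labels resolved, otherwise "cs4" reaches Swimlane as an opaque slot instead of "IOC Name". The following is an added example, not code from the original post, Splunk, FireEye or Swimlane: it parses the poster's event (joined back onto one line, with the poster's own placeholder values kept as they are), resolves the label pairs, validates the destination IP, and builds a flat record of the fields a playbook would need to query FireEye for more context. The record field names and the idea of keeping a raw copy of an unparseable IP are my assumptions, not a Swimlane schema.

```python
import ipaddress
import json
import re

# Constructed sample: the CEF extension block from the forum post, joined back
# onto one line. The IP, MAC, hostname and cert hash are the poster's own
# placeholders (the IP is not even a valid IPv4 address, which the example
# deliberately surfaces rather than hides).
SAMPLE_EVENT = (
    "rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS "
    "categoryDeviceType=Forensic Investigation categoryObject=/Host "
    "cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ "
    "dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP "
    "deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC "
    "cs2Label=FireEye Agent Version cs2=26.21.10 "
    "cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS "
    "cs6=Windows Server 2012 R2 Standard 9600 externalId=34 "
    "start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success "
    "categorySignificance=/Compromise categoryBehavior=/Found "
    "cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit "
    "msg=Host WIN-12AB3c4DE5F IOC compromise alert "
    "categoryTupleDescription=A Detection IOC found a compromise indication. "
    "cs4Label=IOC Name cs4=FIREEYE END2"
)

# A value runs until the next token that looks like a key ("<word>=") or the end
# of the line, so "categoryDeviceType=Forensic Investigation" is one pair, not two.
_PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef_extension(text):
    """Split a CEF extension string into a {key: value} dict."""
    return {key: value.strip() for key, value in _PAIR_RE.findall(text)}


def resolve_labels(fields):
    """Replace custom-slot keys (cs1, deviceCustomDate1, ...) with the
    human-readable name carried in the matching <key>Label field."""
    resolved = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue  # labels are consumed via their partner key below
        resolved[fields.get(key + "Label", key)] = value
    return resolved


def normalize_ip(raw):
    """Return a canonical IP string, or None if the value is not a real address.
    Passing an unparseable value downstream would make the FireEye lookup fail
    later and less visibly, so reject it at the boundary."""
    try:
        return str(ipaddress.ip_address(raw)) if raw else None
    except ValueError:
        return None


def build_enrichment_record(event_text):
    """Flatten the alert into the fields a SOAR playbook needs to pull more
    context from FireEye (field names are this example's assumption)."""
    fields = resolve_labels(parse_cef_extension(event_text))
    raw_ip = fields.get("dst")
    return {
        "event_time": fields.get("rt"),
        "detection_start": fields.get("start"),
        "sensor": fields.get("dvchost"),
        "fireeye_external_id": fields.get("externalId"),
        "host": fields.get("dhost"),
        "domain": fields.get("dntdom"),
        "dst_ip": normalize_ip(raw_ip),
        "dst_ip_raw": raw_ip,
        "dst_mac": fields.get("dmac"),
        "agent_cert_hash": fields.get("Host Agent Cert Hash"),
        "agent_version": fields.get("FireEye Agent Version"),
        "target_os": fields.get("Target OS"),
        "ioc_name": fields.get("IOC Name"),
        "alert_type": fields.get("Alert Types"),
        "resolution": fields.get("Resolution"),
        "significance": fields.get("categorySignificance"),
        "message": fields.get("msg"),
    }


def to_json(event_text):
    """JSON body of the record, as one would POST it to a SOAR inbound endpoint."""
    return json.dumps(build_enrichment_record(event_text), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_EVENT))
```

Inside Splunk the same key=value split is what the `extract` (alias `kv`) command or a CEF add-on produces at search time; the script shows the equivalent logic outside Splunk for the hand-off. The label resolution is the step most often skipped: without it the playbook has to know that cs4 means "IOC Name" on this particular sensor, and that mapping differs between FireEye products and versions.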