Hi everybody.
Currently, we have a task which involve QRadar correlation rules translation to SPlunk ones.
The Splunk rules will be used in a Splunk Enterprise Security environment.
The big issue we are facing is the following: we got some elements in QRadar for what is not clear if we have a corresponding element in SPlunk. One of this is the event category: the QRadar definition of this element is the following one:
https://www.ibm.com/docs/en/qsip/7.4?topic=administration-event-categories
In a nutshell, this mechanism categorize the events in high level category which contains lover/more specific category. For example, we have the macro category Malware wich contains Backdor, Spyware and so on.
So, my question is: have we, in Splunk, a similar mechanis?
For example, in a QRadar rule I may have, between the filters, "when the event category for the event is one of the following: Potential Exploit.Potential Botnet Connection" ; how can I check this in SPlunk?
If there is not a mechanism to automatize this and we have to set this check manually, what could be the best way to got the category?
