Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, why is "weight" field missing in the Threat Intelligence datamodel?

marand
Explorer
‎09-29-2018 05:03 AM

The datamodel for Threat Intelligence is missing the weight field.

This breaks the built in Threat Activity Detected notable, that is based on the datamodel.

This renders the following lines without value in the correlation search

| eval risk_score=case(isnum(record_weight), record_weight, isnum(weight), weight, 1=1, null())

The workaround is either:

  • Not using the datamodel

  • Add the field in the datamodel

I don't think this has been a problem before, so I suspect the 7.x+ is broken in this regard.

Anyone that has any insight into this?

/Marc

0 Karma
Reply

jeff
Contributor
‎02-01-2021 08:36 AM

I'm looking at this too. As of ES 6.4.1 this is still seemingly the case.

Adding this immediately after the datamodel command in the correlation search extracts the weight field:

| rex field=_raw "weight=\"?(?<wt>[^\s,\"]+)" 
| eval weight=coalesce(weight,wt)

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...