We are trying to ingest a STIX file into the Threat Intelligence Management, the STIX parses, but does not find anything of interest in the file. the _internal index has the message 'status="No observables or indicators found in file"' The STIX file has the format below (which from what I can tell is a valid format, containing indicators       { "more": false, "objects": [ { "confidence": "70", "created": "2023-09-08T00:02:39.000Z", "description": "xxxxxxxxx", "id": "xxxxxxx", "modified": "2023-09-08T00:02:39.000Z", "name": "xxxxxxx", "pattern": "[ipv4-addr:value = '101.38.159.17']", "spec_version": "2.1", "type": "indicator", "valid_from": "2023-09-08T00:02:39.000Z", "valid_until": "2025-11-07T00:02:39.000Z" }, ......         Has anyone had any success with STIX files and be able to share the basic format of what worked for them?  Or anyone have anything other to suggest? Many thanks Simon   Splunk Enterprise Security  ... View more

Not sure I am missing something, but the Correlation Searches provided by ESCU are not consistent in their results. Some result is the user being indentified as in a field user_id, some in a field UserID This is inconsistent (which I could live with), but does not match up to the fields used (by default) to identify users within Enterprise Security - Incident Review. So I need to add them to the "Incident Review - Event Attributes".  In addition, if I am using Data Enrichment, then I also need to add to "Incident Review - Event Attributes" fields like UserID_email, UserID_bunit, UserID_category, etc.... If the ESCU could have their correlation search return a more "standard" set of fields as results, then it would make things work more "out of the box"   I appreciate that I might have missed something obvious, I and I hope I have - I value all replies ... View more

I have the following line in my splunk_metadata.csv to forward forcepoint proxy logs to the index called proxy_forcepoint. This worked when running the latest 1.x release. Post upgrade, some of the events still go into the index above (these have the sc4s_vendor_product field set to forcepoint), whereas other events are delivered to the lastchanceindex (these to not have a field sc4s_vendor_product) Looking in app-syslog-forcepoint_webprotect.conf (from the source from 2.29 source), Forcepoint messages are recognised by "vendor=Forcepoint" (which all messages have), and if Product is "Security" (which all messages have) - then the rewrite rule should set "product("webprotect")".    So I cannot see what is obviously wrong in the configuration or events, or how to investigate the events to set the line in splunk_metadata.csv  appropriately to get the routing to happen as I wish   All help appreciated ... View more

Running CIM 5.0 and was looking to do some reporting on users/groups added to security groups (information provided by the Windows Security Log event 4732 - but when I look in the Change datamodel, I cannot see the target group of the add in any of the fields. We are using out of the box Splunk_TA_windows, and Splunk Add-on for Microsoft Windows and I would have hoped that the data model would have been automatically filled with the relevant fields. Am I missing something obvious, or is there something I need to setup myself to get this working? Thanks Simon ... View more

We have lots of firewalls (both internal and internet facing) feeding into our CIM Network_Traffic Model within Enterprise Security. I would like to be able to distinguish the traffic that comes from the internet with other traffic. One way that occurred to be is to modify the CIM Network_Traffic model to have an extra "inheritance" (alongside Allowed_Traffic and Blocked_Traffic). Something line Internet_Traffic with the constraint specifying the appropriate dvc and src_interface values.  Is this a good idea? Would it break anything? How would it work w.r.t. update/upgrades to the CIM model? ... View more