Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to correlate Splunk alerts with Indicators Of Compromise (IOC)?

djbcvp
New Member
‎07-25-2018 12:42 PM

Based on the following Splunk Alert I am trying to trace back to an IOC. 

rt=Jul 18 2018 02:47:29 UTC dvchost=fireeye-a12bc3 categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=AbCDEfG12hijklMnopQ
dst=12.345.67.890 dmac=12-3a-45-67-bc-8d dhost=WIN-12AB3c4DE5F dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 18 2018 02:47:28 UTC cs2Label=FireEye Agent Version cs2=26.21.10 
cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows Server 2012 R2 Standard 9600 externalId=34 start=Jul 18 2018 02:46:58 UTC categoryOutcome=/Success categorySignificance=/Compromise 
categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host WIN-12AB3c4DE5F IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise 
indication. cs4Label=IOC Name cs4=FIREEYE END2

The goal is to gather as much information from the Splunk alert, (IOC's ids/URL/Domain Name etc) and send it to Swimlane and have it available to pull any additional data necessary from FireEye.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...