Is there a list of Threat Object Types #37
-
I was looking for a typical list of Threat Object Types; it isn't a field that auto-populates suggestions like Risk Object does.
Replies: 2 comments
-
I have not found a list in dev.splunk or docs, so I'm thinking the most appropriate list that may help, because the purpose of this is to connect to Threat Intel in ES, is to look at the list of ThreatIntel types supported in ES, which are (from https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes):
X509 Certificates
Email
file_hash
file_name
url
ip address
domain
Processes
Registry entries
Services
Users
Might even be able to use any of the supported fields in the intel lookups as types, if the purpose is to match against threat intel lookups. There isn't a lot about the mechanics of it in the docs.
-
Just a heads up, we are putting some specific work into setting and using threat objects efficiently and hope to present it at .conf 23