Mapping Fields in an SIR

Audrey12
Kilo Contributor

Hello,

I'm currently looking to map domains being sent from Splunk to our SNOW environment so that they'll also show up in the observable table. While there are fields for hash and IP, I'm not seeing any that would line up with domain other than other_ioc. I haven't had any success using that as my mapping field though. Do I need to create a new value on the sn_si_incident table for domain or am I missing one below? 


<xml>
<sn_si_incident>
<active/>
<activity_due/>
<additional_assignee_list/>
<affected_user/>
<approval/>
<approval_history/>
<approval_set/>
<asset/>
<assigned_to/>
<assigned_vendor/>
<assignment_group/>
<attack_vector/>
<automation_activity/>
<billable/>
<business_criticality/>
<business_duration/>
<business_service/>
<calendar_duration/>
<caller/>
<category/>
<change_request/>
<close_code/>
<close_notes/>
<closed_at/>
<closed_by/>
<cmdb_ci/>
<cmdb_ci_business_app/>
<comments/>
<comments_and_work_notes/>
<company/>
<contact_type/>
<correlation_display/>
<correlation_id/>
<delivery_plan/>
<delivery_task/>
<department/>
<description/>
<dest_ip/>
<due_date/>
<escalation/>
<estimated_end/>
<expected_end/>
<expected_start/>
<external_url/>
<follow_up/>
<group_list/>
<impact/>
<incident/>
<initiated_from/>
<is_catalog/>
<knowledge/>
<location/>
<made_sla/>
<malware_hash/>
<malware_url/>
<new_pir_respondents/>
<number/>
<opened_at/>
<order/>
<other_ioc/>
<parent/>
<parent_security_incident/>
<pir/>
<pir_respondents/>
<previous_agent/>
<priority/>
<problem/>
<qualification_group/>
<reassignment_count/>
<referrer_url/>
<rejection_goto/>
<request_category/>
<request_type/>
<requested_due_by/>
<risk/>
<risk_change/>
<risk_score/>
<risk_score_override/>
<secure_notes/>
<security_incident_self/>
<security_tags/>
<severity/>
<short_description/>
<skills/>
<sla_due/>
<sla_suspended/>
<sla_suspended_for/>
<sla_suspended_on/>
<sla_suspended_reason/>
<source_ip/>
<spam/>
<special_access_read/>
<special_access_write/>
<state/>
<subcategory/>
<substate/>
<sys_class_name/>
<sys_created_by/>
<sys_created_on/>
<sys_domain/>
<sys_domain_path/>
<sys_id/>
<sys_mod_count/>
<sys_updated_by/>
<sys_updated_on/>
<task_created/>
<template/>
<template_workflow_invoked/>
<time_worked/>
<u_action/>
<u_impacted_line_of_business/>
<u_incident_discovered/>
<u_incident_occurred/>
<u_sensitive/>
<u_service/>
<u_splunk_threat_intel/>
<upon_approval/>
<upon_reject/>
<urgency/>
<user_input/>
<variables/>
<vendor_reference/>
<vulnerability/>
<watch_list/>
<wf_activity/>
<work_end/>
<work_notes/>
<work_notes_list/>
<work_start/>
</sn_si_incident>
</xml>


Thank you!

1 ACCEPTED SOLUTION

scottlewis
ServiceNow Employee

Hi Audrey,

These fields that you reference in the SIR schema (Source IP, Destination IP, Malware hash, Malware URL, Referrer URL and Other IoC) are mainly there for historical reasons. While you could use "Other IoC" for the domain, I would suggest you add it to the Observables related list (sn_ti_m2m_task_observable). This table is designed to handle most types of Observables/IoCs that you would find in an environment and there is some built-in automation around this related list. The good news is, there is a business rule (Handle Deprecated Observable Fields) that will copy the Observables from any of those fields into this related list. So, if you want, you can put the domain value in "Other IoC" and let the business rule do the rest.

Hope this helps,

s
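As an added example (not code from the thread, from ServiceNow or from Splunk), the script below shows the mapping decision the answer describes, carried out before anything is written to the incident: each IoC value coming from Splunk is classified as an IP, hash, URL or domain, routed to the dedicated sn_si_incident column from the schema in the question where one exists, and otherwise to other_ioc (which the "Handle Deprecated Observable Fields" business rule then copies into the Observables related list), while the records to create on that related list directly are built at the same time. The Splunk field names in the sample event, and the sn_ti_observable columns `type`/`value` and sn_ti_m2m_task_observable columns `task`/`observable`, are assumptions not confirmed by the thread.

```javascript
// Added example, not from the thread or from ServiceNow/Splunk. Routes Splunk
// IoC values to the legacy sn_si_incident columns shown in the question and
// builds the Observables related-list records. ASSUMED (not in the thread):
// sn_ti_observable has `type` and `value`; sn_ti_m2m_task_observable has
// `task` and `observable`; Splunk field names follow the constructed sample.

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
const HASH = /^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$/i; // MD5 / SHA-1 / SHA-256
const URL = /^https?:\/\/\S+$/i;
// Hostname labels of letters, digits and hyphens, at least one dot, alphabetic TLD.
const DOMAIN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Classify one raw value. The type keys are this example's own; map them to
// the observable type names configured on the target instance.
function classifyIoc(raw) {
  const value = String(raw).trim();
  if (IPV4.test(value)) return { type: 'ipv4', value };
  if (HASH.test(value)) return { type: 'hash', value: value.toLowerCase() };
  if (URL.test(value)) return { type: 'url', value };
  if (DOMAIN.test(value)) return { type: 'domain', value: value.toLowerCase() };
  return { type: 'other', value }; // not an IoC this example recognises
}

// Legacy sn_si_incident column for a value. An IP's direction cannot be read
// from the value, so the Splunk field name decides; domains (and anything
// without a dedicated column) go to other_ioc for the business rule to copy.
function sirFieldFor(splunkField, type) {
  const f = splunkField.toLowerCase();
  switch (type) {
    case 'ipv4':
      if (/^(src|source)/.test(f)) return 'source_ip';
      if (/^(dest|dst)/.test(f)) return 'dest_ip';
      return 'other_ioc';
    case 'hash':
      return 'malware_hash';
    case 'url':
      return /referrer/.test(f) ? 'referrer_url' : 'malware_url';
    default:
      return 'other_ioc';
  }
}

// Build one sn_ti_observable record per unique (type, value), one m2m row per
// observable linking it to the incident, and the legacy column values.
function buildObservablePayload(taskSysId, splunkEvent) {
  const seen = new Set();
  const observables = [];
  const links = [];
  const legacy = {};
  for (const [field, raw] of Object.entries(splunkEvent)) {
    const values = Array.isArray(raw) ? raw : [raw];
    for (const v of values) {
      const ioc = classifyIoc(v);
      if (ioc.type === 'other') continue;
      const key = ioc.type + ':' + ioc.value;
      if (seen.has(key)) continue; // same IoC reported under two Splunk fields
      seen.add(key);
      observables.push({ type: ioc.type, value: ioc.value });
      // `observable` holds the key here; replace it with the sys_id returned
      // by the sn_ti_observable insert before writing the m2m row.
      links.push({ task: taskSysId, observable: key });
      const column = sirFieldFor(field, ioc.type);
      (legacy[column] = legacy[column] || []).push(ioc.value);
    }
  }
  return { observables, links, legacy };
}

// Constructed sample event (not real Splunk output); example.com is reserved.
const sampleEvent = {
  src: '10.0.0.5',
  dest: '203.0.113.7',
  query: 'Evil.Example.COM',
  dns_query: 'evil.example.com', // duplicate of `query`, should be collapsed
  file_hash: '0123456789ABCDEF0123456789abcdef',
  url: 'http://evil.example.com/payload',
  other: 'not-an-ioc',
  bad_ip: '999.1.1.1', // not a valid IPv4 and not a domain, so dropped
};

console.log(JSON.stringify(buildObservablePayload('CONSTRUCTED_TASK_SYS_ID', sampleEvent), null, 2));
```

On an instance, the `observables` array would be inserted into sn_ti_observable with GlideRecord, each returned sys_id substituted into the matching `links` entry before inserting into sn_ti_m2m_task_observable; alternatively, only the `legacy` values are written to the security incident and the business rule the answer names performs the copy.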
