
SIR Observables

Neil Mitchell
Tera Contributor

Hello,

I am trying to find a way to have the Observables tab/field be auto-populated with information that is imported into the Description field. As it stands, we get numerous alerts imported into SIRs with the Description field populated with a lot of information. What I am trying to do is get this IOC/observable information auto-populated into the Observables tab so workflows will get fired off.

Exploring this, I found that if I add information into the IOC Scratchpad tab, this will automatically populate the Observables tab, thus firing off the workflows. Is there a way I can automate this? Meaning, when information such as dest_ip and src_ip is imported from Splunk into the Description field, can this information be auto-populated into the IOC Scratchpad so it will get populated into the Observables tab? Or circumvent the IOC Scratchpad entirely, because all I care about is getting the information that is in the Description field imported automatically into the Observables section.

I have found the Handle Deprecated Observable Fields business rule and was trying to see if that would solve my problem here.

Thank you,

Neil Mitchell
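One way to do what the post describes, as an added example that is not part of the original post or of ServiceNow's own code: a server-side business rule script that extracts `key=value` IOCs from the Description, validates them, and links them to the incident as observables. The table names (`sn_si_incident`, `sn_ti_observable`, `sn_ti_m2m_task_observable`), the observable type display names, and the hash key names beyond `src_ip`/`dest_ip` are assumptions to check against your instance.

```javascript
// Added example, not from the post. The tables sn_si_incident, sn_ti_observable and
// sn_ti_m2m_task_observable and the observable type names are assumptions to verify.
var IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
var HEX_HASH = /^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i;
var IOC_RE = /\b(src_ip|dest_ip|file_hash|md5|sha1|sha256)\s*[=:]\s*"?([^\s,"]+)/gi;

// Map a key/value pair to an observable type; null means "not a usable IOC".
// Validating the value matters because the Description is upstream free text.
function classify(key, value) {
  if (key === 'src_ip' || key === 'dest_ip') return IPV4.test(value) ? 'IP address' : null;
  if (!HEX_HASH.test(value)) return null;
  return { 32: 'MD5', 40: 'SHA1', 64: 'SHA256' }[value.length];
}
// Pure parser: returns deduplicated {type, value} objects in order of appearance.
function extractObservables(description) {
  var found = {}, m;
  while ((m = IOC_RE.exec(description || '')) !== null) {
    var type = classify(m[1].toLowerCase(), m[2]), id = type + '|' + m[2].toLowerCase();
    if (type && !found[id]) found[id] = { type: type, value: m[2] };
  }
  return Object.keys(found).map(function (k) { return found[k]; });
}
// Business rule body (after insert/update on the incident): reuse an existing
// observable record when present, then link it to the task exactly once.
function addObservablesToIncident(current) {
  var taskId = current.getUniqueValue();
  extractObservables(current.getValue('description')).forEach(function (o) {
    var obs = new GlideRecord('sn_ti_observable');
    obs.addQuery('value', o.value);
    obs.query();
    if (!obs.next()) {
      obs.initialize();
      obs.setValue('value', o.value);
      obs.setDisplayValue('type', o.type); // 'type' assumed to be a reference field
      obs.insert();
    }
    var link = new GlideRecord('sn_ti_m2m_task_observable');
    link.addQuery('task', taskId);
    link.addQuery('observable', obs.getUniqueValue());
    link.query();
    if (link.hasNext()) return; // already linked: the rule also fires on updates
    link.initialize();
    link.setValue('task', taskId);
    link.setValue('observable', obs.getUniqueValue());
    link.insert();
  });
}
// Constructed sample in the Splunk alert style the post describes.
var SAMPLE_DESCRIPTION = 'Splunk alert: outbound connection\nsrc_ip=10.0.0.25, ' +
  'dest_ip=203.0.113.7\nfile_hash=d41d8cd98f00b204e9800998ecf8427e dest_ip=999.1.1.1';
```

Scope the rule to incidents whose source is the Splunk integration so that hand-written descriptions do not create observables, and keep the value validation, since malformed or out-of-range values are silently dropped rather than turned into observables.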


arpitt
Tera Expert

Hi Neil,

If the source of the created incidents is the Splunk integration, then you can ask the Splunk team to send the respective source IP/destination IP or malware hash details in the OOB IP and hash fields of the security incident, which will automatically create the observable.

Regards,

Arpit Taneja