SIR Observables

Neil Mitchell

Hello,

I am trying to find a way to have the Observables tab/field be auto-populated with information that is imported into the Description field. As it stands, we get numerous alerts imported into SIRs with the Description field populated with a lot of information. What I am trying to do is get this IOC/observable information auto-populated into the Observables tab so workflows will get fired off.

Exploring this, I found that if I add information into the IOC Scratchpad tab, this will automatically populate the Observables tab, thus firing off the workflows. Is there a way I can automate this? Meaning, when information such as dest_ip and src_ip is imported from Splunk into the Description field, can this information be auto-populated into the IOC Scratchpad so it will get populated into the Observables tab? Or circumvent the IOC Scratchpad entirely, because all I care about is getting the information that is in the Description field imported automatically into the Observables section.

I have found the Handle Deprecated Observable Fields business rule and was trying to see if that would solve my problem here.

Thank you,

Neil Mitchell
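As an added example (not code from the post or from ServiceNow), here is the parsing step a Business Rule doing this would need: pull src_ip and dest_ip (plus an assumed file_hash key) out of a Splunk-style Description, validate each value, and de-duplicate before anything is written to the Observables table. It is written in ES5 so it can be pasted into a server-side script; the observable type labels, the file_hash key and the sample Description are assumptions.

```javascript
// Added example, not from the post or from ServiceNow. ES5 syntax on purpose so
// it also runs in a server-side Business Rule (e.g. on current.description).

// Description keys the post mentions (dest_ip, src_ip) plus an assumed file_hash
// key, each mapped to an assumed observable type label.
var KEY_TYPES = { dest_ip: 'IP address', src_ip: 'IP address', file_hash: 'Hash' };

// Shape checks: a dotted-quad IPv4 and MD5 / SHA-1 / SHA-256 hex digests.
var IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
var HASH = /^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i;

// Scan the Description for "key=value" or "key: value" pairs whose key is one of
// KEY_TYPES, drop values that do not look like the expected type (Splunk often
// emits placeholders such as "unknown"), and de-duplicate case-insensitively.
function extractObservables(description) {
  var keys = Object.keys(KEY_TYPES).join('|');
  var re = new RegExp('\\b(' + keys + ')\\s*[=:]\\s*"?([^\\s",;]+)"?', 'gi');
  var seen = {};
  var out = [];
  var m;
  while ((m = re.exec(String(description || ''))) !== null) {
    var key = m[1].toLowerCase();
    var value = m[2];
    var type = KEY_TYPES[key];
    var valid = type === 'Hash' ? HASH.test(value) : IPV4.test(value);
    if (!valid) { continue; }
    var id = type + '|' + value.toLowerCase();
    if (seen[id]) { continue; }
    seen[id] = true;
    out.push({ type: type, value: value, source: key });
  }
  return out;
}

// Constructed sample of what a Splunk alert might leave in the Description.
var SAMPLE_DESCRIPTION =
  'Splunk alert: outbound connection to known-bad host\n' +
  'src_ip=10.20.30.40 dest_ip=203.0.113.7 dest_port=443\n' +
  'file_hash: "d41d8cd98f00b204e9800998ecf8427e"\n' +
  'dest_ip=203.0.113.7 (seen twice) src_ip=unknown dest_ip=999.1.1.1';

// In a Business Rule the returned list would be written to the observable table
// and linked to current via its task/observable m2m table (table names differ by
// SIR version, so look them up on your instance rather than hard-coding them).
var observables = extractObservables(SAMPLE_DESCRIPTION);
observables.forEach(function (o) { console.log(o.source + ' -> ' + o.type + ' ' + o.value); });
```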


arpitt

Hi Neil,

If the source of the created incidents is the Splunk integration, then you can ask the Splunk team to send the respective source IP/destination IP or malware hash details in the OOB IP and hash fields of the security incident, which will automatically create the observables.


Regards,

Arpit Taneja