I am requesting that, when using an Alert to create an Incident or Incident Response, the TA parses all observables in an observable field if the field is multi-valued. Example Splunk stats results screenshot below.
Currently:
Based on the screenshot below the TA would create 6 Incidents/Incident Responses. However only the 2 incidents that have single IPs in the "octi_ip" field would get the observable attached to the event. The incidents that had multi-value "octi_ip" fields had 0 observables added to the incident.
Expected:
Based on the screenshot below the TA would create 6 Incidents/Incident Responses. Each IP value in the "octi_ip" field would be added to the incident as a distinct observable.
Reasoning:
Instead of creating potentially hundreds of incidents with 1 observable in them, we can bucket them by related information in Splunk so that an analyst does not have to combine the incidents manually into an incident response container.
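As an added example, not code from this issue or from the TA itself, the following shows how an alert action could expand a multi-value `octi_ip` field so that every IP in a row becomes a distinct observable on that row's incident. It assumes the Splunk alert-results CSV layout in which a multi-value cell is newline-joined in the plain column and mirrored in a `__mv_<field>` column as `$v1$;$v2$` (a literal `$` doubled as `$$`); the rows, hosts and IPs are constructed sample data.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Constructed sample of alert results as an alert action would receive them.
# Row 2 has a multi-value octi_ip cell (with a duplicate value on purpose);
# row 3 carries a value that is not an IP and must not become an observable.
SAMPLE_RESULTS_CSV = (
    'host,octi_ip,__mv_octi_ip\n'
    '"web-01","10.0.0.5",""\n'
    '"web-02","10.0.0.7\n10.0.0.8\n10.0.0.7","$10.0.0.7$;$10.0.0.8$;$10.0.0.7$"\n'
    '"db-01","not-an-ip",""\n'
)

# One encoded value: "$...$" where an embedded "$" is written as "$$" (assumed encoding).
MV_VALUE = re.compile(r'\$((?:[^$]|\$\$)*)\$')


def decode_mv(encoded: str) -> List[str]:
    """Decode a __mv_<field> cell ($v1$;$v2$) into its list of values."""
    return [m.group(1).replace('$$', '$') for m in MV_VALUE.finditer(encoded)]


def field_values(row: Dict[str, str], field: str) -> List[str]:
    """Every value of `field` in one result row, whether single- or multi-valued."""
    mv = row.get(f'__mv_{field}', '')
    if mv:
        return decode_mv(mv)
    # No __mv_ column: fall back to the plain cell, which Splunk joins with newlines.
    return [v for v in row.get(field, '').split('\n') if v]


def build_incidents(results_csv: str, field: str) -> List[Dict[str, object]]:
    """One incident per result row; each distinct, valid IP becomes one observable."""
    incidents = []
    for row in csv.DictReader(io.StringIO(results_csv)):
        seen, observables = set(), []
        for raw in field_values(row, field):
            value = raw.strip()
            try:
                version = ipaddress.ip_address(value).version
            except ValueError:
                continue  # not an IP address: skip it rather than attach junk
            if value not in seen:
                seen.add(value)
                observables.append({'type': f'ipv{version}-addr', 'value': value})
        incidents.append({'host': row['host'], 'observables': observables})
    return incidents
```

Running `build_incidents(SAMPLE_RESULTS_CSV, 'octi_ip')` yields three incidents: one observable for `web-01`, two for `web-02`, none for `db-01`.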