Previously, when setting up the add-on, it was possible to specify an
integer for severity and confidence. The IoCs would then be filtered by
allowing everything equal to or greater than the value. This works well,
but it does not allow a finer-grained result, which the TIE API does
allow.

We add the possibility to specify ranges for Severity and Confidence.
This means that one can specify, for example, 1-5, excluding IoCs with
severity 0 or 6. Similarly with Confidence, 30-80 will only get you
the IoCs with confidence between 30 and 80. If you want all but 100
confidence, you can do -99.

Previously configured values are supported and will be used. Where the
value was 1 before, this now means the range 1-.

The filtering has been revamped, and the big IF-statement is no more.
It is replaced with code that checks more thoroughly whether the
filter values make sense.

The Splunk setup.xml has been extended with more useful information
about how to configure the add-on. We could not figure out how to show
a validation message, so we went with creating a message to check the
logs instead.

Logging was reworked so that dcso_tie.log now contains JSON entries.
This can be indexed through Splunk itself. Timestamps are also RFC 3336
compliant and more JS friendly.
Resolves #8