DCSO / TIE-Splunk-TA

DCSO Threat Intelligence Engine (TIE) Add-On for Splunk v8
BSD 3-Clause "New" or "Revised" License

[Feat] Mark and exclude IoCs which get a delete flag #8

Closed 8ear closed 4 years ago

8ear commented 5 years ago

Why

An IoC in Splunk has a long retention time, and if a user gets an IoC today and tomorrow we know that it is a false positive, we require a mechanism to exclude or delete the IoC from every search.

What

If an IoC gets the delete flag, exclude or delete the IoC.

Alternatively, we can run a search once a week to request all IoCs from TIE and check whether the IoC has a delete flag and exist the IoC.

How

n/a

geertjanvdk commented 4 years ago

The current implementation, with defaults in place, will actually not import non-malicious IoCs (severity==0). It will only import severity >= 1. There is no "deleted flag".


geertjanvdk commented 4 years ago

We will also support ranges for confidence; then we have it all covered.
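The two filtering rules discussed in this thread (the default of importing only IoCs with severity >= 1, and the requested confidence range) and the opening post's alternative of periodically re-pulling the feed and dropping IoCs that no longer qualify, written out as an added, stand-alone example. This is illustrative code, not the TIE-Splunk-TA implementation: the record layout (fields named value, data_type, severity, confidence), the sample records and the function names are constructed assumptions.

```python
# Added example, not TIE-Splunk-TA code. Field names and sample records are
# constructed to resemble an indicator feed; they are assumptions, not the
# real TIE schema.
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample feed: one non-malicious entry (severity 0), one
# low-confidence entry, and two entries that clear both thresholds.
SAMPLE_IOCS: List[Dict] = [
    {"value": "198.51.100.7", "data_type": "ip", "severity": 3, "confidence": 80},
    {"value": "203.0.113.9", "data_type": "ip", "severity": 0, "confidence": 95},
    {"value": "example.test", "data_type": "domain", "severity": 1, "confidence": 20},
    {"value": "mal.example", "data_type": "domain", "severity": 5, "confidence": 60},
]


def ioc_passes(
    ioc: Dict,
    min_severity: int = 1,
    confidence_range: Optional[Tuple[int, int]] = None,
) -> bool:
    """Return True when an IoC meets the import thresholds.

    min_severity=1 reproduces the default described in the thread: severity 0
    (non-malicious) is never imported. confidence_range is an optional
    inclusive (low, high) window, the "ranges for confidence" mentioned above.
    Missing or malformed fields are treated as 0 so that a broken record is
    excluded rather than imported by accident.
    """
    try:
        severity = int(ioc.get("severity", 0))
        confidence = int(ioc.get("confidence", 0))
    except (TypeError, ValueError):
        return False
    if severity < min_severity:
        return False
    if confidence_range is not None:
        low, high = confidence_range
        if not (low <= confidence <= high):
            return False
    return True


def filter_iocs(
    iocs: Iterable[Dict],
    min_severity: int = 1,
    confidence_range: Optional[Tuple[int, int]] = None,
) -> List[Dict]:
    """Keep only the IoCs that pass the thresholds, preserving feed order."""
    return [i for i in iocs if ioc_passes(i, min_severity, confidence_range)]


def stale_values(
    existing_values: Set[str],
    fresh_iocs: Iterable[Dict],
    min_severity: int = 1,
    confidence_range: Optional[Tuple[int, int]] = None,
) -> Set[str]:
    """Reconciliation step for the periodic re-pull suggested in the issue.

    existing_values is the set of indicator values currently held in Splunk
    (e.g. read from a lookup); fresh_iocs is the full feed requested again.
    Returns the values that should be removed because they are either no
    longer in the feed or no longer pass the thresholds (for example, an
    indicator later downgraded to severity 0).
    """
    still_valid = {
        i["value"] for i in filter_iocs(fresh_iocs, min_severity, confidence_range)
    }
    return existing_values - still_valid


if __name__ == "__main__":
    for ioc in filter_iocs(SAMPLE_IOCS, confidence_range=(50, 100)):
        print("import:", ioc["data_type"], ioc["value"])
    held = {"198.51.100.7", "203.0.113.9", "old.example"}
    print("remove:", sorted(stale_values(held, SAMPLE_IOCS, confidence_range=(50, 100))))
```

With the defaults, only the severity-0 record is dropped; adding a confidence window of 50 to 100 also drops the low-confidence domain. The reconciliation function is what a weekly scheduled job would call: it does not need a delete flag from the feed, since anything absent from the fresh pull, or no longer passing the thresholds, is reported for removal.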