opencybersecurityalliance / stix-shifter

This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.
https://stix-shifter.readthedocs.io

Splunk connector: Support of "url-domain" splunk CIM field for STIX2.1 "domain-name" pattern #1741

Open romain-filigran opened 2 weeks ago

romain-filigran commented 2 weeks ago

When converting a STIX pattern into a Splunk query, it appears that the STIX pattern "domain-name" is not associated with the "url_domain" field present in the Web CIM Splunk model. Does it make sense to you to add this field support?
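To make the request concrete, here is an added illustration (not stix-shifter's own translator or mapping file, and not code from the issue author) of what the missing mapping means in practice. A from-STIX field map is modelled as a plain dictionary, once without and once with `url_domain` listed for `domain-name:value`; a tiny translator turns a single-comparison STIX pattern into a Splunk search clause, and a simplified matcher shows why a Squid-style Web CIM event with `url_domain` set is only found once the field is mapped. The mapping tables, the sample event and the translator's output format are all constructed assumptions for this example.

```python
import re

# Hypothetical from-STIX field maps, constructed for this example
# (not stix-shifter's own Splunk mapping file).
MAPPING_BEFORE = {
    "domain-name": {"value": ["url"]},
    "ipv4-addr": {"value": ["src_ip", "dest_ip"]},
}
# Same map with the Splunk Web CIM field "url_domain" added for domain-name:value.
MAPPING_AFTER = {
    "domain-name": {"value": ["url", "url_domain"]},
    "ipv4-addr": {"value": ["src_ip", "dest_ip"]},
}

# Single comparison: [object-type:property OP 'value'], with OP in =, !=, LIKE.
COMPARISON_RE = re.compile(
    r"\[\s*([\w-]+):([\w.]+)\s*(=|!=|LIKE)\s*'([^']*)'\s*\]"
)


def parse_comparison(pattern):
    """Split a one-comparison STIX pattern into (object_type, property, op, value)."""
    m = COMPARISON_RE.fullmatch(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return m.groups()


def translate_comparison(pattern, mapping):
    """Translate the STIX comparison into a Splunk search clause using `mapping`.

    Every Splunk field mapped to the STIX property becomes one term; '=' and
    LIKE terms are OR-ed (any field may hold the value), '!=' terms are AND-ed.
    """
    obj_type, prop, op, value = parse_comparison(pattern)
    fields = mapping.get(obj_type, {}).get(prop)
    if not fields:
        raise ValueError(f"no Splunk field mapped for {obj_type}:{prop}")
    splunk_value = value.replace('"', '\\"')
    if op == "!=":
        return "(" + " AND ".join(f'{f} != "{splunk_value}"' for f in fields) + ")"
    if op == "LIKE":
        splunk_value = splunk_value.replace("%", "*")  # STIX '%' -> Splunk '*'
    return "(" + " OR ".join(f'{f} = "{splunk_value}"' for f in fields) + ")"


def build_search(pattern, mapping, index="main"):
    """Wrap the translated clause in a minimal Splunk search command."""
    return f"search index={index} {translate_comparison(pattern, mapping)}"


# Constructed event, modelled on a Squid access log normalised to the Web CIM.
SAMPLE_EVENT = {
    "src_ip": "10.0.0.5",
    "dest_ip": "203.0.113.10",
    "url": "http://example.com/index.html",
    "url_domain": "example.com",
    "http_method": "GET",
    "status": "200",
}


def event_matches(event, pattern, mapping):
    """Simplified emulation of Splunk evaluating the translated clause on one event.

    Exact string match for '=', glob-style match for LIKE, negation for '!='.
    Case folding and missing-field semantics of real Splunk are not modelled.
    """
    obj_type, prop, op, value = parse_comparison(pattern)
    fields = mapping[obj_type][prop]

    def field_hit(field):
        actual = event.get(field)
        if actual is None:
            return False
        if op == "LIKE":
            return re.fullmatch(re.escape(value).replace("%", ".*"), actual) is not None
        return actual == value

    hits = any(field_hit(f) for f in fields)
    return not hits if op == "!=" else hits


if __name__ == "__main__":
    pattern = "[domain-name:value = 'example.com']"
    for label, mapping in (("before", MAPPING_BEFORE), ("after", MAPPING_AFTER)):
        print(label, build_search(pattern, mapping),
              "-> matches sample event:", event_matches(SAMPLE_EVENT, pattern, mapping))
```

With only `url` mapped, the generated term compares the full URL against the bare domain, so the proxy event is missed; listing `url_domain` as well adds an OR-ed term that hits the CIM field Squid logs populate.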

DerekRushton commented 2 weeks ago

I'd need to see an example to know for sure, but chances are that it would make sense. Can you provide a sanitized example that can be used as a reference?

romain-filigran commented 2 weeks ago

Something like that? It's an example of a Squid log ingested with the CIM Web/Proxy Splunk model.

splunk_log_Web_Proxy_CIM_model.json

DerekRushton commented 2 weeks ago

When I have a chance I'll take a look and see if it will work. As long as it's in the format that gets returned from the API it should work. Mostly looking to ensure that when the change is made we have a way to verify that it works.