
Splunk connector: Support of "url-domain" splunk CIM field for STIX2.1 "domain-name" pattern #1741

Open
romain-filigran opened this issue Oct 19, 2024 · 3 comments

Comments

@romain-filigran

When converting a STIX pattern into a Splunk query, it appears that the STIX pattern "domain-name" is not associated with the "url_domain" field present in the Web CIM Splunk model.
Does it make sense to you to add this field support?
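As an added illustration of the mapping gap described in this issue (example code written for this page, not stix-shifter's own translator): a minimal STIX-to-SPL translation driven by a constructed from-STIX field map, shown before and after `url_domain` is added, and evaluated against a constructed Squid proxy event normalised to the Web/Proxy CIM model. The map layout, the event fields and the helper names are assumptions.

```python
import re

# Constructed from-STIX field maps in the shape of stix-shifter's
# from_stix_map.json (STIX object -> "fields" -> STIX property -> CIM fields).
# Assumption: today domain-name is mapped only to the DNS data model's "query".
MAP_BEFORE = {"domain-name": {"fields": {"value": ["query"]}}}
MAP_AFTER = {"domain-name": {"fields": {"value": ["query", "url_domain"]}}}

# One equality comparison, e.g. [domain-name:value = 'example.com']
COMPARISON_RE = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]")


def stix_to_clauses(pattern, field_map):
    """Return [(cim_field, value), ...] for a single-comparison STIX pattern.
    Raises KeyError when the STIX property has no Splunk CIM field mapped."""
    m = COMPARISON_RE.fullmatch(pattern.strip())
    if m is None:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    obj, prop, value = m.groups()
    fields = field_map.get(obj, {}).get("fields", {}).get(prop)
    if not fields:
        raise KeyError(f"no Splunk CIM field mapped for {obj}:{prop}")
    return [(f, value) for f in fields]


def clauses_to_spl(clauses):
    """Render the clauses as an SPL search; alternative CIM fields are OR-ed."""
    terms = ['{}="{}"'.format(f, v.replace('"', '\\"')) for f, v in clauses]
    return "search (" + " OR ".join(terms) + ")"


def event_matches(event, clauses):
    """Evaluate the clauses against one CIM-normalised event dict the way the
    SPL would: a field that is absent from the event never matches."""
    return any(field in event and str(event[field]).lower() == value.lower()
               for field, value in clauses)


# Constructed event shaped like a Squid access log after Web/Proxy CIM
# normalisation: it carries url_domain but no DNS "query" field.
PROXY_EVENT = {"sourcetype": "squid:access", "action": "allowed",
               "url": "http://example.com/index.html", "url_domain": "example.com",
               "src": "10.0.0.5", "dest": "192.0.2.10"}
PATTERN = "[domain-name:value = 'example.com']"

if __name__ == "__main__":
    for label, fmap in (("before", MAP_BEFORE), ("after", MAP_AFTER)):
        clauses = stix_to_clauses(PATTERN, fmap)
        print(label, clauses_to_spl(clauses), "->", event_matches(PROXY_EVENT, clauses))
```

With the current map the translated search only looks at the DNS `query` field and misses the proxy event entirely; with `url_domain` added the same STIX pattern matches it.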

@DerekRushton
Collaborator

I'd need to see an example to know for sure, but chances are that it would make sense. Can you provide a sanitized example that can be used as a reference?

@romain-filigran
Author

Something like that? It's an example of a Squid log ingested with the CIM Web/Proxy Splunk model.

splunk_log_Web_Proxy_CIM_model.json

@DerekRushton
Collaborator

When I have a chance I'll take a look and see if it will work. As long as it's in the format that gets returned from the API it should work. Mostly looking to ensure that when the change is made we have a way to verify that it works.
