About Sightings and Feedback
One of the primary features of this application is to identify sightings and report them back to ThreatQ.
Sighting in this context is defined as evidence that a ThreatQ Indicator was discovered in one or more of the events in Splunk collected via other sources. Recording these sightings and reporting them back to ThreatQ provides analysts with important context around indicators included in their threat intelligence holdings.
The following steps summarize how indicators are stored in Splunk and how sightings are reported back to ThreatQ.
- The Input job configured on ThreatQuotient Add-on pulls indicators from ThreatQ.
- The Add-On sends the indicators to the indexer, which writes them to the default index (the user can override this) or to the KVStore.
You can configure where data is saved, the designated index or the KVStore, via the Enable Index checkbox on the Add ThreatQ Indicators form. See the Creating a New Input section of this guide for more details.
- The periodic saved search job threatq_match_indicators finds evidence of sightings of all indicators in the master lookup table against all events in Splunk (as filtered via the various configurable macros described above in this section). If evidence of sightings is found for a specific indicator, it is moved to the match lookup table.
- Simultaneously, another periodic saved search job threatq_update_matched_indicators finds more sightings for all indicators in the match lookup table against all events in Splunk (as filtered by the same configurable macros).
- A periodic saved search threatq_consume_indicators creates events in ThreatQ to represent the evidence of sightings found in Splunk.
- The periodic saved search job threatq_update_retired_indicators takes all indicators that have not been updated in the past 90 days out of both the master lookup table and the matched lookup table.
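The lifecycle those four jobs implement (first sighting moves an indicator from the master to the match table, later sightings update it, matched indicators are reported to ThreatQ, and anything stale for 90 days is retired from both tables) is modelled below in Python as an added illustration; it is not the Add-on's own code, which runs these steps as Splunk saved searches over lookups. The record fields, the substring match and the sample indicators and events are constructed assumptions.

```python
from datetime import datetime, timedelta

RETIRE_AFTER = timedelta(days=90)  # retirement window the guide describes

def find_sightings(indicators, events):
    """Return {indicator: [event times]} for indicators seen in any event.
    A simple substring match stands in for the macro-filtered SPL searches."""
    hits = {}
    for value in indicators:
        times = [e["_time"] for e in events if value in e["_raw"]]
        if times:
            hits[value] = times
    return hits

def run_cycle(master, matched, events, now):
    """One pass of the four saved searches (order assumed). Mutates both lookup
    tables in place and returns the sighting records that would go to ThreatQ."""
    # threatq_match_indicators: first sighting moves an entry master -> matched
    for value, times in find_sightings(master, events).items():
        rec = master.pop(value)
        rec.update(updated_at=max(times), sightings=sorted(times))
        matched[value] = rec
    # threatq_update_matched_indicators: add any further sightings to matched
    for value, times in find_sightings(matched, events).items():
        new = sorted(set(times) - set(matched[value]["sightings"]))
        if new:
            matched[value]["sightings"] += new
            matched[value]["updated_at"] = max(new)
    # threatq_consume_indicators: one sighting summary per matched indicator
    to_threatq = [{"indicator": v, "type": r["type"], "count": len(r["sightings"]),
                   "last_seen": max(r["sightings"])} for v, r in matched.items()]
    # threatq_update_retired_indicators: drop stale entries from BOTH tables
    for table in (master, matched):
        for value in [v for v, r in table.items() if now - r["updated_at"] > RETIRE_AFTER]:
            del table[value]
    return to_threatq

# Constructed sample data (hypothetical indicators and events, not real ThreatQ output)
def sample_master():
    return {
        "203.0.113.7": {"type": "IP Address", "updated_at": datetime(2024, 2, 1)},
        "evil.example": {"type": "FQDN", "updated_at": datetime(2024, 2, 20)},
        "198.51.100.9": {"type": "IP Address", "updated_at": datetime(2023, 10, 1)},
    }

SAMPLE_EVENTS = [
    {"_time": datetime(2024, 3, 5), "_raw": "conn src=203.0.113.7 dst=web01"},
    {"_time": datetime(2024, 3, 6), "_raw": "dns query evil.example from host22"},
    {"_time": datetime(2024, 3, 7), "_raw": "conn src=203.0.113.7 dst=web02"},
]
```

Running `run_cycle(sample_master(), {}, SAMPLE_EVENTS, now=datetime(2024, 3, 8))` matches the first two indicators and retires the third, which was last updated more than 90 days earlier.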
