CIM Model Matching
The ThreatQuotient App for Splunk runs in Datamodel Search mode when you use Splunk's Common Information Model (CIM) and map your logs and events to the data models Splunk provides.
The following table summarizes which data model fields the matching algorithm compares against which ThreatQuotient indicator types.
ThreatQ indicator type to CIM field map for the matching algorithm
CIM Data Model | Data Model Field | ThreatQ Indicator Types Matched
---|---|---
Authentication | Authentication.src_user | Username
 | Authentication.user | Username
Certificates | Certificates.All_Certificates.SSL.ssl_hash | SHA-1, SHA-256, SHA-384, SHA-512
 | Certificates.All_Certificates.SSL.ssl_issuer_email | Email Address
 | Certificates.All_Certificates.SSL.ssl_subject_email | Email Address
 | Certificates.All_Certificates.SSL.ssl_subject_common_name | String
 | Certificates.All_Certificates.SSL.ssl_issuer_common_name | String
 | Certificates.All_Certificates.SSL.ssl_subject_organization | String
 | Certificates.All_Certificates.SSL.ssl_issuer_organization | String
 | Certificates.All_Certificates.SSL.ssl_serial | String
 | Certificates.All_Certificates.SSL.ssl_subject_unit | String
 | Certificates.All_Certificates.SSL.ssl_issuer_unit | String
Endpoint | Endpoint.Services.service | Service Name
 | Endpoint.Processes.process_name | Service Name
 | Endpoint.Filesystem.file_name | Filename
 | Endpoint.Filesystem.file_hash | SHA-1, SHA-256, SHA-384, SHA-512
Email | Email.All_Email.file_name | Filename
 | Email.All_Email.file_hash | SHA-1, SHA-256, SHA-384, SHA-512
 | Email.All_Email.subject | Email Subject
 | Email.All_Email.src_user | Email Address
Intrusion_Detection | Intrusion_Detection.IDS_Attacks.src | IP Address, IPv6 Address
 | Intrusion_Detection.IDS_Attacks.signature | String
 | Intrusion_Detection.IDS_Attacks.user | Username
Inventory | All_Inventory.User.user | Username
Malware | Malware.Malware_Attacks.file_name | Filename
 | Malware.Malware_Attacks.file_hash | SHA-1, SHA-256, SHA-384, SHA-512
 | Malware.Malware_Attacks.signature | String
 | Malware.Malware_Attacks.sender | Email Address
 | Malware.Malware_Attacks.src | IP Address, IPv6 Address
 | Malware.Malware_Attacks.user | Username
Network_Traffic | Network_Traffic.All_Traffic.src | IP Address, IPv6 Address
Network Resolution (DNS) | Network_Resolution.DNS.query | FQDN, String
 | Network_Resolution.DNS.answer | FQDN, String
Updates | Updates.Updates.file_name | Filename
 | Updates.Updates.file_hash | SHA-1, SHA-256, SHA-384, SHA-512
Web | Web.Web.user | Username
 | Web.Web.http_referrer | URL
 | Web.Web.url | URL
 | Web.Web.http_user_agent | User-agent
 | Web.Web.src | IP Address, IPv6 Address
 | Web.Web.dest | IP Address, IPv6 Address
Incident_Management | Incident_Management.Notable_Events.src | IP Address, IPv6 Address
 | Incident_Management.Suppressed_Notable_Events.src | IP Address, IPv6 Address
 | Incident_Management.Notable_Event_Suppressions.Suppression_Audit.signature | String
 | Incident_Management.Notable_Event_Suppressions.Suppression_Audit_Expired.signature | String
 | Incident_Management.Notable_Event_Suppressions.Suppression_Audit.user | Username
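As an added illustration (not ThreatQuotient's own code), the following Python matcher applies a subset of the map above to a CIM-normalised event and a constructed indicator set, showing how a field is only compared against the indicator types the table allows for it. Exact string comparison and the list form of Splunk multivalue fields are assumptions; the page does not describe the app's normalisation.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Subset of the CIM field -> ThreatQ indicator type map from the table above.
CIM_FIELD_TO_TYPES: Dict[str, Tuple[str, ...]] = {
    "Network_Traffic.All_Traffic.src": ("IP Address", "IPv6 Address"),
    "Web.Web.url": ("URL",),
    "Endpoint.Filesystem.file_hash": ("SHA-1", "SHA-256", "SHA-384", "SHA-512"),
    "Network_Resolution.DNS.query": ("FQDN", "String"),
}

# Constructed sample indicators as (type, value); in practice these come from ThreatQ.
SAMPLE_INDICATORS: List[Tuple[str, str]] = [
    ("IP Address", "203.0.113.10"),
    ("IPv6 Address", "2001:db8::1"),
    ("FQDN", "malicious.example"),
    ("String", "malicious.example"),  # same value stored under a second type
    ("SHA-256", "a" * 64),
]

# Constructed CIM-normalised event, as a datamodel search might return it.
SAMPLE_EVENT = {
    "Network_Traffic.All_Traffic.src": "203.0.113.10",
    "Network_Resolution.DNS.query": ["malicious.example", "benign.example"],
    "Endpoint.Filesystem.file_hash": "a" * 64,
    "Web.Web.url": "malicious.example",  # only URL indicators are consulted here
}

def build_index(indicators: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Index indicator value -> set of ThreatQ types that carry that value."""
    index: Dict[str, Set[str]] = {}
    for itype, value in indicators:
        index.setdefault(value, set()).add(itype)
    return index

def match_event(event: dict, index: Dict[str, Set[str]],
                field_map: Dict[str, Tuple[str, ...]] = CIM_FIELD_TO_TYPES
                ) -> List[Tuple[str, str, str]]:
    """Return (cim_field, indicator_type, value) for every field value equal to
    an indicator whose type the map permits for that field (exact match assumed)."""
    hits: List[Tuple[str, str, str]] = []
    for field, allowed in field_map.items():
        raw = event.get(field)
        if raw is None:
            continue
        values = raw if isinstance(raw, list) else [raw]  # multivalue field
        for value in values:
            for itype in sorted(index.get(value, ())):
                if itype in allowed:
                    hits.append((field, itype, value))
    return hits

if __name__ == "__main__":
    for hit in match_event(SAMPLE_EVENT, build_index(SAMPLE_INDICATORS)):
        print(hit)
```

Note that the `Web.Web.url` value produces no hit even though the same string exists as an FQDN and String indicator: the table maps that field to URL indicators only.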