Reporting Sightings in ThreatQ

A sighting in Splunk is evidence that an indicator from ThreatQ was seen in one or more events in Splunk. This is valuable context for an analyst, and the app reports it back to ThreatQ in the form of an Event.

Single Event for Each Sighted Indicator

ThreatQ captures all sightings for an indicator in a single event. When additional sightings of the same indicator are detected, the time-dependent attributes of that event (Last Seen, Count and the Splunk URL) are updated in place. This allows the analyst to gather context on all sightings of that indicator from one event.

Multiple Events for Each Sighted Indicator

If multiple sightings of the same indicator occur during the same time period, they are all captured in a single event. However, sightings of that indicator in a later time period create a new event in ThreatQ rather than updating the existing one.

See the Sighting Event Configuration instructions under the Installing the App Component section (App Configuration tab) for more details.

The following attributes are recorded for the event.

Attribute             Description
First Seen            Timestamp when the first sighting for this indicator was recorded in Splunk. This attribute does not change.
Last Seen             Timestamp when the latest sighting for this indicator was recorded in Splunk. This attribute updates as newer sightings are detected.
Count                 The total count of all sightings recorded for this indicator from First Seen until Last Seen.
Splunk URL            The URL that allows the analyst to view all sightings for this indicator in Splunk from First Seen until Last Seen.
Datamodel Name        The datamodel name, included only if the matching was performed using a datamodel.
Splunk Custom Fields  The custom fields that match the Splunk Custom Fields configuration setting.

The latest matched raw event from Splunk is also added as the event description if raw matching is enabled and the app is configured to send the latest event to ThreatQ.

The screen capture below shows an example event recorded in ThreatQuotient by the Splunk App.

(Screen capture: example sighting event recorded in ThreatQ)

The following contextual data is added to the indicator:

Attribute                  Description
Splunk Sighting Timestamp  When the latest sighting for this indicator was recorded in Splunk.
Match Count                The total count of all sightings recorded for this indicator.
Source                     "Splunk" is added as the Source for this indicator.
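As an added illustration (not code from the ThreatQ Splunk App), the Python below models the two event modes described above and the context written to the indicator: the sample matches, the 24-hour "time period" window and the form of the Splunk URL are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import quote

# Constructed sample matches: (indicator value, time of the matching Splunk event).
SAMPLE_MATCHES = [
    ("198.51.100.7", datetime(2024, 5, 1, 9, 0)),
    ("198.51.100.7", datetime(2024, 5, 1, 9, 20)),
    ("evil.example", datetime(2024, 5, 1, 10, 5)),
    ("198.51.100.7", datetime(2024, 5, 3, 8, 0)),
]

@dataclass
class SightingEvent:
    """One ThreatQ sighting event with the attributes from the event table."""
    indicator: str
    first_seen: datetime  # fixed once the event is created
    last_seen: datetime   # advances as newer sightings are detected
    count: int = 1        # sightings between first_seen and last_seen

    def splunk_url(self, base="https://splunk.example/app/search/search"):
        # Hypothetical URL form (assumption): a search scoped to this event's window.
        q = f'"{self.indicator}" earliest="{self.first_seen.isoformat()}" latest="{self.last_seen.isoformat()}"'
        return f"{base}?q={quote('search ' + q)}"

def build_events(matches, mode, window=timedelta(hours=24)):
    """Fold raw matches into events. mode="single": one event per indicator, updated
    forever. mode="multiple": a match within `window` of the open event's First Seen
    joins it, a later one opens a new event (the fixed window is an assumption)."""
    events = []
    for indicator, ts in sorted(matches, key=lambda m: m[1]):
        # Most recently created event for this indicator, if any.
        current = next((e for e in reversed(events) if e.indicator == indicator), None)
        if current and (mode == "single" or ts - current.first_seen <= window):
            current.last_seen = max(current.last_seen, ts)
            current.count += 1
        else:
            events.append(SightingEvent(indicator, ts, ts))
    return events

def indicator_context(events, indicator):
    """Context attached to the indicator itself (second table): latest sighting,
    total Match Count across all of its events, and the Source."""
    mine = [e for e in events if e.indicator == indicator]
    return {
        "Splunk Sighting Timestamp": max(e.last_seen for e in mine).isoformat(),
        "Match Count": sum(e.count for e in mine),
        "Source": "Splunk",
    }
```

Running build_events(SAMPLE_MATCHES, "single") yields one event per indicator with the IP's Count at 3, while "multiple" splits the IP's sightings into two events because the third match falls outside the 24-hour window.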