@@ -17,7 +17,10 @@ The Splunk SIEM App is available in Splunkbase. You can download it from [here](
1717
1818- Complete the App setup by providing your API Key
1919
20- ** N.B** : If you wish to change your key at a later date, you can do so on this same page.
20+ ::: info
21+ The batching option cannot be used with free CTI API keys. Batching allows to query up to 100 IPs at a time and is needed for any larger scale enrichments.
22+ :::
23+
2124
2225![ Setup View] ( /img/splunk_siem/splunk_siem_api_key_setup.png )
2326
@@ -26,87 +29,111 @@ The Splunk SIEM App is available in Splunkbase. You can download it from [here](
2629
2730![ Example Output] ( /img/splunk_siem/splunk_siem_example.png )
2831
32+
33+ ## Fields filtering
34+
35+ ` cssmoke ` supports a ` fields ` argument to restrict outputed fields, separated by commas.
36+
37+ ```
38+ cssmoke ipfield="ip" fields="confidence,reputation,cves"
39+ ```
40+
2941![ Example Output (2)] ( /img/splunk_siem/splunk_siem_example_2.png )
3042
43+ ## Multiple IP fields
44+
45+ All output fields have the prefix ` crowdsec_{field}_ ` . For event with multiple IPs (ie. ` ipsrc ` , ` ipdst ` ), the outputs will be in ` crowdsec_ipsrc_reputation ` , ` crowdsec_ipdst_reputation ` etc.
46+
47+ ![ Example Output (3)] ( /img/splunk_siem/splunk_siem_multiple_ips.png )
48+
49+
50+ ::: info
51+ Fields containing multiple IP values aren't supported.
52+ :::
53+
3154## Enriched Data
3255
3356The following fields are automatically enriched using ** CrowdSec** intelligence:
3457
3558(Please refer to the [ CrowdSec CTI API documentation] ( https://docs.crowdsec.net/u/cti_api/taxonomy/cti_object/ ) for more details on each field.)
3659
60+ ::: info
61+
62+ All output fields are prefixed with ` crowdsec_{field}_ ` .
63+ :::
3764
3865### Reputation & Classification
3966
40- * ` crowdsec_reputation ` : IP reputation
41- * ` crowdsec_confidence ` : Confidence level
42- * ` crowdsec_ip_range_score ` : The malevolence score of the IP range the IP belongs to
43- * ` crowdsec_ip ` : Original IP address
44- * ` crowdsec_ip_range ` : IP range
45- * ` crowdsec_ip_range_24 ` : /24 range of the IP address
46- * ` crowdsec_ip_range_24_reputation ` : Reputation of the range
47- * ` crowdsec_ip_range_24_score ` : Score for the range
48- * ` crowdsec_as_name ` : Autonomous system (AS) name
49- * ` crowdsec_as_num ` : Autonomous system (AS) number
50- * ` crowdsec_false_positives ` : Historical false positives
51- * ` crowdsec_classifications ` : Classifications associated with the IP
67+ * ` reputation ` : IP reputation
68+ * ` confidence ` : Confidence level
69+ * ` ip_range_score ` : The malevolence score of the IP range the IP belongs to
70+ * ` ip ` : Original IP address
71+ * ` ip_range ` : IP range
72+ * ` ip_range_24 ` : /24 range of the IP address
73+ * ` ip_range_24_reputation ` : Reputation of the range
74+ * ` ip_range_24_score ` : Score for the range
75+ * ` as_name ` : Autonomous system (AS) name
76+ * ` as_num ` : Autonomous system (AS) number
77+ * ` false_positives ` : Historical false positives
78+ * ` classifications ` : Classifications associated with the IP
5279
5380### Geolocation
5481
55- * ` crowdsec_country ` : Country
56- * ` crowdsec_city ` : City
57- * ` crowdsec_latitude ` : Latitude
58- * ` crowdsec_longitude ` : Longitude
59- * ` crowdsec_reverse_dns ` : Reverse DNS result
82+ * ` country ` : Country
83+ * ` city ` : City
84+ * ` latitude ` : Latitude
85+ * ` longitude ` : Longitude
86+ * ` reverse_dns ` : Reverse DNS result
6087
6188### Behavioral & Threat Intelligence
6289
63- * ` crowdsec_behaviors ` : A list of the attack categories for which the IP was reported
64- * ` crowdsec_mitre_techniques ` : A list of Mitre techniques associated with the IP
65- * ` crowdsec_cves ` : A list of CVEs for which the IP has been reported for
66- * ` crowdsec_attack_details ` : A more exhaustive list of the scenarios for which a given IP was reported
67- * ` crowdsec_target_countries ` : The top 10 countries targeted by the IP
68- * ` crowdsec_background_noise ` : The level of background noise of an IP address is an indicator of its internet activity intensity
69- * ` crowdsec_background_noise_score ` : CrowdSec intelligence calculated score
70- * ` crowdsec_references ` : A list of the CrowdSec Blockists the IP belongs to
90+ * ` behaviors ` : A list of the attack categories for which the IP was reported
91+ * ` mitre_techniques ` : A list of Mitre techniques associated with the IP
92+ * ` cves ` : A list of CVEs for which the IP has been reported for
93+ * ` attack_details ` : A more exhaustive list of the scenarios for which a given IP was reported
94+ * ` target_countries ` : The top 10 countries targeted by the IP
95+ * ` background_noise ` : The level of background noise of an IP address is an indicator of its internet activity intensity
96+ * ` background_noise_score ` : CrowdSec intelligence calculated score
97+ * ` references ` : A list of the CrowdSec Blockists the IP belongs to
7198
7299### Activity History
73100
74- * ` crowdsec_first_seen ` : Date of the first time this IP was reported
75- * ` crowdsec_last_seen ` : Date of the last time this IP was reported
76- * ` crowdsec_full_age ` : Delta in days between first seen and today
77- * ` crowdsec_days_age ` : Delta in days between first and last seen timestamps
101+ * ` first_seen ` : Date of the first time this IP was reported
102+ * ` last_seen ` : Date of the last time this IP was reported
103+ * ` full_age ` : Delta in days between first seen and today
104+ * ` days_age ` : Delta in days between first and last seen timestamps
78105
79106### Threat Scores Over Time
80107
81108#### Overall
82109
83- * ` crowdsec_overall_aggressiveness `
84- * ` crowdsec_overall_threat `
85- * ` crowdsec_overall_trust `
86- * ` crowdsec_overall_anomaly `
87- * ` crowdsec_overall_total `
110+ * ` overall_aggressiveness `
111+ * ` overall_threat `
112+ * ` overall_trust `
113+ * ` overall_anomaly `
114+ * ` overall_total `
88115
89116#### Last Day
90117
91- * ` crowdsec_last_day_aggressiveness `
92- * ` crowdsec_last_day_threat `
93- * ` crowdsec_last_day_trust `
94- * ` crowdsec_last_day_anomaly `
95- * ` crowdsec_last_day_total `
118+ * ` last_day_aggressiveness `
119+ * ` last_day_threat `
120+ * ` last_day_trust `
121+ * ` last_day_anomaly `
122+ * ` last_day_total `
96123
97124#### Last Week
98125
99- * ` crowdsec_last_week_aggressiveness `
100- * ` crowdsec_last_week_threat `
101- * ` crowdsec_last_week_trust `
102- * ` crowdsec_last_week_anomaly `
103- * ` crowdsec_last_week_total `
126+ * ` last_week_aggressiveness `
127+ * ` last_week_threat `
128+ * ` last_week_trust `
129+ * ` last_week_anomaly `
130+ * ` last_week_total `
104131
105132#### Last Month
106133
107- * ` crowdsec_last_month_aggressiveness `
108- * ` crowdsec_last_month_threat `
109- * ` crowdsec_last_month_trust `
110- * ` crowdsec_last_month_anomaly `
111- * ` crowdsec_last_month_total `
134+ * ` last_month_aggressiveness `
135+ * ` last_month_threat `
136+ * ` last_month_trust `
137+ * ` last_month_anomaly `
138+ * ` last_month_total `
112139
0 commit comments