[Feat] IoC Column Fields Selectable

[8ear]

Why

Not every company wants the same data in its Splunk system, so different TIE columns may not be needed in the system. However, each column field costs Splunk index volume, download and processing time.

What

Every available column field should be selectable via the web interface and only the activated column fields should be used. The default should be selected and the rest should be available via advanced setting button.

The following JSON elements are available in the TIE and should be usable:

• max_confidence
• source_pseudonyms
• ioc_attributes
• n_occurencies
• value
• created_at
• enrich
• min_confidence
• comment
• enrichment_requested
• event_ids
• hotness
• enriched_at
• updated_at
• data_type
• max_severity
• first_seen
• categories
• actors
• families
• last_seen
• event_attributes
• min_severity

Default activated:

• value
• min_severity
• max_severity
• min confidence
• max_confidence
• actor
• familiy
• category
• n_occurences
• source_pseudonyms

A great example can be:

• https://splunkbase.splunk.com/app/3457/

How

• Add parameter to tie2index.py script
• Add parameter to web configuration
• Test