[Feat] IoC Column Fields Selectable #5
Description
Why
Not every company wants the same data in its Splunk system, so different TIE columns may not be needed in the system. However, each column field costs Splunk index volume, download and processing time.
What
Every available column field should be selectable via the web interface and only the activated column fields should be used. The default should be selected and the rest should be available via advanced setting button.
The following JSON elements are available in the TIE and should be usable:
- max_confidence
- source_pseudonyms
- ioc_attributes
- n_occurencies
- value
- created_at
- enrich
- min_confidence
- comment
- enrichment_requested
- event_ids
- hotness
- enriched_at
- updated_at
- data_type
- max_severity
- first_seen
- categories
- actors
- families
- last_seen
- event_attributes
- min_severity
Default activated:
- value
- min_severity
- max_severity
- min confidence
- max_confidence
- actor
- familiy
- category
- n_occurences
- source_pseudonyms
A great example can be:
How
- Add parameter to tie2index.py script
- Add parameter to web configuration
- Test