@@ -23,3 +23,88 @@ The Splunk SIEM App is available in Splunkbase. You can download it from [here](
2323- Test it by running the query ` | makeresults | eval ip="8.8.8.8" | cssmoke ipfield="ip" `
2424
2525![ Example Output] ( /img/splunk_siem/splunk_siem_example.png )
26+
27+ ![ Example Output (2)] ( /img/splunk_siem/splunk_siem_example_2.png )
28+
29+ ## Enriched Data
30+
31+ The following fields are automatically enriched using ** CrowdSec** intelligence:
32+
33+ (Please refer to the [ CrowdSec CTI API documentation] ( https://docs.crowdsec.net/u/cti_api/taxonomy/cti_object/ ) for more details on each field.)
34+
35+
36+ ### Reputation & Classification
37+
38+ * ` crowdsec_reputation ` : IP reputation
39+ * ` crowdsec_confidence ` : Confidence level
40+ * ` crowdsec_ip_range_score ` : The malevolence score of the IP range the IP belongs to
41+ * ` crowdsec_ip ` : Original IP address
42+ * ` crowdsec_ip_range ` : IP range
43+ * ` crowdsec_ip_range_24 ` : /24 range of the IP address
44+ * ` crowdsec_ip_range_24_reputation ` : Reputation of the range
45+ * ` crowdsec_ip_range_24_score ` : Score for the range
46+ * ` crowdsec_as_name ` : Autonomous system (AS) name
47+ * ` crowdsec_as_num ` : Autonomous system (AS) number
48+ * ` crowdsec_false_positives ` : Historical false positives
49+ * ` crowdsec_classifications ` : Classifications associated with the IP
50+
51+ ### Geolocation
52+
53+ * ` crowdsec_country ` : Country
54+ * ` crowdsec_city ` : City
55+ * ` crowdsec_latitude ` : Latitude
56+ * ` crowdsec_longitude ` : Longitude
57+ * ` crowdsec_reverse_dns ` : Reverse DNS result
58+
59+ ### Behavioral & Threat Intelligence
60+
61+ * ` crowdsec_behaviors ` : A list of the attack categories for which the IP was reported
62+ * ` crowdsec_mitre_techniques ` : A list of Mitre techniques associated with the IP
63+ * ` crowdsec_cves ` : A list of CVEs for which the IP has been reported for
64+ * ` crowdsec_attack_details ` : A more exhaustive list of the scenarios for which a given IP was reported
65+ * ` crowdsec_target_countries ` : The top 10 countries targeted by the IP
66+ * ` crowdsec_background_noise ` : The level of background noise of an IP address is an indicator of its internet activity intensity
67+ * ` crowdsec_background_noise_score ` : CrowdSec intelligence calculated score
68+ * ` crowdsec_references ` : A list of the CrowdSec Blockists the IP belongs to
69+
70+ ### Activity History
71+
72+ * ` crowdsec_first_seen ` : Date of the first time this IP was reported
73+ * ` crowdsec_last_seen ` : Date of the last time this IP was reported
74+ * ` crowdsec_full_age ` : Delta in days between first seen and today
75+ * ` crowdsec_days_age ` : Delta in days between first and last seen timestamps
76+
77+ ### Threat Scores Over Time
78+
79+ #### Overall
80+
81+ * ` crowdsec_overall_aggressiveness `
82+ * ` crowdsec_overall_threat `
83+ * ` crowdsec_overall_trust `
84+ * ` crowdsec_overall_anomaly `
85+ * ` crowdsec_overall_total `
86+
87+ #### Last Day
88+
89+ * ` crowdsec_last_day_aggressiveness `
90+ * ` crowdsec_last_day_threat `
91+ * ` crowdsec_last_day_trust `
92+ * ` crowdsec_last_day_anomaly `
93+ * ` crowdsec_last_day_total `
94+
95+ #### Last Week
96+
97+ * ` crowdsec_last_week_aggressiveness `
98+ * ` crowdsec_last_week_threat `
99+ * ` crowdsec_last_week_trust `
100+ * ` crowdsec_last_week_anomaly `
101+ * ` crowdsec_last_week_total `
102+
103+ #### Last Month
104+
105+ * ` crowdsec_last_month_aggressiveness `
106+ * ` crowdsec_last_month_threat `
107+ * ` crowdsec_last_month_trust `
108+ * ` crowdsec_last_month_anomaly `
109+ * ` crowdsec_last_month_total `
110+
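Review bot: the new "Threat Scores Over Time" subsections (lines 79 to 109 of the added file) list the `crowdsec_overall_*`, `crowdsec_last_day_*`, `crowdsec_last_week_*` and `crowdsec_last_month_*` fields bare, while every other field in this section carries a one-line description, so a reader cannot tell what `aggressiveness`, `trust` or `anomaly` measure or on what scale `total` is expressed. Suggest adding a short description per field, or at least one sentence under the heading that points to the relevant part of the CTI taxonomy page already linked at the top of the section. Two smaller fixes in the same hunk: "Blockists" in the `crowdsec_references` description should read "Blocklists", and "A list of CVEs for which the IP has been reported for" carries a duplicated "for". The two consecutive blank lines after the taxonomy link (lines 34 and 35) can also be collapsed to one.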