Detection Engineering I • Room 3
Threat Objects
When designing a detection, the engineer must explicitly define the "Threat Object": the artifact (an IP address, file hash or filename) that represents the malicious activity.
Extracting it into a dedicated field allows downstream integration with Threat Intelligence and SOAR playbooks for automated blocking.
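As an added example (not part of the room's own material), here is a correlation search that isolates the threat object into its own field so a playbook can act on it without parsing the raw event. The index name, the `action` value and the thresholds are constructed assumptions; `threat_object_type` and `risk_object` follow the Splunk Enterprise Security risk-based alerting convention and are not stated on this page.

```spl
index=firewall action=blocked
| bin _time span=10m
| stats count AS blocked_connections, dc(dest_port) AS ports_touched BY _time, src_ip, dest_ip
| where blocked_connections > 100 AND ports_touched > 20
| eval threat_object=dest_ip, threat_object_type="ip"
| eval risk_object=src_ip, risk_object_type="system"
| table _time, risk_object, risk_object_type, threat_object, threat_object_type, blocked_connections, ports_touched
```

The `stats` and `where` lines carry the detection logic; the two `eval` lines are the only part a downstream blocking playbook needs to read, which is the point of naming the field consistently.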
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
You are writing a correlation search. Use the `eval` command to create a new field called `threat_object` and set its value to the existing `dest_ip` field.