topic Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax? in Splunk Enterprise Security

Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

johnmccash — Wed, 17 Feb 2016 21:43:22 GMT

I'm running Splunk Enterprise Security 4.0.1, and trying to import and match against Observables defined using Cybox Regex syntax and stored in a TAXII server. The Observables appear to be importing into ES, but I don't think they're being interpreted as Regular Expressions. Here's the relevant portion of one of the Observables. (I'd attach the whole file, but I apparently don't have enough Karma yet.)

<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="NTRS:observable-fb042acb-2427-4c37-9515-cfdfa75aa344">
        <cybox:Title>Email : ATTN: Invoice J-[0-9]{6,6}</cybox:Title>
        <cybox:Description>Dridex email subject regex</cybox:Description>
        <cybox:Object id="NTRS:Email-770c3cec-51dc-4ead-bae4-bc67bed66ae0">
            <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
                <EmailMessageObj:Header>
                    <EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
                        <AddressObj:Address_Value/>
                    </EmailMessageObj:From>
                    <EmailMessageObj:Subject pattern_type="Regex">ATTN: Invoice J-[0-9]{6,6}</EmailMessageObj:Subject>
                    <EmailMessageObj:User_Agent/>
                    <EmailMessageObj:X_Mailer/>
                </EmailMessageObj:Header>
                <EmailMessageObj:Email_Server/>
                <EmailMessageObj:Raw_Body><![CDATA[]]></EmailMessageObj:Raw_Body>
                <EmailMessageObj:Raw_Header><![CDATA[]]></EmailMessageObj:Raw_Header>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</stix:Observables>

Is this something that's supposed to work, or can be made to?

Thanks
John

Re: Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

LukeMurphey — Wed, 17 Feb 2016 22:17:49 GMT

ES' Threat Intelligence currently doesn't support regular expression patterns.

Re: Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

johnmccash — Thu, 18 Feb 2016 19:12:29 GMT

Hey Luke - long time no talk. I didn't know you were over at Splunk now. Do you know if this is functionality that's currently on the roadmap?
Thanks
John

Re: Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

LukeMurphey — Fri, 19 Feb 2016 18:58:58 GMT

It isn't yet. I initiated a discussion with PM and the engineer who wrote it in order to determine how feasible it is.

Re: Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

johnmccash — Mon, 29 Feb 2016 15:34:47 GMT

Awesome! I think this can make a huge difference, as a lot of useful indicators can't be accurately described without this sort of capability.
Thanks a ton, and let me know what gets decided.
John

Re: Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

johnmccash — Fri, 15 Apr 2016 15:08:23 GMT

It's been almost two months... Any update?