
Anomali Threatstream App: Integration and DA-ESS-ThreatIntelligence Data Model

adalbor
Builder

Hey All,

We currently use the Anomali Threatstream app in Enterprise Security along with an on-premise integrator to pull our CTI down.

The data is imported great and works awesome with the Threatstream app.

I would like to see if it's possible to integrate this data with ES itself so it can be leveraged in the Security Intelligence > Threat Intelligence sections and whatever else in ES uses that data model.

I see that Anomali creates a summary index with their data, but all of the fields are different from what is in the DA-ESS-ThreatIntelligence data model. Was hoping to not have to reinvent the wheel here.

Does anyone have any experience setting this up or have any recommendations?


starcher
SplunkTrust

You should approach the vendor on their ES integration. They have known for a long time they do not integrate well with the ES threat intel model. If you are going to cook it yourself, you need to cook off CSV lookup files from their data and map those for ES Threat Intel ingestion yourself. You can sneak a couple of fields that are not in the intel framework in through doing KV pairs in the description field in some cases. Just be careful with that. And you will have to write your own macro to break it back out for use in a search.

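A worked sketch of the "cook it yourself" path described in the answer above, added here as an example and not code from this thread, from the Anomali app or from Splunk ES: it maps constructed Anomali-style records onto an ES threat intel lookup CSV, packs the fields the framework has no column for into the description as key=value pairs, and shows the reverse parse a search-time macro would have to do. The input field names (value, itype, confidence, severity, source), the ES column names and the confidence-to-weight scaling are assumptions.

```python
import csv
import io

# Constructed sample of Anomali-style summary index events; the field names
# are assumptions, not the app's documented schema.
SAMPLE_RECORDS = [
    {"value": "203.0.113.7", "itype": "c2_ip", "confidence": 85, "severity": "high", "source": "feed_a"},
    {"value": "bad.example.net", "itype": "mal_domain", "confidence": 40, "severity": "medium", "source": "feed_b"},
    {"value": "http://bad.example.net/x", "itype": "phish_url", "confidence": 70, "severity": "low", "source": "feed_b"},
]

# Assumed ES threat intel lookup columns; which indicator column is filled depends on the type.
ES_COLUMNS = ["ip", "domain", "url", "description", "weight"]

def indicator_column(itype):
    """Pick the ES indicator column from the itype suffix; reject types we cannot map."""
    for suffix, column in (("_ip", "ip"), ("_domain", "domain"), ("_url", "url")):
        if itype.endswith(suffix):
            return column
    raise ValueError("unsupported itype: %s" % itype)

def pack_description(record, extra=("confidence", "severity", "source")):
    """Carry fields the framework has no column for as key=value pairs in description."""
    return ";".join("%s=%s" % (k, record[k]) for k in extra if k in record)

def unpack_description(description):
    """Reverse of pack_description: the work a search-time macro would do (values come back as strings)."""
    out = {}
    for pair in description.split(";"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            out[k.strip()] = v.strip()
    return out

def to_es_row(record):
    """Map one record onto the assumed ES columns; unused indicator columns stay empty."""
    row = dict.fromkeys(ES_COLUMNS, "")
    row[indicator_column(record["itype"])] = record["value"]
    row["description"] = pack_description(record)
    # Assumed scaling: confidence 0-100 onto an integer weight 1-10.
    row["weight"] = max(1, min(10, int(record["confidence"]) // 10))
    return row

def build_threatlist_csv(records):
    """Render the lookup file ES threat intel ingestion would read."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(to_es_row(rec))
    return buf.getvalue()
```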

adalbor
Builder

Yep, I hit them up at the same time as I posted this.
They actually said they are working on it in their next release but they don't have an ETA.
Thanks for your response!


adalbor
Builder

Just to add and mark as complete.

Their newest app version 6.4 has the integration built in.

All you have to do is rerun setup, tell it to use CIM data models, and check that Upload to ES Threat Intelligence Framework is ticked within:
Settings -> Data Inputs -> Anomali IOC Ingestion -> threatstream_app

Once that stuff was done it worked like a charm.
