
Anomali Threatstream App: Integration and DA-ESS-ThreatIntelligence Data Model

adalbor
Builder

Hey All,

We currently use the Anomali Threatstream app in Enterprise Security along with an on-premise integrator to pull our CTI down.

The data is imported great and works awesome with the Threatstream app.

I would like to see if it's possible to integrate this data with ES itself so it can be leveraged in the Security Intelligence > Threat Intelligence sections and whatever else in ES uses that data model.

I see that Anomali creates a summary index with their data, but all of the fields are different from what is in the DA-ESS-ThreatIntelligence data model. Was hoping to not have to reinvent the wheel here.

Does anyone have any experience setting this up or have any recommendations?


starcher
Influencer

You should approach the vendor on their ES integration. They have known for a long time that they do not integrate well with the ES threat intel model. If you are going to cook it yourself, you need to cook off CSV lookup files from their data and map those for ES Threat Intel ingestion yourself. You can sneak a couple of fields that are not in the intel framework in through doing KV pairs in the description field in some cases. Just be careful with that. And you will have to write your own macro to break it back out for use in a search.

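An added example (not code from this thread, from Splunk or from Anomali) of the "cook it yourself" path described above: a constructed vendor indicator export is mapped to an ES threat-intel lookup CSV, the fields that have no home in the intel framework are packed into `description` as key=value pairs, and `unpack_extras` does what the search-time macro would have to do. The vendor column names (`value`, `itype`, `confidence`, `severity`, `source`) and the ES lookup columns (`ip`, `description`, `weight`) are assumptions for illustration.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of a vendor indicator export. Column names are assumptions,
# not the vendor's real schema; addresses are documentation ranges.
VENDOR_CSV = """value,itype,confidence,severity,source
203.0.113.10,mal_ip,85,high,feed-a
198.51.100.7,c2_ip,60,medium,feed-b
"""

# Assumed ES threat-intel lookup columns for an IP list.
ES_COLUMNS = ["ip", "description", "weight"]

# Vendor fields with no framework column; these ride along inside description.
EXTRA_FIELDS = ["itype", "severity", "source"]


def pack_extras(row: Dict[str, str]) -> str:
    """Encode non-framework fields as key=value pairs separated by ';'."""
    parts = []
    for key in EXTRA_FIELDS:
        value = row.get(key, "")
        # A ';' or '=' inside a value would corrupt the encoding, so refuse it
        # rather than silently producing a description the macro cannot parse.
        if ";" in value or "=" in value:
            raise ValueError(f"unsafe character in {key}: {value!r}")
        parts.append(f"{key}={value}")
    return ";".join(parts)


def unpack_extras(description: str) -> Dict[str, str]:
    """Inverse of pack_extras: the job of the search-time macro."""
    return dict(p.split("=", 1) for p in description.split(";") if "=" in p)


def to_es_rows(vendor_csv: str) -> List[Dict[str, str]]:
    """Map vendor rows onto the assumed ES lookup columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(vendor_csv)):
        # Clamp vendor confidence into a 1..100 weight (range is an assumption).
        weight = max(1, min(100, int(row["confidence"])))
        rows.append({"ip": row["value"],
                     "description": pack_extras(row),
                     "weight": str(weight)})
    return rows


def write_es_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise mapped rows as the CSV lookup file ES would ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```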

adalbor
Builder

Yep, I hit them up at the same time as I posted this.
They actually said they are working on it in their next release but they don't have an ETA.
Thanks for your response!


adalbor
Builder

Just to add and mark as complete.

Their newest app version 6.4 has the integration built in.

All you have to do is rerun setup, tell it to use CIM data models, and check that Upload to ES Threat Intelligence Framework is ticked within:
Settings -> Data Inputs -> Anomali IOC Ingestion -> threatstream_app

Once that stuff was done it worked like a charm.
