Splunk Enterprise Security

FS-ISAC Feeds Not Showing in Threat Artifacts

dantimola
Communicator

Good day,

I have enabled the FS-ISAC Threat Intelligence feed in our environment. I've confirmed that the feed was successful: when I checked the Threat Intelligence Audit dashboard, the FS-ISAC feed was there and had the download status "Retrieved document from TAXII feed". I also got the result status="Finished parsing STIX documents" success="159" failed="0" when using the search index=_internal sourcetype="threatintel:manager" "*fsisac*". However, when I checked the Threat Artifacts dashboard, the FS-ISAC feed was not there. How can I confirm whether Splunk ES is using the FS-ISAC feed? Have I missed a step in adding new threat intelligence via a TAXII feed? Should I create a lookup and saved search for this? Thanks

CSmoke
Path Finder

Something like the following should allow you to see the indicators in the various KV Stores. You can replace edge*xml with something like *fs_isac, as long as that is included in the name of the threat download you created:

| inputlookup file_intel
| append [ inputlookup ip_intel ]
| append [ inputlookup http_intel ]
| search threat_key=*edge*xml
| eval time=strftime(time,"%F %T")

DavidHourani
Super Champion

Hi @dantimola,

Have you tried looking into the appropriate kvstore collection, maybe the ip_intel or http_intel? You should be able to see your artifacts there using | inputlookup ip_intel. If they're not there, then you're missing something.

You can find the list of intels to look into here:
https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Supportedthreatinteltypes

jwelch_splunk
Splunk Employee

When stuff is downloaded, we log it to threatlist.log.

When stuff is parsed, we log it to threat_intelligence_manager.log.

If parsing is successful, we write it to the kvstore.

If we write to the kvstore, Lookup Gen searches are triggered by the threat_intelligence_manager, and the data is copied over to the DA-ESS-ThreatIntelligence/lookups/threatintel_by_foo.csv's.

When the "Threat Gen" searches run, if enabled, we take the info found from those searches and perform lookups against those threatintel_by_foo.csv's; if a match is made, we write an entry into the threat_activity index.

So, as pointed out: what do the logs say in threatlist.log / threat_intelligence_manager.log?

This is the best starting point to understand if in fact you have even configured your inputs properly to be able to download the data:

As an example, log entries like this in threatlist.log indicate you have cert problems:
2019-10-01 16:53:42,357+0000 INFO pid=140992 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=__init__.py:_poll_taxii_11:46 | Certificate not found - falling back to AUTH_BASIC.
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=__init__.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC

Paste your log entries here so we might be able to offer up some assistance. In addition, your inputs.conf config would be helpful as well so we can see your postargs... make sure you remove your creds/pass.
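A small triage script for the two log files described in this answer, added here as an illustration and not part of jwelch_splunk's reply or of Splunk ES itself. The sample lines are constructed in the threatlist.log format quoted above; the final "Finished parsing" line copies the status fields from the question, but its file name and stanza= field are assumptions, not real threat_intelligence_manager.log output.

```python
import re
from collections import defaultdict

# Constructed sample in the threatlist.log format quoted above; the last line mimics the manager log (assumed layout).
SAMPLE_LOG = """\
2019-10-01 16:53:42,357+0000 INFO pid=140992 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=__init__.py:_poll_taxii_11:46 | Certificate not found - falling back to AUTH_BASIC.
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=__init__.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC
2019-10-01 16:53:51,002+0000 INFO pid=140992 tid=MainThread file=threatlist.py:download_taxii:310 | status="Retrieved document from TAXII feed" stanza="FS-ISAC"
2019-10-01 16:54:10,115+0000 INFO pid=141020 tid=MainThread file=parsers.py:parse_stix:120 | status="Finished parsing STIX documents" success="159" failed="0" stanza="FS-ISAC"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) pid=(?P<pid>\d+) tid=\S+ file=(?P<file>\S+) \| (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # the key="value" pairs after the pipe

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    return rec

def triage(log_text):
    """Per stanza, record how far the feed got (polled -> retrieved -> parsed) and flag the gap."""
    feeds = defaultdict(lambda: {"polled": False, "retrieved": False,
                                 "cert_fallback": False, "success": None, "failed": None})
    last_stanza = {}  # pid -> stanza, so lines without stanza= inherit it from the same process
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        stanza = rec["fields"].get("stanza") or last_stanza.get(rec["pid"])
        if not stanza:
            continue
        last_stanza[rec["pid"]] = stanza
        s, status, msg = feeds[stanza], rec["fields"].get("status", ""), rec["msg"]
        s["polled"] |= status.startswith("TAXII feed polling starting")
        s["retrieved"] |= status.startswith("Retrieved document")
        s["cert_fallback"] |= "Certificate not found" in msg
        if status.startswith("Finished parsing"):
            s["success"], s["failed"] = int(rec["fields"].get("success", 0)), int(rec["fields"].get("failed", 0))
    for s in feeds.values():  # the first stage that did not complete is where to look next
        checks = [(s["polled"] and not s["retrieved"], "polled but nothing retrieved: check URL, credentials, proxy"),
                  (s["retrieved"] and s["success"] is None, "retrieved but no parse result in threat_intelligence_manager.log"),
                  (s["success"] == 0, "parser kept 0 indicators, so nothing reaches the KV store"),
                  (s["cert_fallback"], "client certificate not found, fell back to AUTH_BASIC")]
        s["warnings"] = [text for cond, text in checks if cond]
    return dict(feeds)
```

Feed it the concatenated contents of both log files (the pid links the fallback lines to their stanza); a feed with no warnings but still absent from Threat Artifacts points at the Lookup Gen stage rather than download or parsing.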

jawaharas
Motivator

Do you see the threat intelligence files in the directory that is mentioned on the 'Threat Intelligence Management' - Data Inputs page?

Eg: In '$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel' directory.

infosec2012074
Explorer
Even I am facing a similar issue and don't see any file in "$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel".