Re: FS-ISAC Feeds Not Showing in Threat Artifacts

dantimola · ‎09-13-2019

Good day,

I have enabled FS-ISAC Threat Intelligence feed to our environment. I've confirmed that the feed was successfully when I checked the Threat Intelligence Audit dashboard FS-ISAC feed was there and has a download status Retrieved document from TAXII feed, I also got the result status="Finished parsing STIX documents" success="159" failed="0" when using the search index=_internal sourcetype="threatintel:manager" "*fsisac*", however when I checked the Threat Artifacts dashboard the FS-ISAC feed was not there. How can I confirm if Splunk ES is using the FS-ISAC feed? Have I missed a step in adding new threat intelligence via TAXII feed? Should I create lookup and Saved Search for this? Thanks

CSmoke · ‎12-16-2019

Something like the following should allow you to see the indicators in the various KV Stores, you can replace edge*xml
with something like *fs_isac as long as that is included in the name of the threat download you created

DavidHourani · ‎09-23-2019

Hi @dantimola,

Have you tried looking into the appropriate kvstore collection, maybe the ip_intel or http_intel? You should be able to see your artifacts there using |inputlookup ip_intel . If they're not then you're missing something.

You can find the list of intels to look into here :
https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Supportedthreatinteltypes

jwelch_splunk · ‎10-11-2019

When stuff is downloaded we log it in to threatlist.log

When stuff is parsed we log it in to threat_intelligence_manager.log

If parsing is successful we write it to kvstore

If we write to kvstsore Lookup Gen searches are triggered by the threat_intellitence_manager, and the data is copied over to the DA-ESS-ThreatIntelligence/lookups/threatintel_by_foo.csv's

When the "Threat Gen" searches run, if enabled, we take the info found from those searches and perform lookups against those threatintel_by_foo.csv's, if a match is made we write an entry into the threat_activity index.

So as pointed out. What do the logs say for the threatlist.log / threat_intelligence_manager.log

This is the best starting point to understand if in fact you have even configured your inputs properly to be able to download the data:

as an example log entries like this in threatlist.log indicate your have cert problems:
2019-10-01 16:53:42,357+0000 INFO pid=140992 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=init.py:poll_taxii_11:46 | Certificate not found - falling back to AUTH_BASIC.
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=init_.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC

Paste your log entries here so we might be able to offer up some assistance, in addition your inputs.conf config would be helpful as well so we can see your postargs... make sure you remove your creds/pass

jawaharas · ‎09-17-2019

Do you see the threat intelligence files in the directory that is mentioned the 'Threat Intelligence Management' - Data Inputs page?

Eg: In '$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel' directory.

infosec2012074 · ‎11-01-2020

even i am facing similar issue and dont see any file in "$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel"

FS-ISAC Feeds Not Showing in Threat Artifacts

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life