Splunk Enterprise Security

FS-ISAC Feeds Not Showing in Threat Artifacts

Communicator

Good day,

I have enabled FS-ISAC Threat Intelligence feed to our environment. I've confirmed that the feed was successfully when I checked the Threat Intelligence Audit dashboard FS-ISAC feed was there and has a download status Retrieved document from TAXII feed, I also got the result status="Finished parsing STIX documents" success="159" failed="0" when using the search index=_internal sourcetype="threatintel:manager" "*fsisac*", however when I checked the Threat Artifacts dashboard the FS-ISAC feed was not there. How can I confirm if Splunk ES is using the FS-ISAC feed? Have I missed a step in adding new threat intelligence via TAXII feed? Should I create lookup and Saved Search for this? Thanks

0 Karma

Path Finder

Something like the following should allow you to see the indicators in the various KV Stores, you can replace edge*xml
with something like *fs_isac
as long as that is included in the name of the threat download you created

| inputlookup file_intel
| append [ inputlookup ip_intel ]
| append [ inputlookup http_intel ]
| search threat_key=*edge*xml
| eval time=strftime(time,"%F %T")

0 Karma

SplunkTrust
SplunkTrust

Hi @dantimola,

Have you tried looking into the appropriate kvstore collection, maybe the ip_intel or http_intel? You should be able to see your artifacts there using |inputlookup ip_intel . If they're not then you're missing something.

You can find the list of intels to look into here :
https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Supportedthreatinteltypes

0 Karma

Splunk Employee
Splunk Employee

When stuff is downloaded we log it in to threatlist.log

When stuff is parsed we log it in to threat_intelligence_manager.log

If parsing is successful we write it to kvstore

If we write to kvstsore Lookup Gen searches are triggered by the threat_intellitence_manager, and the data is copied over to the DA-ESS-ThreatIntelligence/lookups/threatintel_by_foo.csv's

When the "Threat Gen" searches run, if enabled, we take the info found from those searches and perform lookups against those threatintel_by_foo.csv's, if a match is made we write an entry into the threat_activity index.

So as pointed out. What do the logs say for the threatlist.log / threat_intelligence_manager.log

This is the best starting point to understand if in fact you have even configured your inputs properly to be able to download the data:

as an example log entries like this in threatlist.log indicate your have cert problems:
2019-10-01 16:53:42,357+0000 INFO pid=140992 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=init.py:poll_taxii_11:46 | Certificate not found - falling back to AUTH_BASIC.
2019-10-01 16:53:42,410+0000 INFO pid=140992 tid=MainThread file=
init_.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC

Paste your log entries here so we might be able to offer up some assistance, in addition your inputs.conf config would be helpful as well so we can see your postargs... make sure you remove your creds/pass

0 Karma

Motivator

Do you see the threat intelligence files in the directory that is mentioned the 'Threat Intelligence Management' - Data Inputs page?

Eg: In '$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel' directory.

0 Karma