Splunk Enterprise Security

How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

cdupuis123
Path Finder

1st time configuring a feed in the Splunk App for Enterprise Security and I'm spinning my wheels. HELP 🙂 I have the Soltra server running and downloading the FS-ISAC feed, but how to I set it up in Splunk? By setup, I mean syntax in the Splunk URL & post arguments.

Thanks in advance!

cdupuis123
Path Finder

Getting closer! Splunk says I'm missing collection. Digging through the Soltra documentation again, case I missed something...

2015-11-02 14:36:19,798 ERROR pid=21869 tid=MainThread file=threatlist.py:download_taxii:248 | status="Exception when polling TAXII feed." Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 231, in download_taxii for count, content_block in enumerate(handler.run(args, handler_args)): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/init.py", line 123, in run parsed_args = self.parse_args(args, handler_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/init_.py", line 95, in _parse_args raise TaxiiHandlerException('Invalid arguments for TAXII service (missing collection).') TaxiiHandlerException: Invalid arguments for TAXII service (missing collection).

0 Karma

klaxdal
Contributor

On the Soltra Edge Server:

1) Create your site : This is your connection to FS-ISAC with your various polling rules -
2) In the Feeds TAB create a new feed - This is what Spunk will connect to e.g create a feed called " MYFEED" http://127.0.0.1/taxii-discovery-service .
3) Make sure you have a user name, password and a trust group established

On the Splunk side :
1) your TAXII Server entry= IP address or Host Name of your SOLTRA Box
2) PORT 80
3) /taxii-discovery-service/ e.g. full url would be http://192.xxx.xxx.xxx/taxii-discovery-service/admin.MYFEED
4) Userid = which ever one your created associated to the new feed on Soltra
5) Password = Whatever password

Let me know how you make out .

amalkapuram
New Member

I need help in setting up Soltra credentials on Splunk- Where do I give my Soltra's username and password? In post arguments? Is so, what's the syntax? Please help

0 Karma

aliakseidzianis
Path Finder

Yes, in POST arguments.
collection="system.Default" earliest="-90d" taxii_username="user" taxii_password="pass"

0 Karma

amalkapuram
New Member

Thanks for your help. I see FSISAC data on Splunk Instance when I ssh into it, the feed got downloaded in ".xml" format. Now when I try to search for that data in Threat Activity or any other place I cant find it. How can I confirm that Splunk is able to parse and read this data?

Thanks in advance.

0 Karma

robert_miller
Path Finder

Were you able to figure out how to get ES to read the .xml files?

0 Karma

aliakseidzianis
Path Finder

If ES can pull the Hail a TAXII.com feed directly, why can't it pull FS-ISAC feed too? Why is there a need for Soltra in the middle?

The only obvious difference between hailataxxi and fs-isac is certificate that is required by fs-isac. Is it possible to implement it straight on ES without Soltra?

klaxdal
Contributor

That's a might big feed to pull .. without the Edge box in the middle to set boundaries on dates , times and IOC types you would be pulling quite a bit of data down .. and most of it extraneous .

0 Karma

aliakseidzianis
Path Finder

I agree, FS-ISAC feed it probably not the cleanest, however Soltra does not have more filtering functionality that Splunk does. If Splunk can handle other taxii feeds directly, why would FS-ISAC be different?

You are pulling the exact same feed from Soltra that you are pulling from FS-ISAC, right? Or is there an ability on Soltra to filter it down to a different feed before it is digested by Splunk?

0 Karma

klaxdal
Contributor

No not necessarily -

With FS-ISAC you set up your initial feed on their side at analysis.fsisac.com rather than system.default. from there set up an Edge box to pull your clean , "tuned" FS-ISAC feed local or near to your Splunk instance . This allows you to set date parameters for the pull as well - so your not pulling the whole repository back from 2014 - say just the last 6 months . One can also select which IOC types you want to bring into your Splunk environment .

Additionally on the Edge box that one has set up locally you can add hailataxxi, jigsaw, and Threat Actor as feeds and set parameters for each e.g. only poll the last 24hrs of data starting at a specific date , only pull this subset of IOCs from each STIX repository .

In my opinion much more malleable to point Splunk at feeds that one has control over ( especially not have to download no-applicable IOCs and or ones which are older than 6 months as that's a heck of a lot of data especially if one is searching for IOCs automatically across large data sets )

Just my 2 cents - your mileage my vary

Kristofer

0 Karma

klaxdal
Contributor

So yes - Soltra Edge 2.8.x allows you to filter down before you pull , parse and store into Mongo / Splunk ... not just the FS-ISCA feeds but all your STIX feeds .
I currently pull form 6 different STIX hubs so it is more than useful .

Kristofer

0 Karma

aliakseidzianis
Path Finder

That makes sense. Thanks Kristofer.

0 Karma

klaxdal
Contributor

If fact I would recommend the Edge Server between all of your feeds including Hailataxxi , jigsaw, and Threat Actor Lab - gives you a lot of control about what you bring in as a PROD Threat feed

0 Karma

austinparker
Explorer

I would think the user would be the user that the Splunk instance is running under, is it not, this user already has appropriate file level rights? The user I passed to Soltra should have been a soltra only user. Perhaps my logic is wrong on this?

0 Karma

austinparker
Explorer

I've had some success, but I'm still not quite there. At this point I'm not sure if I've passed the parameters wrong in splunk for if I've done it wrong on Soltra.

This is the message I get from Splunk in ES on the Threat Intelligence Audit

status="Retrieved documents from TAXII feed" count="0" stanza="Soltra Edge" collection="admin.IPWatchlist"

This is better than the error of being stuck on Polling which I had before.

Does this mean I've messed up creating a feed?

Thanks for your time.

0 Karma

klaxdal
Contributor

Austin ,

Make sure the user name ( in this case most likely "admin" judging by your feed name admin,IPWatchlist ) and the password are correct in Splunk and that the User ID has rights set up for the feed in Soltra .

Additionally can you post any relevant log output ? Log files are a must when trying to debug .

Kristofer

0 Karma

cdupuis123
Path Finder

ok this was a complete PITA from the work GO. klaxdal thanks a ton for pointing me in the right direction it was excatly what I was looking for. I still had a couple challenges like my Edge server decided to stop working on Oct 22, then I had the challenge if fighting the 2 factor cert within Edge. I had to hard code the username an password instead of using the cred manager in Splunk? I may try to back that off tomorrow as I was giddy to actually see data in Splunk ES....

0 Karma

klaxdal
Contributor

Alright ! If you need any help msg me .

0 Karma

amalkapuram
New Member

Thanks for your help. I see FSISAC data on Splunk Instance when I ssh into it, the feed got downloaded in ".xml" format. Now when I try to search for that data in Threat Activity or any other place I cant find it. How can I confirm that Splunk is able to parse and read this data?

Thanks in advance.

0 Karma

cdupuis123
Path Finder

NO! I have the edge server still running I've asked several folks on here, on Soltra, and even dug though the fsisac forums and asked an engineer there. I'm sure I have a config issue, but the documentation leaves me stranded. Let me know what you find as I'm to the point now of asking my pro-serve person to ask folks that he has run across!....

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...