Hi Splunkers,
I would like to know how to use the threat feed which I have added using Threat Intelligence Downloads in Enterprise Security.
I have added the Dell secure attack DB, and this is the URL from which I can fetch data, using Configure -> Data Enrichment -> Threat Intelligence Downloads.
I am able to see the download status of the data from the above URL under Audit -> Threat Intelligence Audit. It is downloaded successfully, and I can also see the data under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel.
I would like to look up the data in the file downloaded from the URL against my organization's data.
Kindly let me know how to do that; I would also like to create alerts if anything matches the data residing in the threat feed downloaded from Dell.
Thanks in advance.
Your response would be very much appreciated.
Hello @Thambisetty_balaji
The threat intel framework in ES will write to different lookups/collections depending on the type of data contained in your source intel. Those lookups are like any other lookup in Splunk, so you should be able to run any of the following (note the backticks; these are macros that expand to lookup commands):
| `service_intel`
| `process_intel`
| `file_intel`
| `registry_intel`
| `user_intel`
| `email_intel`
| `certificate_intel`
| `ip_intel`
Those each relate to a specific threat intel collection based on its category. The most common intel we normally see are IP addresses and domains (in the ip_intel collection), but without knowing your source data I can't tell you what collections it's writing to. That said, you can also use the "Advanced Threat > Threat Artifacts" page in ES to narrow down and see what collections your intel is populating (there's even a handy drop-down menu where you can select the source you created).
Also, matching is already done for you in a few correlation rules, but if you build more, you should share them with the community.
Thanks for your support. It is working fine now.
I have another problem. I would like to skip the header, as the downloaded file is a CSV that includes a header row.
I set the skip header value to 1, but I still see headers in my threat data.
Please help me out.
Hi Balaji, were you able to sort this out? I am having a similar issue. Also, is your Enterprise Security installed on a search head cluster?
Yes, I was able to sort this out. My search head is not in a search head cluster.
Thanks kchamplin for your swift response.
I could not see my threat feed under "Advanced Threat -> Threat Artifacts", but I am able to see the csv file under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel.
The file contains 8 fields: watchlist, domain (IP), country, latitude, threat, reason.
I would like to see the csv file the way we see it in Splunk by using "|inputlookup csvfile.csv".
Nothing is displayed when I run ip_intel.
The threat intelligence download downloads data every 12 hours, and it's not accumulating; it replaces the file instead.
Thanks again,
Probably you need to try to run it like this:
| inputlookup ip_intel
For your organisation's firewall:
index=firewall [| inputlookup ip_intel]
Depending on how the data is formatted, my guess is that the framework is not able to match your fields to the field names required by each collection. In the input page for the threat intelligence download you will likely need to set the following:
Delimiting Regular Expression: leave this blank
Extracting Regular Expression: you will need to create capture groups for each field needed by the threat intel framework - for example (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) would be a way to extract an IP address...
Fields: you then map your capture groups to the field names in the framework - for example ip:"$1",description:"Dell Threat"; that will map the previous field extraction ($1) to the ip field name for the framework.
Once this is set up, the framework will be able to parse the data appropriately and write to a collection. That will then allow you to use inputlookup, but it will be
|inputlookup ip_intel
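As an added illustration (not Splunk's or ES's own code), the following Python simulates what the Extracting Regular Expression and Fields settings above do to a constructed feed in the six-column shape the poster described, then matches the resulting ip/description records against constructed firewall events the way the `index=firewall [| inputlookup ip_intel]` search would. The feed contents, the extra $2/$3 groups in the description template and the src_ip/dest_ip field names are assumptions.

```python
import re

# Constructed sample feed in the shape described above (watchlist, domain(IP), country,
# latitude, threat, reason); line 1 is the header row the poster wants skipped.
SAMPLE_FEED = """watchlist,domain,country,latitude,threat,reason
dell_attackers,203.0.113.45,US,37.77,scanner,brute force
dell_attackers,198.51.100.7,DE,52.52,c2,malware callback
dell_attackers,not-an-ip.example,FR,48.85,phish,credential harvesting
"""

# Extracting regex: one capture group per value the framework needs ($1 = IP, $2 = threat,
# $3 = reason). Dots are escaped so "." only matches a literal dot, not any character.
EXTRACT_REGEX = r"^[^,]*,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),[^,]*,[^,]*,([^,]*),(.*)$"

# Fields setting in the same name:"value" style as the ES input page; $n refers to a group.
# Using $2/$3 inside the description is an assumption added for this illustration.
FIELDS_SETTING = 'ip:"$1",description:"Dell Threat: $2 ($3)"'


def parse_fields_setting(spec):
    """Turn 'name:"value",name:"value"' into a dict of field name -> template."""
    return dict(re.findall(r'(\w+):"([^"]*)"', spec))


def extract_intel(feed_text, extract_regex, fields_setting, skip_header=1):
    """Apply the extracting regex line by line and map capture groups to field names.

    Lines that do not match (a header row, or a hostname where an IP is expected)
    are dropped, so even a header that survives skip_header never becomes a record.
    """
    pattern = re.compile(extract_regex)
    templates = parse_fields_setting(fields_setting)
    records = []
    for line in feed_text.splitlines()[skip_header:]:
        m = pattern.match(line)
        if not m:
            continue

        def subst(template, match=m):
            # Replace each $n with the text captured by group n.
            return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)

        records.append({name: subst(tmpl) for name, tmpl in templates.items()})
    return records


def match_firewall_events(intel, events, ip_fields=("src_ip", "dest_ip")):
    """Return (event, intel record) pairs where an event IP is on the threat list.

    A hit here is the alerting condition a correlation search would fire on.
    """
    by_ip = {rec["ip"]: rec for rec in intel}
    return [(ev, by_ip[ev[f]]) for ev in events for f in ip_fields if ev.get(f) in by_ip]
```

Because the regex requires a dotted-quad IP in the second column, the header row is discarded by the match itself, which is the behaviour to expect once the extracting regex is set regardless of the skip header count.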