Splunk Enterprise Security

Just updated to ES 6.4 and I need to edit a Threat Match Search

stroud_bc
Path Finder

I need to manipulate some fields in the URL threat match search in Splunk ES 6.4, but am at a loss as to how to do so. When viewing the SPL at ES -> Data Enrichment -> Threat Intelligence Management -> Threat Matching, any changes I make to the SPL are not saved, and when I grep for snippets of the threat match search in the splunk/etc directory, I can't find where they are stored.

Our cloud-based web proxy logs do not include the protocol header in the URL field. Since the Web data model requires this and several of our custom threat intelligence sources include it, we need to bridge the gap in order to perform threat matches from the Web.url and Web.http_referrer fields against threat intelligence. Previously, I had directly edited the Threat - URL Matches - Threat Gen search and included some eval statements just before the threat_intel lookups to make the Web.url field into an mvfield including the three protocol headers we see in our threat intelligence, and then mvjoined them into one field for whitelisting later on.

Here are my additions to the original threat gen search:

    | eval url=mvappend("http://".url, "https://".url, "ftp://".url)
    | extract domain_from_url
    | `threatintel_url_lookup(url)`
    | `threatintel_domain_lookup(url_domain)`
    | eval url=mvjoin(url, " ")

It wasn't the prettiest solution, but it was the only one we could come up with to get URL matches out of the Threat Intelligence framework. 

Since the old threat gen searches are deprecated, I replicated this effort with the code shown below for the URL threat match search found at ES -> Data Enrichment -> Threat Intelligence Management -> Threat Matching:

    | eval Web.url=mvappend("http://".'Web.url', "https://".'Web.url', "ftp://".'Web.url')
    | lookup "threatintel_by_url" value as "Web.url" OUTPUT threat_collection as tc0,threat_collection_key as tck0
    | lookup "threatintel_by_url_wildcard" value as "Web.url" OUTPUT threat_collection as tc1,threat_collection_key as tck1
    | eval Web.url=mvjoin('Web.url', " ")

However, I need to save my new version of the threat match search over the existing one. As stated above, I'm not sure how to do this. It seems like the SPL shown at ES -> Data Enrichment -> Threat Intelligence Management -> Threat Matching may be generated based on the various GUI options that are user-configurable. If this is the case, how can I ensure that my web proxy logs can be processed through the threat intelligence framework?


stroud_bc
Path Finder

I resolved this issue by editing the Lookup Gen searches instead. I created a new macro and invoked it twice in each Lookup Gen search, once for url and once for http_referrer (just before they get mvjoined together). It now generates the URL threat intel lookups without the protocol headers, and things are matching up the way they need to.

    rex field=$url$ "((?<url_protocol>[a-zA-Z]*:\/\/))?(?<$url$>.*)" | fields - url_protocol

Hope this helps if anyone else has the same issue.
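As an added example (not from the original post), assume the rex line above has been saved in macros.conf as a one-argument macro named strip_url_protocol (args = url); the macro name and the sample values are assumptions. This search feeds it constructed url and http_referrer values so the macro can be checked with makeresults before it is dropped into the Lookup Gen searches:

```spl
| makeresults count=1
| eval url="https://intel.example/path?id=1", http_referrer="ftp://ref.example/"
| `strip_url_protocol(url)`
| `strip_url_protocol(http_referrer)`
| table url http_referrer url_protocol
```

Both fields should come back without their scheme, and the url_protocol column should be empty because the macro drops it with `fields -`, which confirms the rex overwrote the original field in place.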
