Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Just updated to ES 6.4 and I need to edit a Threat Match Search

stroud_bc
Path Finder
‎02-03-2021 08:43 AM

I need to manipulate some fields in the URL threat match search in Splunk ES 6.4, but am at a loss as for how to do so. When viewing the SPL at ES-> Data Enrichment -> Threat Intelligence Management -> Threat Matching , any changes I make to the SPL are not saved, and when I grep for snippits of the threat match search in the splunk/etc directory, I can't find where they are stored. 

Our cloud-based web proxy logs does not include the protocol header in the URL field. Since the Web data model requires this and several of our custom threat intelligence sources include this, we need to bridge the gap in order to perform threat matches from the Web.url and Web.http_referrer fields against threat intelligence. Previously, I had directly edited the Threat - URL Matches - Threat Gen search included some eval statements just before the threat_intel lookups to make the Web.url field into an mvfield including the three protocol headers we see in our threat intelligence, then mvjoining them into one field for whitelisting later on. 

Here's my additions to the original threat gen search:

 

 

 

| eval url=mvappend("http://".url, "https://".url, "ftp://".url)
| extract domain_from_url 
| `threatintel_url_lookup(url)` 
| `threatintel_domain_lookup(url_domain)` 
| eval url=mvjoin(url, " ")

 

 

 

It wasn't the prettiest solution, but it was the only one we could come up with to get URL matches out of the Threat Intelligence framework. 

 

Since the old threat gen searches are deprecated, I replicated this effort with the code shown for the URL threat match search found at ES-> Data Enrichment -> Threat Intelligence Management -> Threat Matching 

 

 

 

    | eval Web.url=mvappend("http://".'Web.url', "https://".'Web.url', "ftp://".'Web.url') 
    | lookup "threatintel_by_url" value as "Web.url" OUTPUT threat_collection as tc0,threat_collection_key as tck0 
    | lookup "threatintel_by_url_wildcard" value as "Web.url" OUTPUT threat_collection as tc1,threat_collection_key as tck1 
    | eval Web.url=mvjoin('Web.url', " ")

 

 

 

However, I need to save my new version of the threat match search over the existing one. As stated above, I'm not sure how to do this. It seems like  the SPL shown at ES-> Data Enrichment -> Threat Intelligence Management -> Threat Matching  may be generated based on the various GUI options that are user-configurable. If this is the case, how can I ensure that my Web Proxy logs can be processed through the threat intelligence framework? 

Labels (2)
0 Karma
Reply

stroud_bc
Path Finder
‎02-16-2021 10:14 AM

I resolved this issue by editing the Lookup Gen searches instead. I created a new macro and invoked it twice in each Lookup Gen search, once for url and once for http_referrer (just before they get mvjoined together), and it now generates the URL threat intel lookups without the protocol headers, and things are matching up the way they need to.

rex field=$url$ "((?<url_protocol>[a-zA-Z]*:\/\/))?(?<$url$>.*)" | fields - url_protocol

Hope this helps if anyone else has the same issue.

 

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...