Splunk Enterprise Security

Splunk ES issue

So76
Explorer

Need help on Enterprise Security. Is there a way to create a standard TAXII parser that can do correlation searches of logs coming from the Maritime Transportation System ISAC and logs coming from Stash? New to ES and have no idea what it's all about. See the issue below, if it helps. Please advise on what needs to be done. I am very new to ES. Thanks.


"A shipping company that gets intelligence feeds/reports from MTS-ISAC (Maritime Transportation System ISAC).
The MTS-ISAC provides proactive cyber threat intelligence, alerts, warnings, and vulnerability information cultivated from maritime stakeholders and public and private sector shares, open-source intelligence, and cybersecurity news.

So it's just a matter of parsing that information so Matson can do correlation searches (correlate it with logs) that are currently coming from Stash."


1 Solution

tscroggins
Influencer

@So76 

Splunk Enterprise Security threat intelligence works with TAXII feeds directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Downloadthreatfeed#Add_a_TAXII_feed. You can also upload STIX content directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Uploadthreatfile.

This presentation provides a good overview of the threat intelligence framework: https://conf.splunk.com/files/2017/slides/enterprise-security-biology-dissecting-the-splunk-enterpri....

After adding and enabling TAXII sources, data is parsed and added to an appropriate KV store collection.

A series of threatmatch modular inputs checks CIM data models for matches against threat intelligence. For example, the "url" input looks for threats in the Web data model.

Matches are collected in the threat_activity index and summarized by the Threat Activity data model.

A single correlation search, Threat - Threat List Activity - Rule, creates a notable event when new threat matches are detected.

You'll need to complete three high-level steps:

1. Add and enable the MTS-ISAC TAXII feed.
2. Normalize your logs to the appropriate CIM data models, possibly through an existing add-on, and ideally, accelerate the data models.
3. Enable the Threat - Threat List Activity - Rule correlation search.

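As an added illustration (not Splunk's code and not part of the poster's answer), here is the pipeline tscroggins describes, reduced to its essentials in Python: STIX indicators from a constructed TAXII bundle are flattened into a lookup collection, matched against constructed CIM Web-model events the way the threatmatch inputs do, and emitted as threat_activity-style records. The STIX-to-CIM field mapping and the output field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed STIX 2.1 indicator objects, shaped like what a TAXII collection returns.
STIX_INDICATORS = [
    {"type": "indicator", "id": "indicator--example-1",
     "pattern": "[url:value = 'http://malicious.example/dl.php']"},
    {"type": "indicator", "id": "indicator--example-2",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": "indicator--example-3",
     "pattern": "[domain-name:value = 'bad.example']"},
]

# Assumed mapping from STIX object properties to the CIM Web data model fields
# that a threatmatch input would compare against.
STIX_TO_CIM = {"url:value": "url", "ipv4-addr:value": "dest", "domain-name:value": "dest"}

# Simple equality patterns only: [object:property = 'value']
PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.]+)\s*=\s*'([^']+)'\s*\]")

def build_collection(indicators):
    """Flatten STIX patterns into {cim_field: {value: indicator_id}}, like a KV store lookup."""
    collection = defaultdict(dict)
    for ind in indicators:
        m = PATTERN_RE.fullmatch(ind["pattern"].strip())
        if not m or m.group(1) not in STIX_TO_CIM:
            continue  # compound or unsupported patterns are skipped in this illustration
        collection[STIX_TO_CIM[m.group(1)]][m.group(2).lower()] = ind["id"]
    return collection

# Constructed events already normalized to the CIM Web data model by an add-on.
WEB_EVENTS = [
    {"_time": 1, "src": "10.0.0.5", "dest": "bad.example", "url": "http://bad.example/index"},
    {"_time": 2, "src": "10.0.0.9", "dest": "203.0.113.7", "url": "http://203.0.113.7/x"},
    {"_time": 3, "src": "10.0.0.5", "dest": "intranet", "url": "http://malicious.example/dl.php"},
    {"_time": 4, "src": "10.0.0.7", "dest": "cdn.example", "url": "http://cdn.example/ok.js"},
]

def threatmatch(events, collection):
    """Emit one threat-activity record per (event, field) hit; field names are assumed."""
    matches = []
    for ev in events:
        for field, values in collection.items():
            hit = values.get(str(ev.get(field, "")).lower())
            if hit:
                matches.append({"_time": ev["_time"], "src": ev["src"],
                                "threat_match_field": field,
                                "threat_match_value": ev[field], "threat_key": hit})
    return matches
```

In ES the records produced by this kind of match land in the threat_activity index, and the Threat - Threat List Activity - Rule correlation search turns new ones into notable events.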
