Splunk Enterprise Security

Splunk ES issue

So76
Explorer

Need help on enterprise security. Is there a way to create a standard TAXII Parser that can do correlation searches of logs coming from Maritime Transportation System ISAC & logs coming from Stash. New to ES and have no idea what's all about. See the issue below, If it'll help. Please advise and help, on what's needed to be done. I am very new to ES. Thanks

 

"A shipping company that gets Intelligence feeds/reports from MTS-ISAC (Maritime Transportation System ISAC)
The MTS-ISAC provides proactive cyber threat intelligence, alerts, warnings, and vulnerability information cultivated from maritime stakeholders and public and private sector shares, open-source intelligence, and cybersecurity news

So it's just a matter of parsing that information so Matson can do correlation searches (correlate it with logs) that are currently coming from Stash"

 

0 Karma
1 Solution

tscroggins
Influencer

@So76 

Splunk Enterprise Security threat intelligence works with TAXII feeds directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Downloadthreatfeed#Add_a_TAXII_feed. You can also upload STIX content directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Uploadthreatfile.

This presentation provides a good overview of the threat intelligence framework: https://conf.splunk.com/files/2017/slides/enterprise-security-biology-dissecting-the-splunk-enterpri....

After adding and enabling TAXII sources, data is parsed and added to an appropriate KV store collection.

A series of threatmatch modular inputs checks CIM data models for matches against threat intelligence. For example, the "url" input looks for threats in the Web data model.

Matches are collected in the threat_activity index and summarized by the Threat Activity data model.

A single correlation search, Threat - Threat List Activity - Rule, creates a notable event when new threat matches are detected.

You'll need to complete three high level steps:

1. Add and enable the MTS-ISAC TAXII feed.
2. Normalize your logs to the appropriate CIM data models, possibly through an existing add-on, and ideally, accelerate the data models.
3. Enable the Threat - Threat List Activity - Rule correlation search.

View solution in original post

0 Karma

tscroggins
Influencer

@So76 

Splunk Enterprise Security threat intelligence works with TAXII feeds directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Downloadthreatfeed#Add_a_TAXII_feed. You can also upload STIX content directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Uploadthreatfile.

This presentation provides a good overview of the threat intelligence framework: https://conf.splunk.com/files/2017/slides/enterprise-security-biology-dissecting-the-splunk-enterpri....

After adding and enabling TAXII sources, data is parsed and added to an appropriate KV store collection.

A series of threatmatch modular inputs checks CIM data models for matches against threat intelligence. For example, the "url" input looks for threats in the Web data model.

Matches are collected in the threat_activity index and summarized by the Threat Activity data model.

A single correlation search, Threat - Threat List Activity - Rule, creates a notable event when new threat matches are detected.

You'll need to complete three high level steps:

1. Add and enable the MTS-ISAC TAXII feed.
2. Normalize your logs to the appropriate CIM data models, possibly through an existing add-on, and ideally, accelerate the data models.
3. Enable the Threat - Threat List Activity - Rule correlation search.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...