- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security 4.0.1: How to import TA...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?
I'm running Splunk Enterprise Security 4.0.1, and trying to import and match against Observables defined using Cybox Regex syntax and stored in a TAXII server. The Observables appear to be importing into ES, but I don't think they're being interpreted as Regular Expressions. Here's the relevant portion of one of the Observables. (I'd attach the whole file, but I apparently don't have enough Karma yet.)
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="NTRS:observable-fb042acb-2427-4c37-9515-cfdfa75aa344">
<cybox:Title>Email : ATTN: Invoice J-[0-9]{6,6}</cybox:Title>
<cybox:Description>Dridex email subject regex</cybox:Description>
<cybox:Object id="NTRS:Email-770c3cec-51dc-4ead-bae4-bc67bed66ae0">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value/>
</EmailMessageObj:From>
<EmailMessageObj:Subject pattern_type="Regex">ATTN: Invoice J-[0-9]{6,6}</EmailMessageObj:Subject>
<EmailMessageObj:User_Agent/>
<EmailMessageObj:X_Mailer/>
</EmailMessageObj:Header>
<EmailMessageObj:Email_Server/>
<EmailMessageObj:Raw_Body><![CDATA[]]></EmailMessageObj:Raw_Body>
<EmailMessageObj:Raw_Header><![CDATA[]]></EmailMessageObj:Raw_Header>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
Is this something that's supposed to work, or can be made to?
Thanks
John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ES' Threat Intelligence currently doesn't support regular expression patterns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Luke - long time no talk. I didn't know you were over at Splunk now. Do you know if this is functionality that's currently on the roadmap?
Thanks
John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It isn't yet. I initiated a discussion with PM and the engineer who wrote it in order to determine how feasible it is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! I think this can make a huge difference, as a lot of useful indicators can't be accurately described without this sort of capability.
Thanks a ton, and let me know what gets decided.
John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's been almost two months... Any update?
New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...
Improve Data Pipelines Using Splunk Data Management
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
