I'm running Splunk Enterprise Security 4.0.1, and trying to import and match against Observables defined using CybOX Regex syntax and stored in a TAXII server. The Observables appear to be importing into ES, but I don't think they're being interpreted as Regular Expressions. Here's the relevant portion of one of the Observables. (I'd attach the whole file, but I apparently don't have enough Karma yet.)
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="NTRS:observable-fb042acb-2427-4c37-9515-cfdfa75aa344">
<cybox:Title>Email : ATTN: Invoice J-[0-9]{6,6}</cybox:Title>
<cybox:Description>Dridex email subject regex</cybox:Description>
<cybox:Object id="NTRS:Email-770c3cec-51dc-4ead-bae4-bc67bed66ae0">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value/>
</EmailMessageObj:From>
<EmailMessageObj:Subject pattern_type="Regex">ATTN: Invoice J-[0-9]{6,6}</EmailMessageObj:Subject>
<EmailMessageObj:User_Agent/>
<EmailMessageObj:X_Mailer/>
</EmailMessageObj:Header>
<EmailMessageObj:Email_Server/>
<EmailMessageObj:Raw_Body><![CDATA[]]></EmailMessageObj:Raw_Body>
<EmailMessageObj:Raw_Header><![CDATA[]]></EmailMessageObj:Raw_Header>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
Is this something that's supposed to work, or can be made to?
Thanks
John
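As an added illustration (not part of the original thread, and not Splunk's or the thread participants' code), the script below parses the Observable quoted above and matches its `EmailMessageObj:Subject` field against a few constructed email subjects, once honouring `pattern_type="Regex"` as CybOX intends and once treating the value as a literal string, which is the behaviour the question suspects. The CybOX/STIX namespace URIs are assumed from the CybOX 2.1 and STIX 1.x schemas, since the quoted fragment uses the prefixes without declaring them; the wrapper element, sample subjects and function names are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs from the CybOX 2.1 / STIX 1.x schemas (assumed; the fragment
# in the question relies on declarations made higher up in the full document).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
NS_DECLS = " ".join('xmlns:%s="%s"' % (p, u) for p, u in NS.items())

# The Observable from the question, wrapped in a constructed root element that
# declares the prefixes so the fragment parses stand-alone.
OBSERVABLE_BODY = """
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="NTRS:observable-fb042acb-2427-4c37-9515-cfdfa75aa344">
<cybox:Title>Email : ATTN: Invoice J-[0-9]{6,6}</cybox:Title>
<cybox:Description>Dridex email subject regex</cybox:Description>
<cybox:Object id="NTRS:Email-770c3cec-51dc-4ead-bae4-bc67bed66ae0">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value/>
</EmailMessageObj:From>
<EmailMessageObj:Subject pattern_type="Regex">ATTN: Invoice J-[0-9]{6,6}</EmailMessageObj:Subject>
<EmailMessageObj:User_Agent/>
<EmailMessageObj:X_Mailer/>
</EmailMessageObj:Header>
<EmailMessageObj:Email_Server/>
<EmailMessageObj:Raw_Body><![CDATA[]]></EmailMessageObj:Raw_Body>
<EmailMessageObj:Raw_Header><![CDATA[]]></EmailMessageObj:Raw_Header>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
"""
OBSERVABLE_XML = "<wrapper " + NS_DECLS + ">" + OBSERVABLE_BODY + "</wrapper>"

# Constructed sample subjects: one that fits the six-digit invoice pattern,
# one that does not, and one unrelated message.
SAMPLE_SUBJECTS = [
    "ATTN: Invoice J-483921",
    "ATTN: Invoice J-12",
    "Your order has shipped",
]


def extract_subject_patterns(xml_text):
    """Return (observable id, pattern_type, pattern) for each Email Subject field.

    pattern_type is None when the attribute is absent, which in CybOX means the
    field holds a plain value rather than a Regex/Binary/XPath pattern.
    """
    root = ET.fromstring(xml_text)
    found = []
    for obs in root.iter("{%s}Observable" % NS["cybox"]):
        for subj in obs.iter("{%s}Subject" % NS["EmailMessageObj"]):
            found.append((obs.get("id"), subj.get("pattern_type"),
                          (subj.text or "").strip()))
    return found


def field_matches(pattern_type, pattern, value):
    """Match one observed value against a CybOX field, honouring pattern_type."""
    if pattern_type == "Regex":
        # Unanchored search, so the pattern may appear anywhere in the subject.
        return re.search(pattern, value) is not None
    # No pattern_type: the CybOX default condition is an exact comparison.
    return pattern == value


def match_subjects(xml_text, subjects, honor_pattern_type=True):
    """Return (observable id, subject) pairs that match.

    With honor_pattern_type=False the pattern is compared as a literal string,
    which reproduces the 'imported but not treated as a regex' behaviour.
    """
    hits = []
    for obs_id, ptype, pat in extract_subject_patterns(xml_text):
        effective_type = ptype if honor_pattern_type else None
        for subject in subjects:
            if field_matches(effective_type, pat, subject):
                hits.append((obs_id, subject))
    return hits


if __name__ == "__main__":
    print("regex-aware:", match_subjects(OBSERVABLE_XML, SAMPLE_SUBJECTS))
    print("literal-only:", match_subjects(OBSERVABLE_XML, SAMPLE_SUBJECTS,
                                          honor_pattern_type=False))
```

Run as written, the regex-aware pass reports the one subject with a six-digit invoice number, while the literal-only pass reports nothing at all, because no real subject line is ever equal to the string `ATTN: Invoice J-[0-9]{6,6}`. That silent zero-match outcome is the failure mode worth checking for when an indicator feed carries `pattern_type="Regex"` fields into a platform that keys on exact string equality.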
ES' Threat Intelligence currently doesn't support regular expression patterns.
Hey Luke - long time no talk. I didn't know you were over at Splunk now. Do you know if this is functionality that's currently on the roadmap?
Thanks
John
It isn't yet. I initiated a discussion with PM and the engineer who wrote it in order to determine how feasible it is.
Awesome! I think this can make a huge difference, as a lot of useful indicators can't be accurately described without this sort of capability.
Thanks a ton, and let me know what gets decided.
John
It's been almost two months... Any update?