Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security 4.0.1: How to import TAXII Observables defined Using Cybox Regex Syntax?

johnmccash
Explorer
‎02-17-2016 01:43 PM

I'm running Splunk Enterprise Security 4.0.1, and trying to import and match against Observables defined using Cybox Regex syntax and stored in a TAXII server. The Observables appear to be importing into ES, but I don't think they're being interpreted as Regular Expressions. Here's the relevant portion of one of the Observables. (I'd attach the whole file, but I apparently don't have enough Karma yet.)

<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="NTRS:observable-fb042acb-2427-4c37-9515-cfdfa75aa344">
        <cybox:Title>Email : ATTN: Invoice J-[0-9]{6,6}</cybox:Title>
        <cybox:Description>Dridex email subject regex</cybox:Description>
        <cybox:Object id="NTRS:Email-770c3cec-51dc-4ead-bae4-bc67bed66ae0">
            <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
                <EmailMessageObj:Header>
                    <EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
                        <AddressObj:Address_Value/>
                    </EmailMessageObj:From>
                    <EmailMessageObj:Subject pattern_type="Regex">ATTN: Invoice J-[0-9]{6,6}</EmailMessageObj:Subject>
                    <EmailMessageObj:User_Agent/>
                    <EmailMessageObj:X_Mailer/>
                </EmailMessageObj:Header>
                <EmailMessageObj:Email_Server/>
                <EmailMessageObj:Raw_Body><![CDATA[]]></EmailMessageObj:Raw_Body>
                <EmailMessageObj:Raw_Header><![CDATA[]]></EmailMessageObj:Raw_Header>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</stix:Observables>

Is this something that's supposed to work, or can be made to?

Thanks
John

Reply

LukeMurphey
Champion
‎02-17-2016 02:17 PM

ES' Threat Intelligence currently doesn't support regular expression patterns.

0 Karma
Reply

johnmccash
Explorer
‎02-18-2016 11:12 AM

Hey Luke - long time no talk. I didn't know you were over at Splunk now. Do you know if this is functionality that's currently on the roadmap?
Thanks
John

0 Karma
Reply

LukeMurphey
Champion
‎02-19-2016 10:58 AM

It isn't yet. I initiated a discussion with PM and the engineer who wrote it in order to determine how feasible it is.

0 Karma
Reply

johnmccash
Explorer
‎02-29-2016 07:34 AM

Awesome! I think this can make a huge difference, as a lot of useful indicators can't be accurately described without this sort of capability.
Thanks a ton, and let me know what gets decided.
John

0 Karma
Reply

johnmccash
Explorer
‎04-15-2016 08:08 AM

It's been almost two months... Any update?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...