I was asked if IOC information from Splunk Enterprise Security could be used as a dataset.
For example, is it possible to use it as follows?
・ Call SplunkES IOC information with SPL and display a list
・ Detect SplunkES IOC information by comparing it with IPs or domains included in various logs.
And, what kind of IOC information does SplunkES have (IP address, UserAgent, domain information, etc.)? Could you tell me if there is a description of it somewhere?
Thank you.
Hi @Msugiyama
Confirmation of the solution is appreciated.
Thank you for the information.
I'll try the API you taught me.
I have little knowledge of Splunk ES, so I am in the process of trial and error.
Also, if I have any concerns, I will post a question.
Best regards,
Hi @Msugiyama
I collected the IOC information from my client with this add-on:
https://splunkbase.splunk.com/app/2964/
This add-on is developed directly by Qualys and can collect the IOC info via REST API in JSON format.
Anyway, the logs are not mapped to any data model; you can use the set of IOC data in your Enterprise Security, but you need to create custom correlation searches.
This is an example log; obviously I masked sensitive info.
action: ESTABLISHED
asset: {
  agentId: **********
  customerId: *****************
  fullOSName: Microsoft Windows 10 Enterprise 10.0.16299 Build 16299
  hostName: *************
  interfaces: [ ... ]
  netBiosName: *********
  platform: Windows
  tags: [
    { name: Cloud Agent, uuid: *********** }
    { name: ********************, uuid: ************************ }
    { name: ****************************, uuid: ************** }
    { name: ******************, uuid: ***************** }
    { name: ************************, uuid: ************************** }
    { name: *************************************, uuid: ************************************* }
    { name: Microsoft Windows 10, uuid: ****************************** }
    { name: Full Disk Encryption Software Detected, uuid: ***************************************** }
    { name: Windows, uuid: ************************************* }
    { name: ***************************************, uuid: ************************************** }
  ]
}
dateTime: **********
eventProcessedTime: *************
eventSource: ********
id: ******************************************
indicator2: [
  {
    category: Trojan
    familyName: DameWare
    rowId: *****************
    score: 10
    sha256: **********************************************
    threatName: Win32.Trojan.DameWare
    verdict: MALICIOUS
  }
]
network: {
  localIP: ::
  localPort: ************
  protocol: UDP
  state: LISTENING
}
process: {
  arguments: -service
  elevated: false
  fullPath: *************\DWRCS.EXE
  parentEventId: ******************************************
  parentPid: 420
  parentProcessName: services.exe
  pid: 4624
  processEventId: R*******************************************
  processFile: {
    certificates: [
      {
        certificateHash: ************************************************
        certificateIssuedTo: SolarWinds, Inc.
        certificateIssuer: VeriSign Class 3 Code Signing 2010 CA
        certificateSigned: true
        certificateSignedDate: 2012-07-10T00:00:00.000+0000
        certificateValid: true
      }
    ]
    fullPath: C:\Windows\dwrcs\DWRCS.EXE
    md5: ********************************************
    moduleName: DWRCS.EXE
    path: C:\Windows\dwrcs
    sha256: ********************************************
    size: 721184
  }
  processName: DWRCS.EXE
  userName: NT AUTHORITY\SYSTEM
}
score: 10
type: NETWORK
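As an added example (not from the original post, the Qualys add-on, or Splunk ES itself), here is what the custom correlation searches mentioned above could look like, built only on the field names visible in the event: indicator2{}.sha256, indicator2{}.threatName, indicator2{}.category, indicator2{}.verdict, score, asset.hostName and process.processFile.fullPath. The index name qualys, the sourcetype qualys:ioc, the lookup file name qualys_ioc_sha256.csv, and the Sysmon index, sourcetype and field names (EventCode, Hashes, Computer, Image, User) are assumptions; replace them with whatever your add-on and endpoint TA actually write. The first search answers the "display a list" question: it expands the indicator2 array one indicator per row, keeps MALICIOUS indicators with score 7 or higher, and (on its last line) stores them as a lookup. The second search is the correlation search: it extracts the SHA-256 from Sysmon process-creation events and joins it against that lookup, so only hashes that Qualys flagged survive.

```spl
index=qualys sourcetype="qualys:ioc"
| spath
| spath path=indicator2{} output=indicator
| mvexpand indicator
| spath input=indicator path=sha256 output=ioc_sha256
| spath input=indicator path=threatName output=threat_name
| spath input=indicator path=category output=threat_category
| spath input=indicator path=verdict output=verdict
| search verdict=MALICIOUS score>=7
| rename "asset.hostName" AS ioc_host, "process.processFile.fullPath" AS ioc_file_path
| eval ioc_sha256=lower(ioc_sha256)
| stats latest(_time) AS last_seen values(ioc_host) AS ioc_host values(ioc_file_path) AS ioc_file_path values(threat_name) AS threat_name values(threat_category) AS threat_category max(score) AS score BY ioc_sha256
| outputlookup qualys_ioc_sha256.csv

index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| rex field=Hashes "SHA256=(?<sha256>[0-9A-Fa-f]{64})"
| eval ioc_sha256=lower(sha256)
| lookup qualys_ioc_sha256.csv ioc_sha256 OUTPUT threat_name threat_category score ioc_host
| where isnotnull(threat_name)
| stats count AS hits min(_time) AS first_seen max(_time) AS last_seen values(Image) AS process_path values(User) AS user BY Computer ioc_sha256 threat_name threat_category score
| rename Computer AS dest
```

Run the first search without its last line to just see the list of IOCs; schedule it with the outputlookup line so the lookup stays current, and save the second search as a correlation search in ES Content Management so each match becomes a notable event. Lowercasing both sides of the join matters because vendors disagree on hash case. One caveat a practitioner should notice from the sample event: the indicator it carries is a file hash (sha256 plus threatName), and network.localIP is the local listening socket of the flagged process, not an IOC. Matching IPs or domains from other logs, as asked in the question, would need events where the indicator itself is an address or a domain; the same lookup-and-join pattern applies, keyed on that field instead of ioc_sha256.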