Splunk Enterprise Security: Some dashboards are populated with data, but why not the Threat Activity dashboard?

Engager

The Threat Activity dashboard won't populate in the Splunk Enterprise Security app, although other dashboards (not all) are populated, like the Protocol Center, User Agent and URL Length ones.

I created a list with some malicious IPs and URLs (Bro logs).
The threat list CSVs are populated in the Splunk folder.

When I do | inputlookup threatlist_lookup_by_cidr it returns no results.

It seems that the data is indexed fine and Splunk can create the data models, because I can do searches against the data models.

The Threat_Activity data model keeps saying "building". I assume that's correct?

Does someone know a solution for how to get the Threat Activity dashboard populated?

SplunkTrust

If the Threat data model hasn't completed acceleration, the Threat Activity dashboard is unlikely to show any/complete results, because the tstats commands used to populate the panes only search against summarised data by default.

Engager

Alright, but the data model keeps saying building... There is an asset list, data is indexed, and I tagged the data according to CIM. So I don't understand why some are at 100% and some keep saying building.

It seems to me that something is going wrong with calculating and extracting the fields for the event objects of the Threat Activity data model (derived fields from Asset and Identity correlation), but I can't figure out what.

SplunkTrust

The Threat_Activity data model object used by that dashboard is constrained by: index=threat_activity

Could you please search index=threat_activity for all time to see if anything is in that index?

Engager

Of course! I did the search for all time and it returned no results.

Thanks in advance!

Engager

Hmm.. the problem is with the TA from Bro. Because I indexed some other IDS data and now the data model builds and the dashboard is showing matched IOCs 🙂 I only have to figure out where exactly it went wrong with the Bro data.

SplunkTrust

If the issue is related to the Bro TA: its CIM-tagged eventtypes use searches based on Bro sourcetypes, and those sourcetypes are assigned dynamically at index time based on the name of the file being ingested. So if the Bro events aren't ending up in the data models you're expecting, there are two things to check: that the index-time props/transforms for Bro are on the indexers/heavy forwarders cooking your Bro events, and that the expected filenames (conn.log, bro.conn.log, md5.bro.conn.log, etc.) match the actual names of the files being ingested, so that the events are correctly sourcetyped.

Hope this helps, but it's quite difficult to diagnose without intimate knowledge of your environment. If you can't sort it out, I would certainly open a support case.

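To make the second check in the answer above concrete, here is an added example (not code from this thread, from Splunk or from the Bro TA) that dry-runs a filename-to-sourcetype rule over the names a monitor input would see. The regex and the bro_<type> sourcetype names are assumptions standing in for the TA's real transforms; the file list is constructed. Any path that falls through has no sourcetype, so it never reaches the CIM eventtypes, tags and data models built on that sourcetype, which is exactly the gap that leaves index=threat_activity empty.

```python
import os
import re

# Assumed mapping, NOT the Bro TA's actual props/transforms: it imitates the
# idea of deriving the sourcetype from the ingested file's name for a handful
# of common Bro log types. Compare against the transforms shipped with the TA
# on the indexers/heavy forwarders that cook the Bro events.
BRO_LOG_TYPES = ("conn", "dns", "http", "files", "ssl", "notice", "weird")
_BRO_NAME_RE = re.compile(
    r"(?:^|\.)(?P<log>%s)\.log$" % "|".join(BRO_LOG_TYPES)
)


def expected_bro_sourcetype(path):
    """Return the sourcetype (assumed form 'bro_<type>') that a rule keyed on
    the file name would assign, or None when no rule matches."""
    name = os.path.basename(path)
    m = _BRO_NAME_RE.search(name)
    if m is None:
        return None
    return "bro_" + m.group("log")


def audit_ingested_files(paths):
    """Split ingested paths into those that get a sourcetype and those that
    fall through; the latter never hit the CIM eventtypes, tags and data
    models that depend on the sourcetype."""
    matched = {}
    unmatched = []
    for p in paths:
        st = expected_bro_sourcetype(p)
        if st is None:
            unmatched.append(p)
        else:
            matched[p] = st
    return matched, unmatched


# Constructed sample of file names as a monitor input might see them.
SAMPLE_PATHS = [
    "/nsm/bro/logs/current/conn.log",          # plain name from the answer
    "/nsm/bro/logs/current/bro.conn.log",      # prefixed name from the answer
    "/nsm/bro/logs/current/md5.bro.conn.log",  # double-prefixed name from the answer
    "/nsm/bro/logs/current/dns.log",
    "/nsm/bro/logs/2015-06-01/conn.log.gz",    # rotated/compressed: falls through
    "/nsm/bro/logs/current/conn_summary.log",  # constructed non-standard name
]

if __name__ == "__main__":
    matched, unmatched = audit_ingested_files(SAMPLE_PATHS)
    for p, st in matched.items():
        print("%-45s -> %s" % (p, st))
    for p in unmatched:
        print("%-45s -> NO SOURCETYPE RULE (check props/transforms)" % p)
```

Run it against the real list of files the forwarder is monitoring (for example the Splunk monitor input's paths, or an ls of the Bro log directory) with the regex swapped for the TA's own; every path in the unmatched list is a candidate for the missing events. The same check applied in Splunk itself is a search over the Bro index grouped by sourcetype and source, looking for events that landed with a generic sourcetype instead of a bro_ one.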

Engager

I think it is related to the Bro TA app, because I indexed some McAfee IDS data (eventgen) and the Threat Activity dashboard matches some data with known IOCs. I know the Bro TA supports Bro 2.2 and 2.3 and we use 2.4 internally, so I had to create some aliases, so there must be a wrong configuration somewhere.. I'm still going to try to find out where the problem is.

Thanks a lot for your help and input! If I find out what caused the empty dashboard I will post it 🙂
