Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise Security
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Threat intelligence feeds update
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Threat intelligence feeds update
new2spl_unk
Explorer
01-12-2021
12:34 AM
Hi All,
Recently, I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the workflow on how I tried to do this.
1. Pull IOC from MISP and outputlookup to a csv.
2. Use SPL to format the CSV
3. outputlookup to xxx_intel like ip_intel, email_intel.
But seems like the "threat - gen" search didn't use the updated IOC. May I know if I am doing anything wrong? and how to do it correctly. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
new2spl_unk
Explorer
01-14-2021
12:48 AM
Is that mean if I can search that IOC on Threat Artifacts no matter the threat_group and threat_category is undefined or not, the rules is fine?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
General_Talos
Path Finder
01-12-2021
01:20 AM
Wanted to check if you validated same in
ES APP >> Security Intelligence >> Threat Artifacts
or try this search
| inputlookup append=T service_intel where *
| `set_threat_collection_name("service_intel")`
| eval file_name=mvappend(service_file_name,service_dll_file_name), file_path=mvappend(service_file_path, service_dll_file_path), file_hash=mvappend(service_file_hash, service_dll_file_hash)
| inputlookup append=T process_intel where *
| `set_threat_collection_name("process_intel")`
| eval ip=mvappend(src, dest), domain=mvappend(src, dest)
| inputlookup append=T file_intel where *
| `set_threat_collection_name("file_intel")`
| inputlookup append=T certificate_intel where *
| `set_threat_collection_name("certificate_intel")`
| mvexpand certificate_serial
| `get_certificate_serial`
| eventstats values(certificate_serial) as certificate_serial,values(certificate_serial_clean) as certificate_serial_clean,values(certificate_serial_dec) as certificate_serial_dec by _key
| dedup _key,threat_collection
| inputlookup append=T email_intel where *
| `set_threat_collection_name("email_intel")`
| inputlookup append=T http_intel where *
| `set_threat_collection_name("http_intel")`
| inputlookup append=T ip_intel where *
| `set_threat_collection_name("ip_intel")`
| inputlookup append=T registry_intel where *
| `set_threat_collection_name("registry_intel")`
| inputlookup append=T user_intel where *
| fillnull value=0 updated,disabled
| `set_threat_collection_name("user_intel")`
| eval file_hash=coalesce(certificate_file_hash,file_hash), src_user=coalesce(certificate_issuer_email,src_user), actual_src_user=coalesce(certificate_subject_email,actual_src_user), ip=coalesce(embedded_ip,ip), domain=coalesce(embedded_domain,domain), file_name=coalesce(process_file_name,file_name), file_path=coalesce(process_file_path,file_path)
| stats dc(file_hash) as file_hash_count, dc(file_name) as file_name_count, dc(certificate_serial) as certificate_serial_count, dc(certificate_issuer_common_name) as certificate_issuer_common_name_count, dc(src_user) as src_user_count, dc(certificate_issuer_organization) as certificate_issuer_organization_count, dc(certificate_issuer_unit) as certificate_issuer_unit_count, dc(certificate_subject_common_name) as certificate_subject_common_name_count, dc(actual_src_user) as actual_src_user_count, dc(certificate_subject_organization) as certificate_subject_organization_count, dc(certificate_subject_unit) as certificate_subject_unit_count, dc(ip) as ip_count, dc(domain) as domain_count, dc(subject) as subject_count, dc(http_user_agent) as http_user_agent_count, dc(http_referrer) as http_referrer_count, dc(url) as url_count, dc(header) as header_count, dc(process) as process_count, dc(process_handle_name) as process_handle_name_count, dc(registry_path) as registry_path_count, dc(registry_value_name) as registry_value_name_count, dc(registry_value_text) as registry_value_text_count, dc(service) as service_count, dc(user) as user_count by threat_key
| `get_threat_attribution(threat_key)`
| search
| addtotals fieldname=count *_count
| fields source_id, source_path, source_type, threat_group, threat_category, malware_alias, count
| sort + threat_group, threat_category, - count- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
new2spl_unk
Explorer
01-20-2021
12:57 AM
Thanks for your response. I picked 1 of the IOC in the list and tried to search on Threat Artifacts which can be found. But both threat_group and threat_category is undefined. May I know if it will cause any problem?
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
