Splunk Enterprise Security

Threat intelligence feeds update

new2spl_unk
Explorer

Hi All,

Recently, I installed MISP42Splunk in my environment  in order to integrate MISP with Splunk. Below is the workflow on how I tried to do this. 

1. Pull IOC from MISP and outputlookup to a csv. 

2. Use SPL to format the CSV 

3. outputlookup to xxx_intel like  ip_intel, email_intel. 

But seems like the "threat - gen" search didn't use the updated IOC. May I know if I am doing anything wrong? and how to do it correctly. Thanks. 

 

 

 

Labels (2)
0 Karma

new2spl_unk
Explorer

Is that mean if I can search that IOC on Threat Artifacts no matter the threat_group and threat_category  is undefined or not, the rules is fine? 

0 Karma

General_Talos
Path Finder

Wanted to check if you validated same in

ES APP >> Security Intelligence >> Threat Artifacts

or try this search

| inputlookup append=T service_intel where * 
| `set_threat_collection_name("service_intel")` 
| eval file_name=mvappend(service_file_name,service_dll_file_name), file_path=mvappend(service_file_path, service_dll_file_path), file_hash=mvappend(service_file_hash, service_dll_file_hash) 
| inputlookup append=T process_intel where * 
| `set_threat_collection_name("process_intel")` 
| eval ip=mvappend(src, dest), domain=mvappend(src, dest) 
| inputlookup append=T file_intel where * 
| `set_threat_collection_name("file_intel")` 
| inputlookup append=T certificate_intel where * 
| `set_threat_collection_name("certificate_intel")` 
| mvexpand certificate_serial 
| `get_certificate_serial` 
| eventstats values(certificate_serial) as certificate_serial,values(certificate_serial_clean) as certificate_serial_clean,values(certificate_serial_dec) as certificate_serial_dec by _key 
| dedup _key,threat_collection 
| inputlookup append=T email_intel where * 
| `set_threat_collection_name("email_intel")` 
| inputlookup append=T http_intel where * 
| `set_threat_collection_name("http_intel")` 
| inputlookup append=T ip_intel where * 
| `set_threat_collection_name("ip_intel")` 
| inputlookup append=T registry_intel where * 
| `set_threat_collection_name("registry_intel")` 
| inputlookup append=T user_intel where * 
| fillnull value=0 updated,disabled 
| `set_threat_collection_name("user_intel")` 
| eval file_hash=coalesce(certificate_file_hash,file_hash), src_user=coalesce(certificate_issuer_email,src_user), actual_src_user=coalesce(certificate_subject_email,actual_src_user), ip=coalesce(embedded_ip,ip), domain=coalesce(embedded_domain,domain), file_name=coalesce(process_file_name,file_name), file_path=coalesce(process_file_path,file_path) 
| stats dc(file_hash) as file_hash_count, dc(file_name) as file_name_count, dc(certificate_serial) as certificate_serial_count, dc(certificate_issuer_common_name) as certificate_issuer_common_name_count, dc(src_user) as src_user_count, dc(certificate_issuer_organization) as certificate_issuer_organization_count, dc(certificate_issuer_unit) as certificate_issuer_unit_count, dc(certificate_subject_common_name) as certificate_subject_common_name_count, dc(actual_src_user) as actual_src_user_count, dc(certificate_subject_organization) as certificate_subject_organization_count, dc(certificate_subject_unit) as certificate_subject_unit_count, dc(ip) as ip_count, dc(domain) as domain_count, dc(subject) as subject_count, dc(http_user_agent) as http_user_agent_count, dc(http_referrer) as http_referrer_count, dc(url) as url_count, dc(header) as header_count, dc(process) as process_count, dc(process_handle_name) as process_handle_name_count, dc(registry_path) as registry_path_count, dc(registry_value_name) as registry_value_name_count, dc(registry_value_text) as registry_value_text_count, dc(service) as service_count, dc(user) as user_count by threat_key 
| `get_threat_attribution(threat_key)` 
| search 
| addtotals fieldname=count *_count 
| fields source_id, source_path, source_type, threat_group, threat_category, malware_alias, count 
| sort + threat_group, threat_category, - count
0 Karma

new2spl_unk
Explorer

Thanks for your response. I picked 1 of the IOC in the list and tried to search on Threat Artifacts which can be found. But both threat_group and threat_category is undefined. May I know if it will cause any problem?

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...