Splunk Enterprise Security

Threat intelligence feeds update

new2spl_unk
Explorer

Hi All,

Recently, I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the workflow I tried.

1. Pull IOCs from MISP and outputlookup to a CSV.

2. Use SPL to format the CSV.

3. outputlookup to xxx_intel, like ip_intel, email_intel.

But it seems like the "threat - gen" search didn't use the updated IOCs. May I know if I am doing anything wrong, and how to do it correctly? Thanks.
0 Karma

new2spl_unk
Explorer

Does that mean that if I can find that IOC in Threat Artifacts, whether or not threat_group and threat_category are undefined, the rules are fine?

0 Karma

General_Talos
Path Finder

Wanted to check if you validated the same in

ES APP >> Security Intelligence >> Threat Artifacts

or try this search:

| inputlookup append=T service_intel where * 
| `set_threat_collection_name("service_intel")` 
| eval file_name=mvappend(service_file_name,service_dll_file_name), file_path=mvappend(service_file_path, service_dll_file_path), file_hash=mvappend(service_file_hash, service_dll_file_hash) 
| inputlookup append=T process_intel where * 
| `set_threat_collection_name("process_intel")` 
| eval ip=mvappend(src, dest), domain=mvappend(src, dest) 
| inputlookup append=T file_intel where * 
| `set_threat_collection_name("file_intel")` 
| inputlookup append=T certificate_intel where * 
| `set_threat_collection_name("certificate_intel")` 
| mvexpand certificate_serial 
| `get_certificate_serial` 
| eventstats values(certificate_serial) as certificate_serial,values(certificate_serial_clean) as certificate_serial_clean,values(certificate_serial_dec) as certificate_serial_dec by _key 
| dedup _key,threat_collection 
| inputlookup append=T email_intel where * 
| `set_threat_collection_name("email_intel")` 
| inputlookup append=T http_intel where * 
| `set_threat_collection_name("http_intel")` 
| inputlookup append=T ip_intel where * 
| `set_threat_collection_name("ip_intel")` 
| inputlookup append=T registry_intel where * 
| `set_threat_collection_name("registry_intel")` 
| inputlookup append=T user_intel where * 
| fillnull value=0 updated,disabled 
| `set_threat_collection_name("user_intel")` 
| eval file_hash=coalesce(certificate_file_hash,file_hash), src_user=coalesce(certificate_issuer_email,src_user), actual_src_user=coalesce(certificate_subject_email,actual_src_user), ip=coalesce(embedded_ip,ip), domain=coalesce(embedded_domain,domain), file_name=coalesce(process_file_name,file_name), file_path=coalesce(process_file_path,file_path) 
| stats dc(file_hash) as file_hash_count, dc(file_name) as file_name_count, dc(certificate_serial) as certificate_serial_count, dc(certificate_issuer_common_name) as certificate_issuer_common_name_count, dc(src_user) as src_user_count, dc(certificate_issuer_organization) as certificate_issuer_organization_count, dc(certificate_issuer_unit) as certificate_issuer_unit_count, dc(certificate_subject_common_name) as certificate_subject_common_name_count, dc(actual_src_user) as actual_src_user_count, dc(certificate_subject_organization) as certificate_subject_organization_count, dc(certificate_subject_unit) as certificate_subject_unit_count, dc(ip) as ip_count, dc(domain) as domain_count, dc(subject) as subject_count, dc(http_user_agent) as http_user_agent_count, dc(http_referrer) as http_referrer_count, dc(url) as url_count, dc(header) as header_count, dc(process) as process_count, dc(process_handle_name) as process_handle_name_count, dc(registry_path) as registry_path_count, dc(registry_value_name) as registry_value_name_count, dc(registry_value_text) as registry_value_text_count, dc(service) as service_count, dc(user) as user_count by threat_key 
| `get_threat_attribution(threat_key)` 
| search 
| addtotals fieldname=count *_count 
| fields source_id, source_path, source_type, threat_group, threat_category, malware_alias, count 
| sort + threat_group, threat_category, - count
0 Karma

new2spl_unk
Explorer

Thanks for your response. I picked one of the IOCs in the list and searched for it in Threat Artifacts, where it can be found. But both threat_group and threat_category are undefined. May I know if this will cause any problems?

0 Karma