Splunk Enterprise Security

Why is "Threat file_intel" not capturing hash values from the Splunk search result?

sayantabasak
Explorer

Hello,

I wanted to reach out to you for assistance on Splunk ES threat_intel searches.

Objective:
We have endpoint security logs coming into our Splunk with file hash values. We want these hash values to match against our threat intel feeds (local/downloaded) and flag them as part of the ThreatActivityDetected search.

Action taken:
We have picked up some of the most noisy hash values and updated them in the local threat file_intel CSV in order to test for a positive match.

Observation:
Our threat logs are getting fed into the Malware datamodel, and "local threat file_intel" holds the hash we uploaded manually. But we do not see these matching as part of the threat intelligence datamodel. We assumed the threat collect search would pick up any matching hash (with the threat intel data) in search data, but it did not.

Note: We do see the matching data as part of the sample search below, which is CIM compliant:

|datamodel Malware Malware_Attacks search | `file_intel` | search file_hash = our hash value

but somehow threat intel is unable to capture it and flag it.

Is there any threat collect search I need to edit?

Any leads on solving this would be appreciated.

Regards

Suirand1
Explorer

I am in the same situation. The Endpoint filesystem datamodel has file_hash and file_name values. I do see those values uploaded to the Threat Artifacts dashboard successfully. However, threat intel is not hitting it for some reason. Any help would be appreciated.
