Splunk Enterprise

How to convert splunk event to stix 2.1 json

ting00525
New Member

How can I convert a Splunk event to STIX 2.1 JSON?

I am thinking of connecting to a SOC center.

Now I use Splunk Enterprise.

How can I do this?

Is there any app that can convert?


dtburrows3
Builder

You should be able to utilize built-in Splunk JSON commands and/or JSON functions to build out valid STIX 2.1 objects from Splunk events.

Here is some sample SPL to give you an example of how to build out the JSON from individual fields in Splunk.

| makeresults
    | fields - _time
    ``` gen properties data ```
    | eval 
        enum=split("attack-pattern|campaign", "|"),
        description="The type of this object, which MUST be the literal `attack-pattern`.",
        type="string"
    | tojson str(enum) str(type) str(description) output_field=properties
    | fields - enum, type, description
    ``` gen ID data ```
    | eval
        title="id",
        pattern="^attack-pattern--"
    | tojson str(title) str(pattern) output_field=id
    | fields - title, pattern
    ``` gen Name data ```
    | eval
        type="string",
        description="The name used to identify the Attack Pattern."
    | tojson str(type) str(description) output_field=name
    | fields - type, description
    ``` gen description data ```
    | eval
        type="string",
        description="A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics."
    | tojson str(type) str(description) output_field=description
    | fields - type, description
    ``` gen kill_chain_phases data ```
    | eval
        "$ref"="../common/kill-chain-phase.json"
    | tojson str($ref) output_field=items
    | fields - "$ref"
    | eval
        type="array",
        description="The list of kill chain phases for which this attack pattern is used.",
        minItems=1
    | tojson str(type) str(description) json(items) num(minItems) output_field=kill_chain_phases
    | fields - minItems, items, description, type
    | tojson json(properties) json(type) json(id) json(name) json(description) json(kill_chain_phases) output_field=allOf
    | fields - properties, type, id, name, description, kill_chain_phases
    | eval
        ref="../common/core.json"
    | tojson str(ref) output_field=allOf_2
    | eval
        allOf=mvappend(
            'allOf_2',
            'allOf'
            )
    | fields - allOf_2
    | eval
        required="name",
        type="object",
        description="Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. ",
        title="attack-pattern",
        "$schema"="http://json-schema.org/draft-04/schema#"
    | tojson str($schema) str(title) str(description) str(type) json(allOf) str(required) output_field=stix_2_payload
    | fields + stix_2_payload

For this example I used a generative command to put together sample data first, but if you are building from a Splunk event then the fields should all be derived from _raw or already extracted. The example is more of a demonstration of how to build a valid STIX 2.1 JSON object using Splunk.

Below is the JSON object built out from the SPL above.

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "allOf": [
        {
            "ref": "../common/core.json"
        },
        {
            "id": {
                "pattern": "^attack-pattern--",
                "title": "id"
            },
            "kill_chain_phases": {
                "description": "The list of kill chain phases for which this attack pattern is used.",
                "items": {
                    "$ref": "../common/kill-chain-phase.json"
                },
                "minItems": 1,
                "type": "array"
            },
            "name": {
                "description": "The name used to identify the Attack Pattern.",
                "type": "string"
            },
            "properties": {
                "description": "The type of this object, which MUST be the literal `attack-pattern`.",
                "enum": [
                    "attack-pattern",
                    "campaign"
                ],
                "type": "string"
            }
        }
    ],
    "description": "Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. ",
    "required": "name",
    "title": "attack-pattern",
    "type": "object"
}
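As an added example, not code from the thread or from Splunk: the same idea carried out in Python for a SOC hand-off. It takes one Splunk event (a plain dict of field names to values, as the Splunk SDK results reader or an exported CSV row would give) and emits a STIX 2.1 bundle containing an attack-pattern, an indicator with a STIX pattern for the source address, the ipv4-addr observable and the relationship between them, then checks the common properties the 2.1 spec requires (type, spec_version "2.1", a "<type>--<uuid>" id, created/modified timestamps). The SAMPLE_EVENT and its field names (src_ip, signature, description) are constructed for the example.

```python
"""Turn one Splunk event into a STIX 2.1 bundle (added example, not thread code).
Assumes the event is a dict of field -> value; field names here are hypothetical."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier form: "<object-type>--<uuid>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Namespace the STIX 2.1 spec assigns for deterministic (UUIDv5) SCO ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
SCO_TYPES = {"ipv4-addr"}  # observables carry no created/modified

# Constructed Splunk event; values and field names are made up for this example.
SAMPLE_EVENT = {
    "_time": "1718000000.123",
    "src_ip": "203.0.113.5",
    "signature": "Brute Force",
    "description": "Repeated failed logins from one source address",
}

def stix_timestamp(epoch):
    """RFC 3339 UTC timestamp, millisecond precision, 'Z' suffix (STIX 2.1 form)."""
    dt = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def stix_literal(value):
    """Quote a value for a STIX pattern: backslash and single quote are the
    only characters that need escaping inside a pattern string literal."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"

def sco_id(obj_type, id_props):
    """Deterministic SCO id: UUIDv5 over canonical JSON of the ID-contributing properties."""
    canonical = json.dumps(id_props, sort_keys=True, separators=(",", ":"))
    return f"{obj_type}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"

def common_props(obj_type, ts):
    """Properties STIX 2.1 requires on every SDO and SRO (UUIDv4 ids for these)."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}

def bundle_from_event(event):
    """Attack Pattern + Indicator + ipv4-addr SCO + the Relationship linking them."""
    ts = stix_timestamp(event["_time"])
    # Reject anything that is not an IPv4 address before it reaches the pattern.
    addr = str(ipaddress.IPv4Address(event["src_ip"]))

    attack_pattern = common_props("attack-pattern", ts)
    attack_pattern["name"] = event["signature"]  # the only required AP property
    attack_pattern["description"] = event.get("description", "")

    indicator = common_props("indicator", ts)
    indicator.update({
        "name": f"Source of {event['signature']}",
        "pattern": f"[ipv4-addr:value = {stix_literal(addr)}]",
        "pattern_type": "stix",
        "valid_from": ts,
    })

    ip_obj = {"type": "ipv4-addr", "spec_version": "2.1",
              "id": sco_id("ipv4-addr", {"value": addr}), "value": addr}

    rel = common_props("relationship", ts)
    rel.update({"relationship_type": "indicates",
                "source_ref": indicator["id"], "target_ref": attack_pattern["id"]})

    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [attack_pattern, indicator, ip_obj, rel]}

def validate_object(obj):
    """Return a list of problems with the common properties (empty list means OK)."""
    problems = [f"missing {p}" for p in ("type", "spec_version", "id") if p not in obj]
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    obj_id = obj.get("id", "")
    if not STIX_ID_RE.match(obj_id):
        problems.append(f"malformed id {obj_id!r}")
    elif not obj_id.startswith(obj.get("type", "") + "--"):
        problems.append("id prefix does not match type")
    if obj.get("type") not in SCO_TYPES:
        problems += [f"missing {p}" for p in ("created", "modified") if p not in obj]
    return problems

if __name__ == "__main__":
    bundle = bundle_from_event(SAMPLE_EVENT)
    for obj in bundle["objects"]:
        assert not validate_object(obj), validate_object(obj)
    print(json.dumps(bundle, indent=2))
```

The observable gets a deterministic UUIDv5 id, so exporting the same address twice yields the same object and the receiving platform can de-duplicate; the SDOs get fresh UUIDv4 ids, which is the spec's recommendation. The value that lands in the STIX pattern is validated as an IPv4 address first and quoted through stix_literal, so a Splunk field containing a quote or backslash cannot break the pattern syntax.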