Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alien Vault Check OTX

splunkcol
Builder
‎11-25-2023 04:03 PM

Hello

I have installed the add-on "Alien Vault Check OTX".

I would like to know if out of this command where I can query an IP, HASH or domain for indicators of compromise, could someone give me an idea if it is possible to associate it for example to the src_ip or dest_ip field of my firewall logs?

https://apps.splunk.com/app/5422/#/details

splunkcol_0-1700956823013.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎11-25-2023 05:58 PM

Hi @splunkcol,

If you're using Splunk Enterprise Security, see <https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-issue/m-p/579751/highlight/true...>, but review the latest documentation. With that knowledge in hand, you may prefer to use the OTX TAXII feed.

If you're not using Splunk Enterprise Security and simply want to cross-reference your events with the output of the checkotx generating command, use the map command with an existing search. E.g.:

index=firewall
| dedup src_ip
| map search="checkotx $src_ip$" maxsearches=10 ``` increase maxsearches as needed ```

The map command will run one search for each src_ip value (up to 10 values in this example).

If you're feeling adventurous, you could clone and modify checkotx.py to function as an external lookup command. See <https://dev.splunk.com/enterprise/docs/devtools/externallookups/>. You could then use the Splunk lookup command to correlate src_ip to IOCs:

index=firewall
| lookup checkotx ip as src_ip

If written correctly, the external lookup command could add multi-valued created, id, ioc, and name fields to each event with matching IOCs. (Apologies if you're not feeling adventurous. I like to tinker.)

You may also want to look at Add-on for Open Threat Exchange <https://splunkbase.splunk.com/app/4336>. The add-on will index IOCs, from which you can write a scheduled search to generate a local lookup file or KV store collection. The end result would provide functionality similar to the proposed external lookup command described above.

(Edit: I have a vague memory of maybe having written an OTX lookup command one afternoon for a client. If you're interested, we could probably whip one up from scratch pretty quickly in this thread.)

View solution in original post

Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎11-25-2023 05:58 PM

Hi @splunkcol,

If you're using Splunk Enterprise Security, see <https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-issue/m-p/579751/highlight/true...>, but review the latest documentation. With that knowledge in hand, you may prefer to use the OTX TAXII feed.

If you're not using Splunk Enterprise Security and simply want to cross-reference your events with the output of the checkotx generating command, use the map command with an existing search. E.g.:

index=firewall
| dedup src_ip
| map search="checkotx $src_ip$" maxsearches=10 ``` increase maxsearches as needed ```

The map command will run one search for each src_ip value (up to 10 values in this example).

If you're feeling adventurous, you could clone and modify checkotx.py to function as an external lookup command. See <https://dev.splunk.com/enterprise/docs/devtools/externallookups/>. You could then use the Splunk lookup command to correlate src_ip to IOCs:

index=firewall
| lookup checkotx ip as src_ip

If written correctly, the external lookup command could add multi-valued created, id, ioc, and name fields to each event with matching IOCs. (Apologies if you're not feeling adventurous. I like to tinker.)

You may also want to look at Add-on for Open Threat Exchange <https://splunkbase.splunk.com/app/4336>. The add-on will index IOCs, from which you can write a scheduled search to generate a local lookup file or KV store collection. The end result would provide functionality similar to the proposed external lookup command described above.

(Edit: I have a vague memory of maybe having written an OTX lookup command one afternoon for a client. If you're interested, we could probably whip one up from scratch pretty quickly in this thread.)

Reply
Solved! Jump to solution

splunkcol
Builder
‎11-25-2023 08:15 PM

@tscroggins  Thank you very much for your valuable help

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...