Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About beano501
beano501
Engager
Member since:
03-01-2022
09-23-2024
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 03-01-2022 |
Activity Feed
- Posted For Enterprise Security, Threat Intelligence Management - What is the correct content of a STIX file? on Splunk Enterprise Security. 09-19-2024 05:34 AM
- Tagged For Enterprise Security, Threat Intelligence Management - What is the correct content of a STIX file? on Splunk Enterprise Security. 09-19-2024 05:34 AM
- Posted Re: IPFIX source type not working: No matching ipfix app found? on All Apps and Add-ons. 06-13-2023 06:32 AM
- Karma Re: Creating Tokens in Splunk via GUI for General_Talos. 08-19-2022 01:40 AM
- Posted ESCU and Enterprise Security Incident Review- Why are results inconsistent? on Splunk Enterprise Security. 08-01-2022 10:07 AM
- Tagged ESCU and Enterprise Security Incident Review- Why are results inconsistent? on Splunk Enterprise Security. 08-01-2022 10:07 AM
- Posted Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly. on Getting Data In. 06-06-2022 01:08 AM
- Tagged Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly. on Getting Data In. 06-06-2022 01:08 AM
- Posted Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0, why are Fortigate Events not forwarding correctly? on Getting Data In. 06-01-2022 08:57 AM
- Posted How do I add a CIM Change Model and EventCode 4732 (A member was added to a security-enabled local group) on Splunk Enterprise Security. 03-19-2022 02:52 AM
- Tagged How do I add a CIM Change Model and EventCode 4732 (A member was added to a security-enabled local group) on Splunk Enterprise Security. 03-19-2022 02:52 AM
- Posted Can I inherit from the CIM Model? on Splunk Enterprise Security. 03-01-2022 10:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-22-2024
02:41 PM
1 Karma
Hi @beano501, From the ES documentation at https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Uploadthreatfile: Parsing STIX documents of version 2.0 and version 2.1 parses STIX observable objects such as type: "observed-data" from the threat intelligence document as outlined in the collections.conf configuration file. The STIX pattern syntax used in STIX "indicator" objects and elsewhere is not currently supported. It's implied the parser expects observed-data objects and then reads observable-container objects from the child objects property. It's explicitly stated that pattern syntax is not supported. This is confirmed in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/bin/parsers/stix2_parser.py (not shown), where we can see the parser expects the deprecated objects property inside an observed-data object in both STIX 2.0 and STIX 2.1 documents. We probably want something like this: {
"type": "bundle",
"id": "bundle--50ea61e5-7cce-4a72-a876-bfe45793d235",
"spec_version": "2.0",
"objects": [
{
"type": "threat-actor",
"id": "threat-actor--840bb5cd-af46-4c45-9489-43f7bfe612b8",
"created": "2023-09-08T00:02:39.000Z",
"modified": "2023-09-08T00:02:39.000Z",
"name": "Bad Guys",
"description": "No, really. They are bad guys.",
"labels": [
"uncategorized"
]
},
{
"type": "observed-data",
"id": "observed-data--110847c9-a492-4491-883f-0cea407bb6b1",
"created": "2023-09-08T00:02:39.000Z",
"modified": "2023-09-08T00:02:39.000Z",
"first_observed": "2023-09-08T00:02:39.000Z",
"last_observed": "2023-09-08T00:02:39.000Z",
"number_observed": 1,
"objects": {
"0": {
"type": "ipv4-addr",
"value": "101.38.159.17"
}
}
}
]
} For more information about which properties are mapped from the nested object to the ip_intel collection, see the cited collections.conf file at $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/default/collections.conf: # STIX2 Mappings to ip_intel
# * <collection_field> : <observable-type>.<observable-object-field> - <observable-reference-type>.<reference-object-field>
#
# * ip : ipv4-addr.value
# * : ipv6-addr.value
# * domain : domain-name.value
# * address : None
# * city : None
# * country : None
# * postal_code : None
# * state_prov : None
# * oranization_name : None
# * organization_id : None
# * registration_time : None
# * description : None
# * threat_key : <id of root element>|<simple filename>
# * time : source_processed_time from threat_group_intel
# * weight : Parsed from the stanza if downloaded, or required input from user when uploaded
# * updated : None
# * disabled : false The full list of supported STIX 2.x observed-data objects is: email-message => email_intel ipv4-addr => ip_intel ipv6-addr => ip_intel domain-name => ip_intel file => file_intel network-traffic (with http-request-ext extension) => http_intel process => process_intel process (with windows-service-ext extension) => service_intel windows-registry-key => registry_intel user-account => user_intel x509-certificate => certificate_intel
... View more
06-15-2023
11:40 AM
Yes, luckily we found the issue. In our case, this behavior showing up when reserved template ID (0-255) is received. The issues had been gone when we updated the template ID 256 or larger. Hope this help.
... View more
08-01-2022
11:59 AM
1 Karma
ESCU is a Splunk-supported app so you can submit a Support request about the lack of CIM support. If that doesn't work, try https://ideas.splunk.com
... View more
06-06-2022
01:08 AM
Doh 😞 forcepoint_webprotect,index,proxy_forcepoint
... View more
- Tags:
- Do
03-19-2022
02:52 AM
Running CIM 5.0 and was looking to do some reporting on users/groups added to security groups (information provided by the Windows Security Log event 4732 - but when I look in the Change datamodel, I cannot see the target group of the add in any of the fields.
We are using out of the box Splunk_TA_windows, and Splunk Add-on for Microsoft Windows and I would have hoped that the data model would have been automatically filled with the relevant fields. Am I missing something obvious, or is there something I need to setup myself to get this working?
Thanks
Simon
... View more
- Tags:
- cim
Labels
- Labels:
-
using Enterprise Security
03-01-2022
11:55 AM
@beano501 My recommendation would be not updating the datamodel as much as possible. One way to achieve what you are looking is to using the 'src_interface' and 'dest_interface' fields in https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic . Populate these fields with your values from the firewall logs, which can then be used in your searches. Additionally the mapping can also be used via lookup table to enrich data as necessary. Additionally, I would also suggest you to capture all your firewalls in a lookup within the ES Assets, using appropriate values in 'category' (e.g. internal_fw, external_fw, dmzfw etc..). This would then be available both in your searches and in your datam
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-23-2024
05:48 AM
|
