Splunk Enterprise Security

Splunk ES issue

So76
Explorer

Need help on Enterprise Security. Is there a way to create a standard TAXII parser that can do correlation searches of logs coming from the Maritime Transportation System ISAC and logs coming from Stash? I'm new to ES and have no idea what it's all about. See the issue below, if it helps. Please advise and help on what needs to be done. I am very new to ES. Thanks


"A shipping company that gets Intelligence feeds/reports from MTS-ISAC (Maritime Transportation System ISAC)
The MTS-ISAC provides proactive cyber threat intelligence, alerts, warnings, and vulnerability information cultivated from maritime stakeholders and public and private sector shares, open-source intelligence, and cybersecurity news

So it's just a matter of parsing that information so Matson can do correlation searches (correlate it with logs) that are currently coming from Stash"


0 Karma
1 Solution

tscroggins
Motivator

@So76 

Splunk Enterprise Security threat intelligence works with TAXII feeds directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Downloadthreatfeed#Add_a_TAXII_feed. You can also upload STIX content directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Uploadthreatfile.

This presentation provides a good overview of the threat intelligence framework: https://conf.splunk.com/files/2017/slides/enterprise-security-biology-dissecting-the-splunk-enterpri....

After adding and enabling TAXII sources, data is parsed and added to an appropriate KV store collection.

A series of threatmatch modular inputs checks CIM data models for matches against threat intelligence. For example, the "url" input looks for threats in the Web data model.

Matches are collected in the threat_activity index and summarized by the Threat Activity data model.

A single correlation search, Threat - Threat List Activity - Rule, creates a notable event when new threat matches are detected.

You'll need to complete three high level steps:

1. Add and enable the MTS-ISAC TAXII feed.
2. Normalize your logs to the appropriate CIM data models, possibly through an existing add-on, and ideally, accelerate the data models.
3. Enable the Threat - Threat List Activity - Rule correlation search.


0 Karma
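As an added, stand-alone illustration of the pipeline the accepted answer describes (this is example code, not Splunk's, ES's or the answerer's), here is a Python model of the three stages: STIX indicators from a TAXII collection parsed into per-type lookup tables, a threatmatch-style pass over CIM-normalized events, and the per-indicator aggregation the Threat List Activity rule performs before raising a notable. The STIX indicators and the events are constructed for the example; the collection names (`ip_intel` and friends), the mapping from STIX object types to CIM fields, the `threat_key` contents and the aggregation key are assumptions made here, not ES's actual KV store schema or the rule's SPL. It needs only the standard library.

```python
import re
from collections import defaultdict

# Constructed STIX 2.x indicators, shaped like objects a TAXII 2 client pulls from a
# collection. IDs, names and values are invented; 203.0.113.0/24 and example.net are reserved.
STIX_INDICATORS = [
    {"id": "indicator--0001", "name": "credential phishing host",
     "pattern": "[domain-name:value = 'portal-login.example.net']"},
    {"id": "indicator--0002", "name": "C2 infrastructure",
     "pattern": "[ipv4-addr:value = '203.0.113.45' OR ipv4-addr:value = '203.0.113.46']"},
    {"id": "indicator--0003", "name": "malware download",
     "pattern": "[url:value = 'http://203.0.113.45/update.bin']"},
    {"id": "indicator--0004", "name": "dropper",
     "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
]

# One STIX comparison expression: <object-type>:<property> = '<value>'.
# finditer() also picks up OR-joined comparisons inside a single pattern.
_COMPARISON = re.compile(r"(?P<obj>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'")

# STIX object type -> (intel collection, CIM fields the match input inspects).
# Collection and field choices are this example's own assumption, not ES's KV store schema.
TYPE_MAP = {
    "ipv4-addr":   ("ip_intel",     ("src", "dest")),
    "domain-name": ("domain_intel", ("query", "dest")),
    "url":         ("url_intel",    ("url",)),
    "file":        ("file_intel",   ("file_hash",)),
}


def build_intel_collections(indicators):
    """Parse STIX patterns into per-type lookup tables: {collection: {ioc_value: indicator_id}}."""
    collections = defaultdict(dict)
    for ind in indicators:
        for m in _COMPARISON.finditer(ind["pattern"]):
            if m.group("obj") in TYPE_MAP:
                collection, _ = TYPE_MAP[m.group("obj")]
                collections[collection][m.group("val").lower()] = ind["id"]
    return dict(collections)


def threatmatch(events, collections):
    """Check CIM-normalized events against every collection; emit threat_activity-style records."""
    matches = []
    for ev in events:
        for collection, fields in TYPE_MAP.values():
            for field in fields:
                value = str(ev.get(field, "")).lower()   # case-insensitive, like the lookups
                if value and value in collections.get(collection, {}):
                    matches.append({
                        "_time": ev["_time"],
                        "threat_collection": collection,
                        "threat_match_field": field,
                        "threat_match_value": value,
                        "threat_key": collections[collection][value],  # indicator id in this example
                        "src": ev.get("src"), "dest": ev.get("dest"),
                        "data_model": ev.get("data_model"),
                    })
    return matches


def threat_list_activity(matches):
    """Aggregate matches roughly as the correlation search does: one record per
    (threat_match_field, threat_match_value) with a count and the hosts involved."""
    notables = defaultdict(lambda: {"count": 0, "src": set(), "dest": set(), "threat_key": set()})
    for m in matches:
        n = notables[(m["threat_match_field"], m["threat_match_value"])]
        n["count"] += 1
        n["threat_key"].add(m["threat_key"])
        for side in ("src", "dest"):
            if m[side]:
                n[side].add(m[side])
    return {k: {"count": v["count"], "src": sorted(v["src"]), "dest": sorted(v["dest"]),
                "threat_key": sorted(v["threat_key"])} for k, v in notables.items()}


# Constructed events already carrying CIM field names (what the add-ons in step 2 produce),
# plus one raw event that was never normalized.
EVENTS = [
    {"_time": 1, "data_model": "Web", "src": "10.20.1.15", "dest": "203.0.113.45",
     "url": "http://203.0.113.45/update.bin", "user": "crew01"},
    {"_time": 2, "data_model": "Network_Resolution", "src": "10.20.1.15",
     "query": "PORTAL-LOGIN.example.net"},
    {"_time": 3, "data_model": "Network_Traffic", "src": "10.20.1.40", "dest": "203.0.113.46",
     "dest_port": 443},
    {"_time": 4, "data_model": "Network_Traffic", "src": "10.20.1.40", "dest": "203.0.113.45",
     "dest_port": 8080},
    {"_time": 5, "data_model": "Web", "src": "10.20.1.40", "dest": "198.51.100.9",
     "url": "https://vendor.example.com/"},
    # Not CIM-normalized: dst_ip holds a listed C2 address, but no match input reads that field.
    {"_time": 6, "data_model": None, "src_ip": "10.20.1.77", "dst_ip": "203.0.113.45"},
]

if __name__ == "__main__":
    intel = build_intel_collections(STIX_INDICATORS)
    matches = threatmatch(EVENTS, intel)
    for m in matches:
        print("threat_activity:", m)
    for key, notable in threat_list_activity(matches).items():
        print("notable:", key, notable)
```

The last event is the reason step 2 is not optional: its destination is a listed C2 address, yet nothing matches because the log never got the CIM `dest` field. ES fails the same way, silently, when an add-on maps a field under a different name than the data model expects, so confirm that the relevant data model actually returns your Stash events before reading an empty Threat Activity dashboard as "no hits". Two matches against the same indicator from different hosts collapse into one record in the aggregation, which is the behaviour to keep in mind when you tune the rule's throttling.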
