Splunk Enterprise Security

Splunk ES issue

So76
Explorer

Need help on Enterprise Security. Is there a way to create a standard TAXII parser that can do correlation searches of logs coming from Maritime Transportation System ISAC and logs coming from Stash? New to ES and have no idea what it's all about. See the issue below, if it'll help. Please advise and help on what needs to be done. I am very new to ES. Thanks

 

"A shipping company that gets intelligence feeds/reports from MTS-ISAC (Maritime Transportation System ISAC).
The MTS-ISAC provides proactive cyber threat intelligence, alerts, warnings, and vulnerability information cultivated from maritime stakeholders and public and private sector shares, open-source intelligence, and cybersecurity news.

So it's just a matter of parsing that information so Matson can do correlation searches (correlate it with logs) that are currently coming from Stash."

 


tscroggins
Motivator

@So76 

Splunk Enterprise Security threat intelligence works with TAXII feeds directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Downloadthreatfeed#Add_a_TAXII_feed. You can also upload STIX content directly. See https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Uploadthreatfile.

This presentation provides a good overview of the threat intelligence framework: https://conf.splunk.com/files/2017/slides/enterprise-security-biology-dissecting-the-splunk-enterpri....

After adding and enabling TAXII sources, data is parsed and added to an appropriate KV store collection.

A series of threatmatch modular inputs checks CIM data models for matches against threat intelligence. For example, the "url" input looks for threats in the Web data model.

Matches are collected in the threat_activity index and summarized by the Threat Activity data model.

A single correlation search, Threat - Threat List Activity - Rule, creates a notable event when new threat matches are detected.

You'll need to complete three high-level steps:

1. Add and enable the MTS-ISAC TAXII feed.
2. Normalize your logs to the appropriate CIM data models, possibly through an existing add-on, and ideally, accelerate the data models.
3. Enable the Threat - Threat List Activity - Rule correlation search.

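The flow described in the answer above (parse the feed into per-type collections, then compare normalized event fields against them), modelled in Python as an added example; it is not part of the thread and is not Splunk's implementation. The STIX 2.1 bundle, the events, the collection names and the field mapping are constructed assumptions, and the page does not state which STIX version the MTS-ISAC feed delivers.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for one page of a TAXII collection.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "pattern_type": "stix", "pattern": "[url:value = 'http://bad.example/login']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "pattern_type": "snort", "pattern": "alert tcp any any -> any 80"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-0000000000b1"},
    ]})
# Constructed events, already normalized to CIM-style field names.
SAMPLE_EVENTS = [
    {"sourcetype": "proxy", "src": "10.0.0.5", "url": "http://bad.example/login"},
    {"sourcetype": "firewall", "src": "10.0.0.9", "dest": "198.51.100.7"},
    {"sourcetype": "firewall", "src": "10.0.0.9", "dest": "203.0.113.10"},
]
# Assumed mapping: STIX object type -> (collection name, event fields to compare).
MATCH_MAP = {"ipv4-addr": ("ip", ("src", "dest")),
             "url": ("url", ("url",)),
             "domain-name": ("domain", ("query",))}
# Only single equality comparisons such as [url:value = '...'] are handled.
SIMPLE = re.compile(r"\[\s*([a-z0-9-]+):value\s*=\s*'([^']*)'\s*\]")

def parse_bundle(text):
    """Return {collection: {observable value: indicator id}}."""
    collections = {name: {} for name, _ in MATCH_MAP.values()}
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # non-indicator objects and non-STIX patterns are skipped
        m = SIMPLE.fullmatch(obj.get("pattern", "").strip())
        if m and m.group(1) in MATCH_MAP:
            collections[MATCH_MAP[m.group(1)][0]][m.group(2)] = obj["id"]
    return collections

def threat_matches(events, collections):
    """Compare each mapped event field against its collection; return the hits."""
    hits = []
    for event in events:
        for collection, fields in MATCH_MAP.values():
            for field in fields:
                value = event.get(field)
                if value in collections[collection]:
                    hits.append({"field": field, "value": value, "collection": collection,
                                 "indicator": collections[collection][value]})
    return hits
```

Events whose fields are not normalized to the names in the mapping never match, which is why the answer's second step matters.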