
New Capabilities Come to the Threat Intelligence Framework with Enterprise Security 4.7!

Continuous improvement of the threat intelligence framework has been an area of focus since its initial release in Splunk Enterprise Security 3.0.  Along the way, Splunk has added greater auditability, bundling of external threat lists, the ability to ingest STIX, TAXII and OpenIOC formats, and the ability to correlate nine different kinds of observables (indicators) to the platform.

For those not familiar with the threat intelligence framework in Splunk Enterprise Security, here is a quick primer.  Enterprise Security comes with sixteen threat feeds from providers like I-Blocklist, Emerging Threats, Malware Domains, SANS and others.  These threat feeds and others you may use can be ingested directly from the internet and processed along with locally sourced and developed threat intelligence and then correlated with machine data and presented to analysts for action and resolution.

Observables can be file hashes, IP addresses, registry values, service names, processes, URLs, email attributes, and certificate attributes, like common name or serial number, to name a few.  With this variety, it is important to leverage event sources, not just from the network, but also from the endpoint.  The threat intel framework processes new observables that are added to ES and then correlates them with new events.  By default, the outcome of a match is a notable event being created for an analyst to review.

With the latest version of ES, I wanted to share with you some newer capabilities that may help you when working with threat intelligence.

Upload STIX/IOC/CSV files via the UI
With ES 3.3 and continuing to version 4.5, the ability to upload STIX and IOC documents existed, but it required files to be placed into specific directories that the threat intelligence modular input would monitor and then upload. For Splunk Cloud customers, this would require a ticket to be created to request a STIX or IOC file to be uploaded. With the ES 4.6 cloud release, a user interface is now provided so that users can easily upload indicators without having to create a ticket. This capability also exists for on-premises customers with the 4.7 release, so analysts can add new threat intel without needing command line access.

The upload also provides a means to take large volumes of a specific observable and load it into Splunk ES.  For example, a csv of file hashes could be uploaded, and a threat intel category and group could be assigned to the entire csv file.  The benefit of this approach is that these observables can be searched and filtered via the threat artifacts dashboard and then used for correlation with other machine data that Splunk collects.  The outcome of those correlations is viewable by analysts as notable events.

 

Ability to delete via REST API
Another new capability that was included with the 4.6 Cloud release was the ability to mark indicators disabled via the REST API.  This can be incredibly useful when a specific indicator no longer needs to be correlated against new events, but a record of the indicator needs to be maintained.  Using this capability, analysts can see past and current IOCs.

To mark an individual indicator as disabled, identify the indicator of interest and its associated _key value.

| inputlookup ip_intel | search ip=58.64.179.144 | eval item_key=_key

Paste the item_key into a curl statement after /ip_intel/.  In this example, we are searching our IP address repository, but this could be file, registry or other data sets.

From the command line, issue the following command:

$ curl -k -u <myusername>:<mypassword> https://192.168.70.129:8089/services/data/threat_intel/item/ip_intel/fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d -X DELETE

where <myusername> and <mypassword> are, well, my username and password.

Success looks like this:

{"message": "Delete operation successful.", "status": true}

If the original |inputlookup search is rerun, an additional column called disabled will appear with a value of 1.

To search for all disabled IP observables:

| inputlookup ip_intel | search disabled=1

Once the observable is tagged as disabled, ES will not create any new notable events for machine data that correlates with a disabled observable, but notable events already created that reference that observable will remain.

One important tip: if you are using this technique to disable an observable that has an item_key like local_ip_intel|10.10.10.10, place single quotes around the item key in the curl statement so that the shell does not treat the | as a pipe and the command executes correctly.

$ curl -k -u <myusername>:<mypassword> https://192.168.70.129:8089/services/data/threat_intel/item/ip_intel/'local_ip_intel|10.10.10.10' -X DELETE
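
The disable call above can be wrapped so that the item key is percent-encoded rather than shell-quoted, the password is prompted for instead of typed on the command line, and the splunkd certificate is verified instead of skipped with -k. This is an added example, not code from the original post or from Splunk; the function names and the SPLUNK_CA and SPLUNK_USER variables are hypothetical, and it assumes splunkd decodes percent-encoded characters in the item key path segment.

```sh
#!/bin/sh
# Added example (not from the original post). Function names, SPLUNK_CA and
# SPLUNK_USER are hypothetical.

# Percent-encode an item key for use as one URL path segment. Unreserved
# characters and ':' (sent as-is in the post's own URL) pass through; anything
# else, such as '|', becomes %XX. Written for ASCII keys like those in the post.
encode_item_key() (
  LC_ALL=C; export LC_ALL
  key=$1; out=
  while [ -n "$key" ]; do
    rest=${key#?}            # key without its first character
    c=${key%"$rest"}         # the first character
    case $c in
      [A-Za-z0-9._~:-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    key=$rest
  done
  printf '%s' "$out"
)

# Build the item URL from the post's endpoint path.
# $1 = management URL (https://host:8089), $2 = collection such as ip_intel,
# $3 = item key (the _key value returned by the inputlookup search)
item_url() {
  printf '%s/services/data/threat_intel/item/%s/%s' \
    "${1%/}" "$2" "$(encode_item_key "$3")"
}

# True only if the response body reports "status": true, as in the post's
# success message.
disable_succeeded() {
  printf '%s' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*true'
}

# Send the DELETE. Giving -u only a user name makes curl prompt for the
# password, keeping it out of the process list and shell history; --cacert
# verifies the splunkd certificate against the CA bundle at $SPLUNK_CA.
disable_item() {
  resp=$(curl -sS --cacert "$SPLUNK_CA" -u "$SPLUNK_USER" -X DELETE \
    "$(item_url "$1" "$2" "$3")") || return 1
  printf '%s\n' "$resp"
  disable_succeeded "$resp"
}

# Usage: SPLUNK_CA=/path/to/ca.pem SPLUNK_USER=<myusername> \
#   disable_item https://192.168.70.129:8089 ip_intel 'local_ip_intel|10.10.10.10'
```

disable_item returns non-zero when curl fails or when the response does not report "status": true, so it can gate a follow-up check with | inputlookup ip_intel | search disabled=1.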

Adding Threat Intelligence via Adaptive Response
A new capability added in ES 4.7 provides analysts with the ability to take observables directly from a notable event and add them to a threat list via a new Adaptive Response action that is built directly into ES.  Like any adaptive response, this can be run ad-hoc at the notable event level or can be added to correlation search actions so that it runs automatically when search criteria are met.

By using the Adaptive Response framework, analysts can see if the action completed successfully or failed.  All Adaptive Response Actions can be audited via a pre-built dashboard.

The adaptive response method also allows role-based access control to be implemented on a per-action basis. So, if the incident response team is allowed to add threat intelligence, but not the tier one analysts, roles can be used to restrict who can run this action.

I may be burying the lead here, but it is important to also point out that with ES 4.7, we can now support TAXII feeds like those used by US-CERT Automatic Indicator Sharing (AIS).

With the introduction of Enterprise Security 4.7, Splunk adds additional capabilities within the threat intelligence framework to make it easier for users to add threat intel to the system, mask indicators that are no longer needed for correlation, but should be kept for reference, and process STIX and TAXII data from other sources.

Go check it out!

Happy Splunking!

Posted by John Stoner

I grew up in Virginia, graduated from Penn State and came back to Virginia where I have worked with databases and cyber for over 20 years. A job or two felt like I really was a cast member of The Office or Office Space, but every one of them taught me something new.
