I am running Splunk Enterprise Security and I am pulling in threat intel on a regular basis from a few vendors for notable event alerts. Last week, I saw that Ryan Kovar had posted an app to pull in threat intel around COVID-19 threats, malware, and disinformation from a Github environment and that was pretty cool! Then I saw he took indicators from that same Github repo and imported them into Enterprise Security! Now I am hearing that there is a MISP server available to pull indicators from as well and I was wondering if Splunk Enterprise Security can integrate with MISP. I am also a little embarrassed to admit it, I’m not entirely familiar with MISP, except that it is used with threat intelligence. I’ve used other threat intel platforms in the past and I would rather not go back to that old house, there’s too many bad memories. Can you assist?
Angie from Manchester
Angie from Manchester,
I’m quite pleased that you are pulling threat intel into Enterprise Security and it’s great you have already leveraged Ryan’s instructions to grab threat intelligence indicators directly from the web. That functionality isn’t used as often as it could be, because it certainly simplifies getting data in!
Let’s start with your question about MISP. MISP stands for Malware Information Sharing Platform, and is an open-source threat intelligence sharing platform. Quite simply, it provides a platform to collect threat intelligence indicators and share them with others as desired. MISP provides the ability for indicators to be grouped into events, it comes with a web UI for analysts to interface with and has many extensions. It also has a set of APIs that allow third-party software to interface with it. If you want to learn more about MISP, they publish a handy guide in numerous formats, including an HTML version. If you are looking to kick the tires on MISP, a handy guide is available to help you get started spinning up an instance in AWS. If you are looking for a way to manage threat indicators, MISP is a good way to go. With that brief introduction, let’s get to setting up Splunk and MISP!
We are going to use a community app called MISP42Splunk to link our Splunk instance and MISP. The first step is to install the MISP42Splunk app, just like any other app in Splunk. That won’t take but a moment, though it may require a restart of Splunk once it is finished.
Now that we have it installed, we will need to create an input to configure the connection. Fun fact, it is possible to pull from multiple MISP instances into a Splunk instance! At a minimum, we will need the URL of the MISP server and the API key.
Because we want to connect to the COVID-19 MISP server, we should use the URL, https://covid-19.iglocska.eu. Just a friendly reminder, we need to request access to this server and this can be done via self-registration at https://covid-19.iglocska.eu/users/register.
Once we are logged in, we can find the API key by clicking Automation on the navigation menu on the left side of the screen.
We will call this input misp_covid, to differentiate from other MISP servers we may be connected to. This name will be needed later on so remember it! The interval, index, url, and api fields all need to be completed. Below we have our completed input. While certificates and proxies can be configured, they are not required. You may notice that we have an index called misp. We configured our Splunk instance to pull indicators and write them to their own index. While index is listed as a mandatory field, you do not need to download the indicators to an index if you do not want to.
By default, a set of saved searches is provided with the app to extract indicators and load them into lookups or the KVStore. These searches can be modified to load indicators into an index and can be tweaked as desired. If you choose to load the indicators to an index, there is also a dashboard that also comes with the app that provides to visualize statistics of the indexed indicators.
There is one final step that needs to take place to integrate MISP and Splunk. In the MISP42Splunk app, under Configuration there is an Account tab. Click Add to add the username and credentials of a Splunk user that will have the capability of list_storage_passwords in Splunk and click Add.
Alright, that’s it for the config, we can now search and ingest indicators! In addition to the default savedsearches and dashboard content, MISP42Splunk comes with a set of custom search commands that allow direct searching of a MISP instance, including the one we will cover in just a bit, mispgetioc. We’re not going to go through them in detail here, but Angie, give them a try!
Because we have Enterprise Security, we have the Threat Intelligence framework available to do much of the heavy lifting for us. If you need to understand more about the basics of the Threat Intel framework, John Stoner did a deep dive into the framework at .conf17. Take a few minutes to check it out.
The key to integrating with Enterprise Security is that we need a set of searches, similar to what has been provided in the app to assist us in getting data from MISP and into a place where the Threat Intelligence framework can run with it. We could load that data into what is referred to as the local lookups (local_ip_intel, local_http_intel, etc). However, rather than directing you to add more data to your local lookups, we have an app called TA-misp_es that aids in the MISP/ES integration. This app contains a set of saved searches for each component of the threat intel framework that MISP is likely to have indicators to support, as well as its own set of properly formatted csv files (misp_es_ip_intel, misp_es_http_intel, and so on) to store your MISP indicators. This is installed on the Splunk instance in conjunction with the MISP42Splunk app to feed this content to Enterprise Security!
The included saved searches need to be modified to your specific configuration, so let’s take a quick look at the MISP_ES_ip_intel search as an example. We are querying the instance named misp_covid, as defined during setup and we are pulling indicators for the past day. Notice there are numerous switches inside the custom command, mispgetioc, that will increase or decrease the volume of indicators. It is important to note that rather than using last, you can also specify a date range or search by the MISP eventid. One additional reminder is that in this case, you are connecting to another organization’s system, so depending on permissions and configurations, you may not be able to access every indicator in the manner you might desire. Be courteous.
After the first line of the search where we collect the indicators, the rest of the search is finessing the events into the format of the lookup and writing it to the csv. If you want to check out the searches, they can be found here.
Now that we discussed what has to be done, we can make these simple edits of the instance. Click Settings -> Searches, reports, and alerts.
Edit each search by clicking Edit -> Edit Search and make sure the MISP instance is correct. Click Save. Click Edit -> Edit Schedule to set the interval that the search will query the MISP server for new indicators. Finally, make sure that the search is enabled but looking on the far right column and checking the column status.
With this linkage created, the saved search will trigger a search to query the MISP server at the scheduled time and retrieve indicators into the proper lookups. As soon as the indicators are written to the lookups, the threat intelligence framework will aggregate this data, and load it into the KVStore and start running correlation searches against it, just like any other threat intelligence collected.
Here we can see the indicators in the Threat Artifacts dashboard.
At this point, there is nothing more to be done; the process is the same as what Ryan laid out to Old Man Kensey in his recent blog, the difference was his data originated from Github.
Angie, I hope this provided you with a better understanding of MISP, along with a resource for useful COVID-19 threat intelligence indicators and a straightforward path that demonstrates how easy it is to integrate MISP with Splunk Enterprise Security.
Until Next Time,