Turn on threat matching searches in Splunk Enterprise Security
Edit the threat matching searches that ship with Splunk Enterprise Security to enrich the data arriving in your deployment with threat intelligence. A threat matching search compares fields from events in your environment against the threat artifacts in your threat intelligence collections and records each match as a threat finding that analysts can investigate.
Configuring the threat matching specifications in the UI automatically populates the settings of the corresponding [threatmatch://<source>] modular input stanza for the DA-ESS-ThreatIntelligence app in the inputs.conf configuration file. The custom search builder reads these threat matching settings to construct the search processing language (SPL) for the threat matching searches.
The events generated by these threat matching searches are tagged for the Threat Intelligence data model and populate the threat_activity index. As a security analyst, you can review the items in the threat_activity index by selecting Analytics, then Security intelligence, then Threat intelligence, and then Threat findings to open a dashboard for investigating threats.
You can customize the threat matching searches by making the following changes:
- Add or remove extra data models
- Change the time interval
- Change the earliest or latest time
- Add or remove aggregates
- Add or remove datasets
Edit threat matching settings to customize threat matching searches
Edit the threat matching settings to generate the SPL for threat matching searches and enrich your data with threat intelligence.
Prerequisite
You must have an administrator role with the edit_modinput_threatmatch capability to edit the threat matching settings.
Steps
- In Splunk Enterprise Security, select Configure and then Intelligence.
- In the Threat intelligence management section, select Threat matching.
- Use the following table to identify the available threat matching sources and the associated configuration settings for the threat matching searches:
Setting | Description | Example
Source | Type of threat matching source in your deployment. | certificate_common_name, certificate_serial, certificate_unit, dest, certificate_organization, domain
Interval | The cron schedule on which the search runs. For more information on cron formats, see Commonly used cron field formats. | 0,30 * * * * (runs at minute 0 and minute 30 of every hour)
Earliest time | Start of the time range the search covers, relative to the time it runs. | -45m@m (45 minutes ago, snapped to the start of the minute)
Latest time | End of the time range the search covers, relative to the time it runs. | +0s (the time the search runs)
Match fields | Data model fields that are compared against the threat artifacts to generate threat findings. | All_Certificates.SSL.ssl_issuer_common_name, All_Certificates.SSL.ssl_subject_common_name
Status | Turn the threat matching search on or off. | Activate / Turn on, Deactivate / Turn off
You can expand the threat matching source to view the SPL generated for the threat matching search.
- Select the threat matching source to edit the threat matching settings.
This opens the Edit threat matching configuration dialog box. You can only turn on, turn off, or edit existing threat matching sources using the UI. You can't use the editor to create new threat matching sources.
Use the following table to edit the specific configuration settings for your threat matching search:
Setting | Description
Name | Name of the threat matching stanza.
Source | Name of the threat matching source, that is, the type of threat artifact the search matches against.
Earliest time | Start of the time range the threat matching search covers.
Latest time | End of the time range the threat matching search covers.
Interval | Cron schedule on which the threat matching search runs.
Max aggregate values | Maximum number of values the threat matching search collects for each aggregate field.
Datasets | Datasets currently included in the threat matching search. Delete a dataset by selecting the X next to it, and edit a dataset by selecting the pencil icon next to it. Turn a dataset on or off by selecting Activate / Turn on or Deactivate / Turn off for that dataset. You can also remove individual fields that the threat matching search matches against.
Add a new dataset to the threat matching search
- In Splunk Enterprise Security, select Configure and then Intelligence.
- In the Threat intelligence management section, select Threat matching.
- Locate a threat matching source and then select the pencil icon in the table to edit it.
- Select Add dataset to add more datasets to the threat matching search. This opens the Add a dataset dialog box.
- Select the data model for the dataset from the Data model drop-down menu to specify the source of the dataset. For example: Alerts, Authentication, Certificates, Change analysis, Inventory, Database, and so on.
- Select the object using the Object drop-down menu to specify the dataset object used from the data model. For example, if you select Authentication as the data model, you can select objects such as Failed_Authentication, Default_Authentication, Successful_Authentication, Insecure_Authentication, and so on.
- In the Event filter field, specify a boolean clause that narrows the events the threat matching search considers. The clause is translated to the where clause in the generated SPL, so only events that satisfy it are matched against threat artifacts.
- Specify the Match field to select the fields that are compared against the threat artifacts to generate findings. For example: source, sourcetype, and so on.
- Select Add aggregate to identify the fields that the search retrieves from the data model and carries into the resulting finding.
- Specify an alias for the field to rename the aggregate. For example, you can rename the aggregate All_Certificates.src to the alias src, or the aggregate All_Certificates.dest to the alias dest, while specifying the settings for the threat matching search.
- Select Save dataset to build the threat matching search.
Turn off individual threat artifacts
To prevent individual threat artifacts on a threat list from creating findings if they match events in your environment, turn off individual threat artifacts. If you have command line access to the Splunk Enterprise Security search head, you can turn off individual threat artifacts using the REST API. See Threat Intelligence API reference in the Splunk Enterprise Security REST API Reference.
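The following Python model, added here as an illustration and not Splunk Enterprise Security code, shows how the settings from the dataset procedure above combine at run time: the earliest and latest time modifiers bound the events considered, the event filter stands in for the where clause, each match field is compared against the active artifacts of the configured source, individually turned-off artifacts are skipped, and aggregate values are collected under their aliases up to the configured maximum. It does not reproduce the SPL the custom search builder emits. The Certificates data model field names come from the examples on this page; the threat list contents, the events, the fixed clock, and the helper names are constructed for the example.

```python
"""Illustrative model of a threat matching search (added example, not ES code).
Field names follow the Certificates data model examples on the page; the threat
list, events, clock and helper names are constructed for this example."""
import re
from datetime import datetime, timedelta, timezone

# Constructed threat list. Each artifact carries the threat matching source it
# belongs to and whether it has been turned off individually.
THREAT_ARTIFACTS = [
    {"threat_key": "constructed_feed", "source": "certificate_common_name",
     "value": "update.evil-cdn.example", "disabled": False},
    {"threat_key": "constructed_feed", "source": "certificate_common_name",
     "value": "mail.bad.example", "disabled": True},   # turned off: never matches
    {"threat_key": "constructed_feed", "source": "domain",
     "value": "c2.badguys.example", "disabled": False},  # other source: ignored here
]

# Threat matching settings mirroring the UI: one Certificates dataset, two match
# fields, two aggregates renamed through aliases, at most two values per aggregate.
CONFIG = {
    "source": "certificate_common_name",
    "earliest": "-45m@m",
    "latest": "+0s",
    "max_aggregates": 2,
    "datasets": [{
        "object": "All_Certificates.SSL",
        # Stand-in for the Event filter (the where clause); constructed condition.
        "event_filter": lambda ev: ev.get("All_Certificates.dest") != "10.0.0.1",
        "match_fields": ["All_Certificates.SSL.ssl_issuer_common_name",
                         "All_Certificates.SSL.ssl_subject_common_name"],
        "aggregates": {"All_Certificates.src": "src", "All_Certificates.dest": "dest"},
    }],
}

_REL = re.compile(r"^([+-])(\d+)([smhd])(?:@([smhd]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_SNAP = {"s": {"microsecond": 0}, "m": {"second": 0, "microsecond": 0},
         "h": {"minute": 0, "second": 0, "microsecond": 0},
         "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}}

def relative_time(spec, now):
    """Resolve a relative time modifier such as -45m@m or +0s against now: apply
    the signed offset, then snap down to the unit after '@' if one is given.
    Only the s/m/h/d subset of Splunk's modifier syntax is handled here."""
    m = _REL.match(spec)
    if not m:
        raise ValueError(f"unsupported time modifier: {spec}")
    sign, n, unit, snap = m.groups()
    delta = timedelta(**{_UNIT[unit]: int(n)})
    t = now + delta if sign == "+" else now - delta
    return t.replace(**_SNAP[snap]) if snap else t

def run_threat_match(config, events, artifacts, now):
    """Return one finding per (match field, matched value) for events inside the
    earliest/latest window that pass the event filter, considering only active
    artifacts of the configured source and keeping at most max_aggregates
    distinct values per aggregate alias."""
    earliest = relative_time(config["earliest"], now)
    latest = relative_time(config["latest"], now)
    active = {a["value"]: a["threat_key"] for a in artifacts
              if a["source"] == config["source"] and not a["disabled"]}
    findings = {}
    for ds in config["datasets"]:
        for ev in events:
            if not (earliest <= ev["_time"] < latest) or ev.get("object") != ds["object"]:
                continue
            if ds["event_filter"] and not ds["event_filter"](ev):
                continue
            for field in ds["match_fields"]:
                value = ev.get(field)
                if value not in active:
                    continue
                finding = findings.setdefault((field, value), {
                    "threat_match_field": field, "threat_match_value": value,
                    "threat_key": active[value], "threat_source": config["source"],
                    "aggregates": {alias: [] for alias in ds["aggregates"].values()},
                })
                for src_field, alias in ds["aggregates"].items():
                    seen = finding["aggregates"][alias]
                    v = ev.get(src_field)
                    if v is not None and v not in seen and len(seen) < config["max_aggregates"]:
                        seen.append(v)
    return list(findings.values())

NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # fixed clock for the example

def _ev(minutes_ago, subject, issuer, src, dest):
    return {"_time": NOW - timedelta(minutes=minutes_ago), "object": "All_Certificates.SSL",
            "All_Certificates.SSL.ssl_subject_common_name": subject,
            "All_Certificates.SSL.ssl_issuer_common_name": issuer,
            "All_Certificates.src": src, "All_Certificates.dest": dest}

# Constructed events: three subject-name matches (third exceeds max_aggregates for src),
# one too old for the window, one hitting the disabled artifact, one issuer-name
# match, and one dropped by the event filter.
EVENTS = [
    _ev(10, "update.evil-cdn.example", "Constructed CA", "10.0.0.5", "203.0.113.10"),
    _ev(20, "update.evil-cdn.example", "Constructed CA", "10.0.0.6", "203.0.113.10"),
    _ev(30, "update.evil-cdn.example", "Constructed CA", "10.0.0.7", "203.0.113.11"),
    _ev(120, "update.evil-cdn.example", "Constructed CA", "10.0.0.8", "203.0.113.10"),
    _ev(5, "mail.bad.example", "Constructed CA", "10.0.0.9", "203.0.113.10"),
    _ev(2, "legit.example", "update.evil-cdn.example", "10.0.0.10", "203.0.113.12"),
    _ev(1, "update.evil-cdn.example", "Constructed CA", "10.0.0.11", "10.0.0.1"),
]

if __name__ == "__main__":
    for f in run_threat_match(CONFIG, EVENTS, THREAT_ARTIFACTS, NOW):
        print(f["threat_match_field"], f["threat_match_value"], f["aggregates"])
```

Running the block yields two findings, both for update.evil-cdn.example: one on the subject common name with src limited to the first two distinct values and both destinations retained, and one on the issuer common name. The event older than 45 minutes, the event matching the turned-off artifact, and the event rejected by the event filter produce nothing, which is the behaviour to confirm when you tighten earliest time, turn off an artifact, or add an event filter in the UI.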
See also
For more information on threat intelligence management, see the product documentation:
- Create and manage safelist libraries in Splunk Enterprise Security
- Supported types of threat intelligence in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1