Splunk® Intelligence Management (Legacy)

User Guide

Endpoint intelligence sources

Splunk Intelligence Management supports the following endpoint intelligence sources:

  • Cisco AMP Threat Grid Indicator Query
  • Crowdstrike Falcon Detection
  • Crowdstrike Falcon Intelligence
  • Crowdstrike Falcon Reports

Cisco AMP Threat Grid Indicator Query

This document explains how to set up the Cisco AMP Threat Grid Indicator Query premium intelligence source in the Splunk Intelligence Management platform.

Cisco Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • Domain
  • URL (the domain is extracted from the URL)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY

Requirements

  • Subscription to Cisco AMP Threat Grid
  • Cisco AMP Threat Grid API key
  • Splunk Intelligence Management Admin rights are required to activate this premium intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side menu.
  3. Choose Premium Intel.
  4. Click Subscribe on the Cisco AMP Threat Grid Analysis Feeds box.
  5. Enter your API key and then click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Crowdstrike Falcon Detection

This document explains how to set up the Crowdstrike Falcon Detect premium intelligence source in the Splunk Intelligence Management platform.

Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon delivers real-time protection and actionable intelligence from Day One.

  • Source Type: Premium Intelligence
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Workflows-Compatible: Yes
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • URL
  • Domain

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Detection.
  • Crowdstrike API client ID and secret with Read access to the Detections API scope.
  • Splunk Intelligence Management Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the Crowdstrike Falcon Detection box.
  5. Enter your API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Technical Details

Splunk Intelligence Management queries the Detection Search API with a filter (for example, a max_severity_displayname of Critical or High) and receives a list of detection IDs. Those IDs are then passed to the Detection Details API to get the full details of each detection. The results from the Detection Details call are submitted to Splunk Intelligence Management as a report. Note that the search response is paged: meta.pagination reports how many detections matched the filter (1130 in the sample below, of which only 4 are returned in that page), so a complete pull has to walk the offset until every ID has been collected.

Detection Search Request Sample

This sample filters on max_severity_displayname:'Critical' and first_behavior after 2017-01-01, sorted newest first. The %2B is a URL-encoded +, which FQL uses as AND; add a second severity clause to pull High-priority detections as well.

$ curl -X GET -u "youruser:yourkey" -H "Content-Type: application/json" "https://falconapi.crowdstrike.com/detects/queries/detects/v1?filter=max_severity_displayname:'Critical'%2Bfirst_behavior:>'2017-01-01'&sort=first_behavior.desc"

Sample Response - Detection Search

{
  "errors": [],
  "meta": {
    "pagination": {
      "limit": 4,
      "offset": 0,
      "total": 1130
    },
    "powered_by": "msa-api",
    "query_time": 0.020452436,
    "trace_id": "77710051-9d0b-46ba-af55-cbeb3983da4e"
  },
  "resources": [
    "ldt:3752a1cc489964:817585689360212029",
    "ldt:e137098aa9eaaf02d7:817585689360212022",
    "ldt:9e27007645d94e4a:148396684788734",
    "ldt:ba634d05764c05f87dc:148395676791867"
  ]
}

Detection Details Request Sample

Use the detection IDs (the "ldt:" strings in the resources array above) to query the detection details:

$ curl -X POST -u "youruser:yourkey" -H "Content-Type: application/json" "https://falconapi.crowdstrike.com/detects/entities/summaries/GET/v1" -d '{"ids": ["ldt:ddaab9931f4a4b90450585d1e748b324:148124137618026"]}'

Sample Detection Details Response

{
  "meta": {
    "query_time": 0.002420999,
    "powered_by": "msa-api",
    "trace_id": "XXXXXXXX-bbghoweh-XXX-71d97d5XXXXX"
  },
  "resources": [
    {
      "cid": "9XXX9999XXX999X99X9X999X99999XXX",
      "detection_id": "ldt:aaabbbcccdddd:aaabbbcccdddd",
      "device": {
        "device_id": "aaabbbcccdddd",
        "cid": "aaabbbcccdddd",
        "agent_load_flags": "0",
        "agent_local_time": "2019-09-07T13:19:20.642Z",
        "agent_version": "3.5.5606.0",
        "bios_manufacturer": "ACME Technologies LTD",
        "bios_version": "6.00",
        "config_id_base": "65994753",
        "config_id_build": "5606",
        "config_id_platform": "3",
        "external_ip": "XX.XXX.XX.XXX",
        "hostname": "TEST",
        "first_seen": "2019-08-16T22:41:12Z",
        "last_seen": "2019-09-07T18:55:12Z",
        "local_ip": "XXX.XXX.XXX.XXX",
        "mac_address": "XX-XX-XX-XX-XX-XX",
        "major_version": "6",
        "minor_version": "1",
        "os_version": "Windows 7",
        "platform_id": "0",
        "platform_name": "Windows",
        "product_type": "1",
        "product_type_desc": "Workstation",
        "status": "contained",
        "system_manufacturer": "VMware, Inc.",
        "system_product_name": "VMware Virtual Platform",
        "modified_timestamp": "2019-09-07T18:55:25Z"
      },
      "behaviors": [
        {
          "device_id": "XXXXXXXXXX",
          "timestamp": "2019-09-07T20:01:00Z",
          "behavior_id": "10106",
          "filename": "powershell.exe",
          "alleged_filetype": "exe",
          "cmdline": "powershell -ExecutionPolicy Bypass -encodedCommand XXXXXXXXXXXXXX==",
          "scenario": "credential_theft",
          "severity": 90,
          "confidence": 80,
          "ioc_type": "",
          "ioc_value": "",
          "ioc_source": "",
          "ioc_description": "",
          "user_name": "TEST",
          "user_id": "S-1-5-18",
          "control_graph_id": "ctg:XXXXXXXXXXXX",
          "triggering_process_graph_id": "pid:XXXXXXXXXXXXX",
          "sha256": "XXXXXXXXXXXXXXXX",
          "md5": "85XXXXXXXXXXX",
          "parent_details": {
            "parent_sha256": "XXXXXXXXXXXXXX",
            "parent_md5": "XXXXXXX",
            "parent_cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ",
            "parent_process_graph_id": "pid:XXXXXXX"
          },
          "pattern_disposition": 282
        }
      ],
      "email_sent": false,
      "first_behavior": "2019-09-07T18:55:49Z",
      "last_behavior": "2019-09-07T20:06:36Z",
      "max_confidence": 90,
      "max_severity": 90,
      "max_severity_displayname": "Critical",
      "show_in_ui": true,
      "status": "new",
      "adversary_ids": null,
      "hostinfo": {
        "active_directory_dn_display": null,
        "domain": ""
      },
      "seconds_to_triaged": 0,
      "seconds_to_resolved": 0
    }
  ],
  "errors": []
}
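The two-step flow above, written out as an added example (this is not Splunk's or CrowdStrike's code). It builds the FQL filter, pages through the Detection Search results using meta.pagination, POSTs the collected IDs in batches to the Detection Details endpoint, and flattens each detection into a report-style dict. The HTTP layer is a stub that serves constructed responses modelled on the page's samples, so the script runs offline; a real client with the same call signature can be swapped in. The endpoint paths and response field names come from the page; the batch size, the report shape, the bracketed multi-value FQL form and the sample IP addresses are assumptions.

```python
"""Pull Falcon detections in two steps: search for IDs, then fetch details.

Added example, not code from Splunk or CrowdStrike. The HTTP transport is a
parameter so the offline stub below can stand in for the real API.
"""
import re

SEARCH_PATH = "/detects/queries/detects/v1"          # Detection Search (page)
DETAILS_PATH = "/detects/entities/summaries/GET/v1"  # Detection Details (page)
DETAIL_BATCH = 2    # assumed batch size; the real API accepts many more IDs
_LDT_RE = re.compile(r"ldt:[0-9a-f]+:\d+")           # ID shape seen on the page
_IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")    # rejects masked XX.XXX.XX.XXX


def build_filter(severities=("Critical", "High"), since="2017-01-01"):
    """FQL filter: '+' is AND. A single value uses the page's form; a
    bracketed list (FQL's multi-value form, assumed here) matches any value."""
    if len(severities) == 1:
        sev = f"'{severities[0]}'"
    else:
        sev = "[" + ",".join(f"'{s}'" for s in severities) + "]"
    return f"max_severity_displayname:{sev}+first_behavior:>'{since}'"


def search_detection_ids(request, fql, page_size=2):
    """Walk meta.pagination until every matching ID is collected."""
    ids, offset = [], 0
    while True:
        resp = request("GET", SEARCH_PATH, params={
            "filter": fql, "sort": "first_behavior.desc",
            "limit": page_size, "offset": offset})
        if resp.get("errors"):
            raise RuntimeError(f"search failed: {resp['errors']}")
        page = resp["resources"]
        bad = [i for i in page if not _LDT_RE.fullmatch(i)]
        if bad:                      # never forward malformed IDs downstream
            raise ValueError(f"unexpected detection id(s): {bad}")
        ids.extend(page)
        offset += len(page)
        # stop on an empty page too, so a wrong 'total' cannot loop forever
        if not page or offset >= resp["meta"]["pagination"]["total"]:
            return ids


def fetch_details(request, ids):
    """POST the IDs in batches; body is {"ids": [...]} as in the page's curl."""
    details = []
    for start in range(0, len(ids), DETAIL_BATCH):
        resp = request("POST", DETAILS_PATH,
                       body={"ids": ids[start:start + DETAIL_BATCH]})
        if resp.get("errors"):
            raise RuntimeError(f"details failed: {resp['errors']}")
        details.extend(resp["resources"])
    return details


def to_report(det):
    """Flatten one detection (report shape assumed). Only IPs are pulled out,
    matching this source's supported observables; masked values are skipped."""
    dev = det.get("device", {})
    ips = sorted({dev[k] for k in ("external_ip", "local_ip")
                  if _IPV4_RE.fullmatch(dev.get(k, ""))})
    behaviors = det.get("behaviors", [])
    return {"detection_id": det["detection_id"],
            "hostname": dev.get("hostname"),
            "severity": det.get("max_severity_displayname"),
            "first_behavior": det.get("first_behavior"),
            "scenarios": sorted({b["scenario"] for b in behaviors if b.get("scenario")}),
            "commands": [b.get("cmdline", "") for b in behaviors],
            "ips": ips}


def pull_reports(request, fql):
    return [to_report(d) for d in fetch_details(request, search_detection_ids(request, fql))]


# --- offline stand-in for the API, using the page's sample IDs ---
SAMPLE_IDS = ["ldt:3752a1cc489964:817585689360212029",
              "ldt:e137098aa9eaaf02d7:817585689360212022",
              "ldt:9e27007645d94e4a:148396684788734",
              "ldt:ba634d05764c05f87dc:148395676791867"]


def _sample_detail(det_id, n):
    """Constructed record shaped like the page's details sample (IPs assumed)."""
    return {"detection_id": det_id, "max_severity_displayname": "Critical",
            "first_behavior": f"2019-09-07T18:55:4{n}Z",
            "device": {"hostname": f"HOST-{n}", "external_ip": "203.0.113.10",
                       "local_ip": "XXX.XXX.XXX.XXX", "status": "contained"},
            "behaviors": [{"filename": "powershell.exe", "scenario": "credential_theft",
                           "cmdline": "powershell -ExecutionPolicy Bypass -encodedCommand XXXX=="}]}


def fake_request(method, path, params=None, body=None):
    if method == "GET" and path == SEARCH_PATH:
        off, lim = params["offset"], params["limit"]
        return {"errors": [], "resources": SAMPLE_IDS[off:off + lim],
                "meta": {"pagination": {"limit": lim, "offset": off, "total": len(SAMPLE_IDS)}}}
    if method == "POST" and path == DETAILS_PATH:
        wanted = [i for i in body["ids"] if i in SAMPLE_IDS]
        return {"errors": [], "resources": [_sample_detail(i, SAMPLE_IDS.index(i)) for i in wanted]}
    return {"errors": [{"code": 404, "message": f"no route {method} {path}"}], "resources": []}


if __name__ == "__main__":
    for r in pull_reports(fake_request, build_filter()):
        print(r["detection_id"], r["hostname"], r["severity"], r["ips"], r["scenarios"])
```

The page size is deliberately tiny so the stub exercises the paging loop; in production raise it, keep the empty-page guard, and log the errors array rather than discarding it, since that is where the API reports an expired or under-scoped credential.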

How to find your Crowdstrike Falcon Detect API keys

  1. In the Crowdstrike portal, navigate to API Clients and Keys.
  2. If you do not already have an API client with the scopes below, click Add new API client.
  3. Enter a Client Name and select the Detections and Incidents API scopes under the Read column. Read access is all this source needs; do not grant Write.
  4. Copy the Client ID and Secret (the secret is displayed only when the client is created) and use them to subscribe to the Crowdstrike Falcon Detect Marketplace source.

Crowdstrike Falcon Intelligence

This document explains how to set up Crowdstrike Falcon Intelligence in the Splunk Intelligence Management platform.

CrowdStrike Falcon Intelligence provides security teams with complete analysis and insights into the TTPs of adversary groups — allowing security professionals to diagnose and respond to incidents now, while more efficiently planning for events in the future — and preventing damage from advanced malware and targeted attacks.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • All Observables supported by Splunk Intelligence Management

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Intelligence.
  • Crowdstrike API ID and API key for the reports API.
  • Splunk Intelligence Management Admin rights are required to activate this premium intelligence source.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Premium Intel.
  4. Click Subscribe on the Crowdstrike Falcon Intelligence box.
  5. Enter your API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Find your Crowdstrike Falcon Intelligence API keys

  1. In the Crowdstrike portal, navigate to API Clients and Keys.
  2. If you do not already have an API client with the scopes below, select Add new API client.
  3. Enter a Client Name and select the Read permission for each of the following API scopes. The four Falcon X scopes offer Read only; on the remaining scopes grant Write only if the subscription form asks for it, since this source only pulls intelligence from Falcon.
     • Detections
     • Hosts
     • Actors (Falcon X)
     • Indicators (Falcon X)
     • Reports (Falcon X)
     • Rules (Falcon X)
     • Host Groups
     • Incidents
     • Installation Tokens
     • Indicators of Compromise (IOCs)
     • Prevention Policies
  4. Copy the Client ID and Secret (the secret is displayed only when the client is created) and subscribe to the Crowdstrike Falcon Intelligence Marketplace source.

Crowdstrike Falcon Reports

This document explains how to set up the Crowdstrike Falcon Reports premium intelligence source in the Splunk Intelligence Management platform.

Leveraging artificial intelligence, the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

  • All Observables supported by Splunk Intelligence Management

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Intelligence Reports.
  • Crowdstrike API ID and API key for the reports API.
  • Splunk Intelligence Management Admin rights are required to activate this premium intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the Crowdstrike Falcon Reports box.
  5. Enter your API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

How to find your Crowdstrike Falcon Report API keys

  1. In the Crowdstrike portal, navigate to API Clients and Keys.
  2. If you do not already have an API client with the scopes below, select Add new API client.
  3. Enter a Client Name and select the Read permission for each of the following API scopes. The four Falcon X scopes offer Read only; on the remaining scopes grant Write only if the subscription form asks for it, since this source only pulls intelligence from Falcon.
     • Detections
     • Hosts
     • Actors (Falcon X)
     • Indicators (Falcon X)
     • Reports (Falcon X)
     • Rules (Falcon X)
     • Host Groups
     • Incidents
     • Installation Tokens
     • Indicators of Compromise (IOCs)
     • Prevention Policies
  4. Copy the Client ID and Secret (the secret is displayed only when the client is created) and subscribe to the Crowdstrike Falcon Reports Marketplace source.
Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current