Other intelligence sources
The following intelligence sources are also supported by Splunk Intelligence Management:
- AWS GuardDuty
- Custom TAXII Client A, B, C
- Cybersource
- MISP
AWS GuardDuty
This Splunk Intelligence Management integration for Amazon Web Services (AWS) is an AWS Lambda function that is triggered automatically every time a GuardDuty finding is generated. It converts the finding into a Splunk Intelligence Management Intelligence Report and submits it to a private Splunk Intelligence Management Enclave.
Features
- Sends GuardDuty findings, delivered as CloudWatch events, into a Splunk Intelligence Management enclave for enrichment and triage. See the GuardDuty and Splunk Intelligence Management integration demo video for more information.
Requirements
- An AWS account with GuardDuty enabled and permission to create and configure Lambda functions and CloudWatch Events rules.
Installation
Download the AWS GuardDuty App Bundle (GD-Station-Lambda.zip) to install the Splunk Intelligence Management AWS GuardDuty integration manually. The bundle contains the Lambda function code that is triggered by GuardDuty finding events.
Setup and Configuration
- Navigate to Lambda > Create Function to begin creating the Lambda function.
- Fill out the details:
- Name: Unique name to identify Lambda function
- Runtime: Select Python 3.7
- Role: Select an execution role that can write to Amazon CloudWatch Logs. The finding arrives inside the invocation event, so the function needs no GuardDuty permissions of its own; keep the role to logging only.
- Click Create function.
- Select Upload a zip file in Function code and upload the GD-Station-Lambda.zip bundle.
- Enter the environment variables:
- API_KEY: Splunk Intelligence Management API Key (see Finding Your API Key)
- API_SECRET: Splunk Intelligence Management API Secret (see Finding Your API Secret)
- ENCLAVE_ID: Splunk Intelligence Management Enclave ID (look up Enclave IDs in the Web App)
API_KEY and API_SECRET are credentials for your Splunk Intelligence Management account. Anyone who can read the function's configuration can read them, so restrict lambda:GetFunctionConfiguration on this function and consider encrypting the variables with a customer managed KMS key.
- Set Timeout to 3 minutes and Memory to 128 MB.
- Set Reserved concurrency to 5.
- Click Save to save the changes.
Creating a CloudWatch Event Rule
- Navigate to Services > Management Tools > CloudWatch.
- Click Rules > Create Rule. For the event source, choose Event Pattern with service GuardDuty and event type GuardDuty Finding; this matches events whose source is aws.guardduty and whose detail-type is "GuardDuty Finding", as in the sample below.
- Add a Target and select the Lambda function.
- Click Configure Details.
- Enter a name and description for the rule and click Create rule.
Sample JSON Event
This is what a typical GuardDuty finding looks like as a CloudWatch event. This is the event the Lambda function receives and converts into an Intelligence Report before submitting it to Splunk Intelligence Management.
{
  "version": "0",
  "id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "99afba5c5c43e07c9e3e5e2e544e95df",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
    "type": "99:EC2/Stateless.IntegTest",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-05746eb48123455e0",
        "instanceType": "t2.micro",
        "launchTime": 1492735675000,
        "productCodes": [],
        "networkInterfaces": [
          {
            "ipv6Addresses": [],
            "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
            "privateIpAddress": "172.31.36.156",
            "privateIpAddresses": [
              {
                "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
                "privateIpAddress": "172.31.36.156"
              }
            ],
            "subnetId": "subnet-d58b7123",
            "vpcId": "vpc-34865123",
            "securityGroups": [
              {
                "groupName": "launch-wizard-1",
                "groupId": "sg-9918a123"
              }
            ],
            "publicDnsName": "ec2-11-111-111-1.us-east-1.compute.amazonaws.com",
            "publicIp": "11.111.111.1"
          }
        ],
        "tags": [
          {
            "key": "Name",
            "value": "ssh-22-open"
          }
        ],
        "instanceState": "running",
        "availabilityZone": "us-east-1b",
        "imageId": "ami-4836a123",
        "imageDescription": "Amazon Linux AMI 2017.03.0.20170417 x86_64 HVM GP2"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "3caf4e0aaa46ce4ccbcef949a8785353",
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {
            "ipAddressV4": "198.51.100.0",
            "organization": {
              "asn": -1,
              "isp": "GeneratedFindingISP",
              "org": "GeneratedFindingORG"
            },
            "country": {
              "countryName": "United States"
            },
            "city": {
              "cityName": "GeneratedFindingCityName"
            },
            "geoLocation": {
              "lat": 0,
              "lon": 0
            }
          },
          "remotePortDetails": {
            "port": 22,
            "portName": "SSH"
          },
          "localPortDetails": {
            "port": 2000,
            "portName": "Unknown"
          },
          "protocol": "TCP",
          "blocked": false
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "unusualProtocol": "UDP",
        "threatListName": "GeneratedFindingCustomerListName",
        "unusual": 22
      },
      "eventFirstSeen": "2017-10-31T23:16:23Z",
      "eventLastSeen": "2017-10-31T23:16:23Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2017-10-31T23:16:23.824Z",
    "updatedAt": "2017-10-31T23:16:23.824Z",
    "title": "99:EC2/Stateless.IntegTest",
    "description": "99:EC2/Stateless.IntegTest"
  }
}
Custom TAXII Client A, B, C
Splunk Intelligence Management's TAXII Client offers a convenient way to ingest intelligence from other TAXII services into enclaves in the Splunk Intelligence Management platform. This lets users normalize intelligence from STIX/TAXII-capable tools and use high-fidelity indicators within workflow tools.
- Source Type: Premium Intel
- Update Type: Feed-style
- Update Frequency: 15 minutes
- Setup time: 10 minutes
Observables Supported
- All Observables supported by Splunk Intelligence Management.
Requirements
- The third-party TAXII server must support these protocol versions:
- TAXII V1.2
- STIX V1.2
- Splunk Intelligence Management User Permissions: Company Administrator role
Getting Started
- Log into the Splunk Intelligence Management Web App.
- Click the Marketplace icon on the left side icon list.
- Click Premium Intel to view the feeds available.
- Click Subscribe on the "TAXII Client A" box.
- Enter the information requested and click Save Credentials & Request Subscription. Use the following to complete the fields of the TAXII client configuration dialog:
- TAXII server url: the POLL URL of the TAXII server whose collections you want to poll. This is NOT the discovery URL, NOT the base URL and NOT the collections URL.
- API Username: username used to authenticate to the TAXII server.
- API Password: password used to authenticate to the TAXII server.
- PEM File Contents (optional, rare): some TAXII servers require a .pem certificate/key for client authentication. Paste the PEM file contents into the field provided in the dialog box when subscribing or configuring. See the PEM File Format Sample.
- Collections: comma-separated list of the TAXII server collections whose content you want submitted into Splunk Intelligence Management.
Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.
To connect to a second TAXII client, use the TAXII Client B tile in the Marketplace.
STIX 1.x -> Splunk Intelligence Management Reports Mapping
Understanding Splunk Intelligence Management's Data model
- Splunk Intelligence Management's data-model is Indicator-centric, shifting away from report-centric.
- Prior to August 2020, Custom TAXII Client put each entire STIX package in a Splunk Intelligence Management Report Body.
- In August 2020, Custom TAXII Client was updated to create 1 Splunk Intelligence Management Report for each STIX Indicator and each STIX Observable in a given STIX package, to conform to Splunk Intelligence Management's new (as of Aug 2020) Indicator-centric datamodel.
- In late 2021 / early 2022, Custom TAXII Client will be updated to submit indicators into Splunk Intelligence Management's "structured ingest" API ( submit-indicators 2.0 ).
- With the current Custom TAXII Client:
- the observable and indicator values from your TAXII collections' STIX packages all end up in Splunk KV stores (or your detection tool of choice) for detection.
- the context found in the STIX Indicator and/or STIX Observable is pulled into enrichment comments in investigation and case-management tools by Splunk Intelligence Management's case-management tool integrations.
The Mapping
Custom TAXII Client creates one Splunk Intelligence Management report for each of the following:
- every STIX Indicator object in the STIX package's Indicators array.
- every CybOX Observable in the package's Observables array.
A Splunk Intelligence Management Report about a STIX Indicator will include:
- Splunk Intelligence Management Report Title = STIX Indicator Title or description.
- Splunk Intelligence Management Report External ID = base64(concatenate(STIX Pkg ID + STIX Indicator ID + Enclave ID))
- Splunk Intelligence Management Report Body contains a dict:
{
    'indicator_id': <STIX Indicator ID>,
    'indicator_title': <STIX Indicator Title or Description>,
    'indicator_type': <STIX Indicator.indicator_types[0].value>,
    'indicator_confidence': <STIX Indicator.confidence.value.value>,
    'indicator_producer': <STIX Indicator.producer.identity.name>,
    'indicator_timestamp': <STIX Indicator.timestamp or STIX Indicator.producer.time.produced_time.value>,
    'indicator_tlp_color': <STIX Indicator.handling.marking[0].marking_structures[0].color>,
    'observable': <STIX Indicator.observable.to_dict()>
}
A Splunk Intelligence Management Report about a STIX (CYBOX) Observable includes the following:
- Splunk Intelligence Management Report Title = STIX Observable Title or description.
- Splunk Intelligence Management Report External ID = base64(concatenate(STIX Pkg ID + STIX Observable ID + Enclave ID))
- Splunk Intelligence Management Report Body contains a dict:
{
    'observable_id': <STIX Observable ID>,
    'observable_title': <STIX Observable.title or STIX Observable.description>,
    'observable_object': <STIX Observable.to_dict()>
}
Cybersource
This document describes how to set up the Cybersource premium intelligence source in the Splunk Intelligence Management platform.
Cybersource Decision Manager, a VISA solution, helps you optimize your fraud processes through Real-Time Fusion Modeling technology that blends multiple advanced machine learning methods for accurate scoring.
- Source Type: Premium Intel
- Update Type: Query-based
- Time to Install: 10 minutes
Observables Supported
- Domain
- Email Address
- IP
- URL
Requirements
- A subscription to Cybersource, a Visa Solution
- Cybersource API Key
- Cybersource API Secret
- Cybersource Merchant ID
- Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.
Getting Started
- Log into the Splunk Intelligence Management Web App.
- Click the Marketplace icon on the left side navigation bar.
- Choose Premium Intel.
- Click Subscribe on the Cybersource box.
- Enter your Cybersource credentials and click Save Credentials & Request Subscription.
Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.
MISP
This document explains how to set up and use the MISP premium intelligence source in the Splunk Intelligence Management platform.
MISP is a threat intelligence platform for gathering, sharing, storing and correlating IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
- Source Type: Premium Intel
- Update Type: Feed-based
- Update Frequency: 15 minutes
- Time to Install: 10 minutes
Observables Supported
- All observables supported by Splunk Intelligence Management.
Requirements
- Your MISP Server URL
- MISP Authentication Key
- Versions supported: 2.4.93 - 2.4.127
- Splunk Intelligence Management Admin rights are required to activate this Premium Intel feed.
Getting Started
After you have retrieved your MISP server URL and authentication key, follow these steps:
- Log into the Splunk Intelligence Management Web App.
- Click the Marketplace icon on the left side icon list.
- Click Premium Intel to view the feeds available.
- Click Subscribe on the MISP box.
- Enter your MISP server URL and authentication key and click Save Credentials & Request Subscription.
Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current