Splunk® Intelligence Management (Legacy)

User Guide

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Other intelligence sources

The following intelligence sources are also supported by Splunk Intelligence Management:

  • AWS GuardDuty
  • Custom TAXII Client A, B, C
  • Cybersource
  • MISP

AWS GuardDuty

This Splunk Intelligence Management integration for Amazon Web Services (AWS) is an AWS Lambda function that is automatically triggered every time a AWS Guard Duty Finding is fired. It converts the Finding into a Splunk Intelligence Management Intelligence Report and submits it to a private Splunk Intelligence Management Enclave.

Features

Requirements

  • AWS Instance with access to Guard Duty and access to configure Lamda functions.

Installation

Download the AWS Guard Duty App Bundle (GD-Station-Lambda.zip) to manually install the Splunk Intelligence Management AWS Guard integration. The bundle contains the lambda functions that you need to trigger Guard Duty events.

Setup and Configuration

  1. Navigate to Lambda > Create Function to begin creating the Lamda function.
  2. Fill out the details:
    • Name: Unique name to identify Lambda function
    • Runtime: Select Python 3.7
    • Role: Select a role which has access to "AWS CloudWatch Logs"
  3. Click Create function.
  4. Select Upload a zip file in Function code and upload the GD-Station-Lambda.zip bundle.
  5. Enter the environment variables:
    • API_KEY – Splunk Intelligence Management API Key (Finding Your API Key)
    • API_SECRET – Splunk Intelligence Management API Secret (Finding Your API Secret)
    • ENCLAVE_ID – Splunk Intelligence Management Enclave ID (Look up Enclave IDs in the Web App)
  6. Change the timeout to 3 mins and the memory (MB) to 128 MB
  7. Change the reserve concurrency to 5
  8. Click Save to save the changes.

Creating a CloudWatch Event Rule

  1. Navigate to Services > Management Tools > Cloud Watch.
  2. Click Rules > Create Rule and choose the details you want for the rule.
  3. Add the Target and select the Lambda function.
  4. Click Configure Details.
  5. Add the name of the configure rule details and click Create rule.


Sample JSON Event

This is what a typical event in JSON format looks like when it is submitted to Splunk Intelligence Management as an Intel Report.

{
  "version": "0",
  "id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "99afba5c5c43e07c9e3e5e2e544e95df",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
    "type": "99:EC2/Stateless.IntegTest",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-05746eb48123455e0",
        "instanceType": "t2.micro",
        "launchTime": 1492735675000,
        "productCodes": [],
        "networkInterfaces": [
          {
            "ipv6Addresses": [],
            "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
            "privateIpAddress": "172.31.36.156",
            "privateIpAddresses": [
              {
                "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
                "privateIpAddress": "172.31.36.156"
              }
            ],
            "subnetId": "subnet-d58b7123",
            "vpcId": "vpc-34865123",
            "securityGroups": [
              {
                "groupName": "launch-wizard-1",
                "groupId": "sg-9918a123"
              }
            ],
            "publicDnsName": "ec2-11-111-111-1.us-east-1.compute.amazonaws.com",
            "publicIp": "11.111.111.1"
          }
        ],
        "tags": [
          {
            "key": "Name",
            "value": "ssh-22-open"
          }
        ],
        "instanceState": "running",
        "availabilityZone": "us-east-1b",
        "imageId": "ami-4836a123",
        "imageDescription": "Amazon Linux AMI 2017.03.0.20170417 x86_64 HVM GP2"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "3caf4e0aaa46ce4ccbcef949a8785353",
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {
            "ipAddressV4": "198.51.100.0",
            "organization": {
              "asn": -1,
              "isp": "GeneratedFindingISP",
              "org": "GeneratedFindingORG"
            },
            "country": {
              "countryName": "United States"
            },
            "city": {
              "cityName": "GeneratedFindingCityName"
            },
            "geoLocation": {
              "lat": 0,
              "lon": 0
            }
          },
          "remotePortDetails": {
            "port": 22,
            "portName": "SSH"
          },
          "localPortDetails": {
            "port": 2000,
            "portName": "Unknown"
          },
          "protocol": "TCP",
          "blocked": false
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "unusualProtocol": "UDP",
        "threatListName": "GeneratedFindingCustomerListName",
        "unusual": 22
      },
      "eventFirstSeen": "2017-10-31T23:16:23Z",
      "eventLastSeen": "2017-10-31T23:16:23Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2017-10-31T23:16:23.824Z",
    "updatedAt": "2017-10-31T23:16:23.824Z",
    "title": "99:EC2/Stateless.IntegTest",
    "description": "99:EC2/Stateless.IntegTest"
  }
}

Custom TAXII Client A, B, C

Splunk Intelligence Management's TAXII Client offers users a convenient method to ingest intelligence from other TAXII services into enclaves into the Splunk Intelligence Management Platform. This enables users to normalize intelligence from STIX-TAXII supported tools and leverage high-fidelity Indicators within workflow tools.

Source Type Premium Intel
Update Type Feed-style
  • will poll collections
  • will not query TAXII servers for enrichment about specific indications
Update Frequency 15 mins
Setup time 10 mins

Observables Supported

  • All Observables supported by Splunk Intelligence Management.

Requirements

  • 3d-party TAXII Server must support these protocol versions:
  • TAXII V1.2
  • STIX V1.2
  • Splunk Intelligence Management User Permissions: Company Administrator role

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel to view the feeds available.
  4. Click Subscribe on the "TAXII Client A" box.
  5. Enter the information requested and click Save Credentials & Request Subscription. Use the information in the table to complete the tiles to configure the TAXII client:
    Tile Description
    TAXII server url POLL URL of the TAXII server you want to connect to poll collections from.
    • NOT the discovery URL.
    • NOT the base URL.
    • NOT the collections URL.
    API Username Username for the TAXII server to connect.
    API Password Password for the TAXII server to connect.
    PEM File Contents (optional, rare) Some TAXII servers require .pem keys for authentication. You'll paste your PEM file contents into the field provided in the dialog box when subscribing / configuring. PEM File Format Sample.
    Collections Comma-separated list of the TAXII server collections you want submitted into Splunk Intelligence Management.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

To connect to a second TAXII client, use the TAXII Client B tile in the Marketplace.

STIX 1.x -> Splunk Intelligence Management Reports Mapping

Understanding Splunk Intelligence Management's Data model

  • Splunk Intelligence Management's data-model is Indicator-centric, shifting away from report-centric.
  • Prior to August 2020, Custom TAXII Client put each entire STIX package in a Splunk Intelligence Management Report Body.
  • In August 2020, Custom TAXII Client was updated to create 1 Splunk Intelligence Management Report for each STIX Indicator and each STIX Observable in a given STIX package, to conform to Splunk Intelligence Management's new (as of Aug 2020) Indicator-centric datamodel.
  • In late 2021 / early 2022, Custom TAXII Client will be updated to submit indicators into Splunk Intelligence Management's "structured ingest" API ( submit-indicators 2.0 ).
  • With the current Custom TAXII Client....:
    • the observable / indicator values from your TAXII collections' STIX packages will all end up in Splunk kvstores (or your detection tool of choice) for detection.
    • the context found in the STIX Indicator and/or STIX Observable will be pulled into enrichment comments in investigation / case-management tools by Splunk Intelligence Management's case-management tool integrations.

The Mapping

Custom TAXII client creates 1 Splunk Intelligence Management report for ALL of these:

  • every STIX Indicator objects in the STIX package's "Indicators" array.
  • every CYBOX Observable in the package's "Observables" array.

A Splunk Intelligence Management Report about a STIX Indicator will include:

  • Splunk Intelligence Management Report Title = STIX Indicator Title or description.
  • Splunk Intelligence Management Report External ID = base64(concatenate(STIX Pkg ID + STIX Indicator ID + Enclave ID))
  • Splunk Intelligence Management Report Body contains a Dict:
    { 
        'indicator_id':           <STIX Indicator ID>,
        'indicator_title':        <STIX Indicator Title or Description>, 
        'indicator_type':         <STIX Indicator.indicator_types[0].value>,
        'indicator_confidence':   <STIX Indicator.confidence.value.value>,
        'indicator_producer':     <STIX Indicator.producer.identity.name>,
        'indicator_timestamp':    <STIX Indicator.timestamp or STIX Indicator.producer.time.produced_time.value>,
         'indicator_tlp_color':   <STIX Indicator.handling.marking[0].marking_structures[0].color,
         'observable':            <STIX Indicator.observable.to_dict()>   
    }
    

A Splunk Intelligence Management Report about a STIX (CYBOX) Observable includes the following:

  • Splunk Intelligence Management Report Title = STIX Observable Title or description.
  • Splunk Intelligence Management Report External ID = base64(concatenate(STIX Pkg ID + STIX Observable ID + Enclave ID))
  • Splunk Intelligence Management Report Body contains a Dict:
    { 
        'observable_id':      <STIX Observable ID>, 
        'observable_title':   <STIX Observable.tltle or STIX Observable.description>, 
        'observable_object':  <STIX Observable.to_dict()> 
    }
    

Cybersource

This document describes how to set up the Cybersource premium intelligence source in the Splunk Intelligence Management platform.

Cybersource Decision Manager, a VISA solution, helps you optimize your fraud processes through Real-Time Fusion Modeling technology that blends multiple advanced machine learning methods for accurate scoring.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Observables Supported

  • Domain
  • Email Address
  • IP
  • URL

Requirements

  • A subscription to Cybersource, a Visa Solution
  • Cybersource API Key
  • Cybersource API Secret
  • Cybersource Merchant ID
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side navigation bar.
  3. Choose Premium Intel.
  4. Click Subscribe on the Cybersource box.
  5. Enter your Cybersource credentials and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

MISP

This document explains how to set up and use the MISP premium intelligence source in the Splunk Intelligence Management platform.

MISP is a threat intelligence platform for gathering, sharing, storing and correlating IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Observables Supported

  • All observables supported by Splunk Intelligence Management.

Requirements

  • Your MISP Server URL
  • MISP Authentication Key
  • Versions supported: 2.4.93 - 2.4.127
  • Splunk Intelligence Management Admin rights are required to activate this Premium Intel feed.

Getting Started

After you have retrieved your MISP URL and Auth Keys follow these steps:

  1. Log into the Splunk Intelligence Management Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel to view the feeds available.
  4. Click Subscribe on the MISP box.
  5. Enter your MISP API key and click Save Credentials & Request Subscription.

Splunk Intelligence Management will validate the integration within 48 hours and send an email when the integration has been enabled.

Last modified on 21 April, 2022
PREVIOUS
Trusted community intelligence sources
  NEXT
Malware intelligence sources

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters