Configure the Intel Exchange App
To enable threat intelligence ingestion and correlation, you must configure both Cyware Intel Exchange and Splunk. This includes creating a rule in Cyware Intel Exchange to expose indicator data, generating API credentials, and configuring the add-on in Splunk to collect and store indicators in KV Store lookups. Ensure that you have access to both Cyware Intel Exchange and Splunk Enterprise applications to configure them.
Compatibility Matrix
The Cyware Intel Exchange Add-on for Splunk is supported on the following environments. Ensure that your Splunk deployment meets these requirements before installing or upgrading the add-on.
| Component | Supported Versions/Platforms |
|---|---|
| Splunk Enterprise Version | 10.2.x, 10.0.x, 9.4.x, 9.3.x |
| Splunk CIM Version | 6.x.x |
| Supported Splunk Deployment | Splunk Cloud, Splunk Standalone, Distributed Deployment |
| Operating System | Platform Independent |
| Browser Versions | Google Chrome, Mozilla Firefox |
Before configuring the Intel Exchange App in Splunk, configure the required rules and generate API credentials in Cyware Intel Exchange. These configurations define the indicator data that Splunk retrieves and enable secure authentication between Intel Exchange and Splunk.
Create a Rule in Intel Exchange to Poll Threat Intel in Splunk
To enable Splunk to retrieve threat intelligence from Intel Exchange, you must create a rule that collects and stores the relevant indicator data. This rule uses the Save Result Set V3 action to generate a result set containing the indicators that the Splunk add-on can poll through the Intel Exchange API.
Before you Start
Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in Intel Exchange.
Steps
To create a rule, use the following information:
Sign in to Intel Exchange.
From the Main Menu, select Rules under Actions.
Enter a title for the rule and click Add.
Define the source and collections for the rule to poll data for Splunk.
Define the condition based on which the rule is triggered. For more information about defining sources, collections, and conditions, see Automation Rules.
To define the action, use the following information:
Action: Select Save Result Set V3 as the action from the drop-down menu. The Save Result Set V3 action stores data from the Intel Exchange application and acts as a collection from which Splunk can poll data.
Application: Select CTIX as the application to implement the rule.
Account: Select an account to identify the instance to run the rule.
TLP Version: Select a TLP version to implement the rule.
Tags: Select tags to associate with indicators. You can use the same tag while configuring inputs in Splunk to retrieve these indicators.
Click Save.
Generate API Credentials in Intel Exchange
The Splunk add-on requires API credentials to securely authenticate with Intel Exchange and retrieve indicator data. Generate an Access ID and Secret Key in Intel Exchange to allow the add-on to establish a trusted connection with your Intel Exchange tenant.
Before you Start
Ensure that you have Create and Update permissions for CTIX Integrators.
Steps
To generate the API credentials, follow these steps:
Sign in to Intel Exchange.
Go to Administration > Integration Management, and select CTIX Integrators under THIRD PARTY DEVELOPERS.
Click Add New and use the following information:
Name: Enter a unique name for the API credentials.
Description: Enter key details in the description for the API integration.
Expiry Date: Select an expiry date for the open API keys. Select Expires On and choose a date to apply an expiration date to the credentials, or select Never Expire to keep the credentials valid indefinitely.
Click Add New.
Click Download to download the API credentials in CSV format. You can also click Copy to copy the endpoint URL, secret key, and access ID.
Important
Download the API credentials now, because you cannot recover them later.
Install the Cyware Intel Exchange add-on in Splunk to enable ingestion, storage, and correlation of indicators within your Splunk environment. You can install the add-on from the Splunk app catalog by navigating to Apps and searching for Cyware Intel Exchange, or by uploading the installation package.
Steps
To upload the installation package, follow these steps:
Log in to Splunk Web.
Go to Apps > Manage Apps and click Install app from file.
Click Choose File and select the Cyware Intel Exchange installation package (.spl file).
Click Upload. Restart Splunk if prompted.
Alternatively, you can manually extract the installation package (.spl or .tar) into the following directory: $SPLUNK_HOME/etc/apps/
After installing the Cyware Intel Exchange add-on, configure it to connect to your Intel Exchange tenant and define how threat intelligence data is retrieved, stored, and correlated within Splunk.
Before you Start
Ensure that you have the Splunk Common Information Model (CIM) Add-on. This is required to match indicators with the CIM data model events.
Ensure that you have the Splunk Enterprise Security Add-on. This is required to generate and view notable events for correlated indicators.
Ensure that you have the Cyware Intel Exchange instance details, which include Base URL, Access ID, and Secret Key.
Before Splunk can retrieve threat intelligence from Cyware Intel Exchange, you must configure an account in the app. The account configuration stores the connection details required for Splunk to authenticate and communicate with Intel Exchange. You can add multiple accounts and manage them.
Steps
To add an account, follow these steps:
From Apps, go to Cyware Intel Exchange > Configuration > Account.
Click Add and use the following information:
Name: Enter a unique name to identify the Intel Exchange account in Splunk.
Base URL: Enter the base URL of your Intel Exchange instance. This is equivalent to the endpoint URL you generated in the Intel Exchange platform.
Access ID: Enter the access ID generated in Intel Exchange.
Secret Key: Enter the secret key associated with the access ID.
For more information about generating Intel Exchange API credentials, see Generate API Credentials in Intel Exchange.
Click Add. After the account is added, it appears in the Configuration list and is available while creating inputs.
Configure proxy settings if your Splunk environment requires outbound connections to external services to pass through a proxy server. When enabled, the Cyware Intel Exchange add-on routes API requests to Intel Exchange through the configured proxy.
Steps
To configure a proxy, follow these steps:
In Configuration, go to Proxy.
Use the following information:
Enable: Select the Enable checkbox to activate proxy configuration. This is mandatory for the proxy configuration to take effect.
Proxy Type: Select the proxy protocol for outbound connections. By default, http is selected.
Host: Enter the hostname or IP address of the proxy server.
Port: Enter the port number used by the proxy server.
Username: Enter the username for proxy authentication.
Password: Enter the password for proxy authentication.
Remote DNS resolution: Select this checkbox to resolve DNS through the proxy server instead of resolving it locally.
Click Save. The proxy configuration is saved and used for outbound connections.
Configure the logging level for the Cyware Intel Exchange add-on to monitor the add-on's activity and capture additional details for troubleshooting.
Steps
To configure logging settings, follow these steps:
In Configuration, go to Logging.
Use the following information:
Log Level: Select the logging level from the drop-down list. The selected level determines the amount of information recorded in the logs. You can select from the following options:
INFO: Records general operational information about data collection, such as when operations start and complete.
DEBUG: Records detailed diagnostic information for data collection, including request payloads, execution details, and pagination information.
WARNING: Records potential issues encountered during data collection that do not interrupt execution.
ERROR: Records errors related to configuration, connectivity, or data collection operations.
CRITICAL: Records severe failures that may impact the add-on’s ability to collect data.
Enable Debug Log Ingestion: Select this checkbox to ingest request and response details into the configured Splunk index for debugging and troubleshooting.
Click Save. After saving, the updated logging settings are applied to the Cyware Intel Exchange add-on.
Configure the Splunk connection details required for storing lookup data in the KV Store.
Steps
To configure the Splunk KV Store settings, follow these steps:
In Configuration, go to Splunk KVStore Rest.
Use the following information:
Splunk Username: Enter the username used to authenticate with the Splunk instance.
Splunk Password: Enter the password associated with the Splunk user account.
Splunk Rest Host URL: Enter the hostname or IP address of the Splunk instance. The default value is localhost.
Port: Enter the port used by the Splunk management interface. The default port is 8089.
Note
If the Cyware Intel Exchange app is installed on the local Splunk instance, you typically do not need to modify these settings. Ensure that Splunk Rest Host URL is set to localhost and Port is set to 8089.
If you are using a cluster or distributed environment, ensure that all fields are configured correctly and that port 8089 is open for storing lookups.
Click Save.
Configure how indicators ingested from Cyware Intel Exchange are matched with events in Splunk. Correlation helps identify when Intel Exchange indicators appear in your event data.
You can configure correlation using one of the following methods:
Raw Search
Datamodel Search
Note
You cannot enable both Raw Search and Datamodel Search at the same time. When you change the correlation method, any previously enabled saved search is automatically disabled, and a new saved search is created using the updated configuration.
Configure Correlation Using Raw Search
Use Raw Search to correlate Intel Exchange indicators directly with Splunk events using a custom search query and field mappings.
Steps
To configure using raw search, follow these steps:
In Configuration, go to Correlation Settings.
Configure the following settings:
Enabled Indicator Types: Select one or more indicator types that you want to include in correlation searches. For example, Domain, Email.
Search Matching Algorithm: Select Raw Search to perform correlation using a custom Splunk search query.
<Indicator Type>: Target Query: Specify the Splunk search query that will be used to search event data for indicator matches.
Note
The default Target Query for all indicator types is index=main sourcetype!=ctix.
<Indicator Type>: Target Fields: Specify the event fields that should be checked for matches with Intel Exchange indicators.
Note
For more information about default values for target fields, see Default Target Fields for Indicator Types.
Click Save.
Default Target Fields for Indicator Types
| Indicator Type | Default Target Fields |
|---|---|
| Autonomous System | as_number, as_name |
| Domain Name | domain, src, dest |
| Email | email, from, to |
| File | filename, hash |
| IPv4 | ip, src, dest |
| IPv6 | domain, src, dest |
| Network Traffic | src_ip, dest_ip, src_port, dest_port |
| URL | url, domain |
| Windows Registry Key | registry_key, registry_value |
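As an added illustration that is not the add-on's own code, the following Python models how Raw Search correlation applies the default Target Query (index=main sourcetype!=ctix) and the Default Target Fields table to events: for each enabled indicator type, every target field of an in-scope event is compared against the ingested indicators of that type. The sample events and indicators are constructed, and the case-insensitive comparison is an assumption of this model.

```python
# Default Target Fields per indicator type, as listed in the table above.
DEFAULT_TARGET_FIELDS = {
    "Autonomous System": ("as_number", "as_name"),
    "Domain Name": ("domain", "src", "dest"),
    "Email": ("email", "from", "to"),
    "File": ("filename", "hash"),
    "IPv4": ("ip", "src", "dest"),
    "IPv6": ("domain", "src", "dest"),
    "Network Traffic": ("src_ip", "dest_ip", "src_port", "dest_port"),
    "URL": ("url", "domain"),
    "Windows Registry Key": ("registry_key", "registry_value"),
}

def in_target_query(event):
    """Model of the default Target Query `index=main sourcetype!=ctix`:
    keep events in index main that are not the add-on's own ctix sourcetype."""
    return event.get("index") == "main" and event.get("sourcetype") != "ctix"

def correlate(events, indicators, enabled_types):
    """Return (event_id, indicator_type, field, value) for each target field of
    an in-scope event whose value equals an indicator of an enabled type.
    Case-insensitive matching is an assumption of this model, not the add-on."""
    wanted = {t: {v.lower() for v in vals}
              for t, vals in indicators.items() if t in enabled_types}
    hits = []
    for ev in events:
        if not in_target_query(ev):
            continue
        for itype, values in wanted.items():
            for field in DEFAULT_TARGET_FIELDS[itype]:
                val = ev.get(field)
                if val is not None and str(val).lower() in values:
                    hits.append((ev["id"], itype, field, val))
    return hits

# Constructed indicators keyed by indicator type (documentation example values).
SAMPLE_INDICATORS = {
    "Domain Name": {"malicious.example"},
    "IPv4": {"203.0.113.10"},
    "File": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# Constructed events; field names follow the Default Target Fields table.
SAMPLE_EVENTS = [
    {"id": 1, "index": "main", "sourcetype": "proxy", "dest": "malicious.example"},
    {"id": 2, "index": "main", "sourcetype": "ctix", "dest": "malicious.example"},  # excluded by query
    {"id": 3, "index": "main", "sourcetype": "firewall", "src": "203.0.113.10", "dest": "198.51.100.7"},
    {"id": 4, "index": "security", "sourcetype": "firewall", "src": "203.0.113.10"},  # wrong index
    {"id": 5, "index": "main", "sourcetype": "edr", "hash": "D41D8CD98F00B204E9800998ECF8427E"},
]
```

Event 2 is dropped by the sourcetype!=ctix clause and event 4 by index=main, so only events 1, 3 and (when the File type is enabled) 5 produce hits.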
Configure Correlation Using Datamodel Search
Use Datamodel Search to correlate Intel Exchange indicators using a Splunk data model.
Steps
To configure using the datamodel search, follow these steps:
In Configuration, go to Correlation Settings.
Configure the following settings:
Enabled Indicator Types: Select the Intel Exchange indicator types that you want to include in correlation searches.
Search Matching Algorithm: Select Datamodel Search to perform correlation using a Splunk data model.
Select Datamodels: Select the Splunk data model that should be used for correlation searches.
Click Save.
Create and manage modular inputs for the Cyware Intel Exchange add-on. A modular input defines how Splunk retrieves threat intelligence data from Intel Exchange, including the account to use, the polling interval, and ingestion settings.
Create Input
Create a new input to configure how the add-on fetches indicators from the Intel Exchange platform.
Steps
To create a new modular input, follow these steps:
In Splunk Web, go to Cyware Intel Exchange > Inputs.
Click Create New Input and use the following information:
Name: Enter a unique name to identify the input configuration.
Interval: Specify the time interval (in minutes) for fetching data. The minimum supported value is five minutes.
Account: Select the Intel Exchange account from which the data will be retrieved.
Ingest to Index: Select this option to enable ingestion of the collected data into a Splunk index.
Index: Specify the Splunk index where the data should be ingested. This field is required only if Ingest to Index is enabled.
Lookback Days: Specify the number of past days from which indicators should be fetched during the initial data retrieval. The default value is 30 days. After the initial retrieval, the add-on automatically fetches new data based on the last successful ingestion.
Saved Result Set Tag: Enter comma-separated tags that correspond to the Saved Result Set rule action in Intel Exchange. For more information, see Create a Rule in Intel Exchange to Poll Threat Intel in Splunk.
Fetch Enriched Data: Select this option to retrieve enriched indicator data from Intel Exchange, including additional context such as attributes, relationships, and analysis results obtained from enrichment tools.
Click Save. After the input is created, the add-on begins retrieving data from Intel Exchange according to the configured interval.
Manage Inputs
You can manage existing modular inputs, including enabling, disabling, editing, cloning, or deleting an input.
Steps
To manage existing inputs, follow these steps:
In Splunk Web, go to Cyware Intel Exchange > Inputs.
Locate the input you want to manage and use the following information:
Enable/Disable: Use the Status toggle to enable or disable the input.
Edit: To edit an existing input, click Action > Edit, update the required parameters, and click Update.
Clone: To clone an input, click Action > Clone to create a new input using the same configuration.
Delete: To delete an input, click Action > Delete.