Configure CTIX App in Splunk
CTIX is available as an add-on in Splunk Enterprise and Splunk Cloud. The integration between Splunk and CTIX automates the correlation and enrichment of indicators from Splunk’s notable events. This helps threat intelligence analysts in the effective analysis and enrichment of threat indicators.
This integration with Splunk offers the following capabilities:
Poll threat indicators from CTIX to Splunk.
Configure multiple instances of input data details for polling and updating lookup tables based on tags and saved result sets created in the CTIX application. You can poll the complete data set if Saved Result Set tags are not specified.
Configure multiple instances of input data to add and store different input data in custom lookup tables.
Optionally store the request parameters and response data of each poll as logs in an index. The logs carry timestamps for the threat intel shared with or received by Splunk.
Store lookups in Key-Value (KV) store collections instead of CSV lookup files, which allows large volumes of frequently changing data to be stored.
Replace IOCs that already exist in the lookup table, so an IOC is never duplicated within the same lookup table.
After you configure the add-on, Splunk polls the indicator values from CTIX at the configured interval and writes them to the lookup table backed by the configured Key-Value (KV) store collection. The add-on settings hold a single CTIX instance (one Base URL and one set of API credentials); you can, however, create multiple inputs against that instance.
Note
The CTIX app for Splunk is compatible with Splunk Enterprise 3.0 and later.
Before you Start
Ensure that you have access to the CTIX and Splunk Enterprise applications.
Steps
Create a Rule in CTIX to Poll Threat Intel in Splunk
In CTIX, rules are automated tasks that can execute some actions on a trigger. Create a rule in the CTIX application with the Saved Result Set action to poll threat intel in Splunk.
Before you Start
Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in CTIX.
Steps
To create a rule, do the following:
Sign in to CTIX.
From Main Menu, select Rules under Actions.
Click New Rule.
Enter a title and key details about the rule as the rule description.
To easily identify and categorize components in CTIX, add tags.
Click Submit.
Define the source and collections for the rule to poll data for Splunk.
Define the condition based on which the rule is triggered.
For more information about defining sources, collections, and conditions, see Automation Rules.
Enter the following to define the action:
Select Save Result Set V3 as the action from the drop-down menu.
The Save Result Set V3 action stores data from the CTIX application and acts as a collection from where Splunk can poll data.
Select CTIX as the application from the drop-down menu.
Select an account to specify the application instance to run the rule.
Select tags to filter data in CTIX.
Click Save.
Generate API Credentials in CTIX
To integrate CTIX in Splunk Enterprise, you require the API credentials of CTIX.
To generate the API credentials in CTIX, do the following:
Sign in to CTIX.
From Administration, select Integration Management, and select CTIX Integrators under THIRD-PARTY DEVELOPERS.
Click Add New.
Enter a name to identify the API integration.
Enter key details in the description for the API integration.
Select an expiration date for the credentials.
CTIX assigns the default user to the credentials; you cannot change the associated user. API calls made with these credentials run with that user's permissions.
Click Generate.
The Access ID, Secret Key, and Endpoint URL values appear on the screen. Retain these values to configure CTIX in Splunk; you cannot view them again after you close this screen.
Click Download to save a CSV file of the credentials to your system. Treat the Secret Key like a password: keep it only in a password manager or secrets store, and delete the downloaded CSV once the Splunk configuration is complete.
Configure CTIX App in Splunk
Configure the CTIX application to poll threat intel in Splunk.
To configure the CTIX application in Splunk, do the following:
Sign in to Splunk Enterprise.
From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).
On the Configuration tab, select Add-on Settings.
Enter the Endpoint URL generated in CTIX as the Base URL.
Enter the Access ID and Secret Key values generated in CTIX.
Click Save.
Configure Input Data Details in Splunk
After you configure CTIX in Splunk, you must configure the input data to choose the information you want to poll from CTIX in Splunk.
To configure input data in Splunk, do the following:
Sign in to Splunk.
From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).
On Inputs, click Create New Input.
Enter a unique name for the data input.
Enter the polling interval, in seconds, at which Splunk polls threat intel from CTIX.
Select an index from the drop-down menu to store data in Splunk. An index is a repository that stores all the raw data in Splunk.
Enter the Saved Result Set tags you added while creating the rule in CTIX.
Enter the data fields to fetch threat intel from CTIX. You can choose from the following data fields:
ctix_id: Displays the unique ID of an indicator in CTIX.
indicator_type: Displays the type of an indicator.
indicator: Displays the value of an indicator.
indicator_url: Displays a URL to view the indicator on CTIX.
indicator_subtype: Displays the sub-type of an indicator.
is_deprecated: Displays true if an indicator is deprecated, else displays false.
score: Displays the score assigned to an indicator by an analyst.
is_false_positive: Displays true if an indicator is marked as a false positive, else displays false.
is_whitelisted: Displays true if an indicator is marked as an allowed indicator, else displays false.
created_timestamp: Displays the date and time an indicator was created in CTIX.
modified_timestamp: Displays the date and time an indicator was last modified in CTIX.
tags: Displays the tags defined on an indicator.
sources: Displays the list of sources that reported the indicator.
source_tlp: Displays the TLP assigned to an indicator.
source_score: Displays the confidence score of an indicator as reported by its source.
first_seen: Displays the date and time an indicator was first seen.
last_seen: Displays the date and time an indicator was last seen.
By default, Write to Index is set to False. Set Write to Index to True to enable debug mode, which writes the request parameters and response data of each poll to the selected index.
Note
Enable debug mode only temporarily, while you verify the requests and responses. The logged responses contain the polled indicator data, and everything written to the index is searchable by every Splunk user with access to that index.
Enter the KV store collection name to store the polled threat intel.
Click Add.
You can add multiple instances of input data details to segregate the threat intel coming from CTIX into different indexes.
Enrich Splunk Objects Using CTIX
After you configure CTIX and the data fields, Splunk polls threat intel from CTIX at the defined polling interval and makes it available for enriching threat data objects.
To view the polled CTIX threat intel, do the following:
Sign in to Splunk.
From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).
On Search, use the search bar to write a query to retrieve the polled threat intel. For example:
Enter | inputlookup <kvstore_collection_name> to retrieve threat intel from the selected KV store collection.
Enter index=<index name> sourcetype=ctix to retrieve threat intel from the selected index where the source is CTIX.
Enter | searchctix <ioc-value> to retrieve the enriched data of an indicator.
Select the timeframe of the polled threat intel from the drop-down menu.
Click the search icon or press the enter key on the keyboard.
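The following Python script is an added example and is not code from the Cyware CTIX add-on or from this page. It models what the input and the enrichment search do with the data fields listed above: polled records are loaded into a lookup keyed by indicator value so that an IOC already present is replaced rather than duplicated, and events are then matched against that lookup and tagged with CTIX context. Deprecated, false-positive and whitelisted indicators are still stored in the lookup, so the script also shows the filtering an alert search must apply before acting on a hit. The record values, the event shapes, the field names ctix_score, ctix_tags, ctix_sources, ctix_tlp and ctix_actionable, and the score threshold of 50 are all constructed for illustration.

```python
"""Model of the CTIX-to-Splunk lookup: replace-on-duplicate loading of polled
indicators, then enrichment of events against the resulting lookup.

Added example, not the Cyware add-on's code. Record keys follow the data fields
documented for the input (ctix_id, indicator_type, indicator, score,
is_deprecated, is_false_positive, is_whitelisted, tags, sources, source_tlp).
All values below are constructed sample data.
"""
from typing import Dict, Iterable, List

Record = Dict[str, object]

# Constructed sample of two polling cycles. The second cycle re-reports
# 203.0.113.10 with a higher score and marks evil.example as whitelisted.
POLL_CYCLE_1: List[Record] = [
    {"ctix_id": "ind-0001", "indicator_type": "ipv4-addr", "indicator": "203.0.113.10",
     "score": 40, "is_deprecated": False, "is_false_positive": False,
     "is_whitelisted": False, "tags": ["splunk"], "sources": ["feed-a"], "source_tlp": "AMBER"},
    {"ctix_id": "ind-0002", "indicator_type": "domain-name", "indicator": "evil.example",
     "score": 90, "is_deprecated": False, "is_false_positive": False,
     "is_whitelisted": False, "tags": ["splunk"], "sources": ["feed-b"], "source_tlp": "GREEN"},
    {"ctix_id": "ind-0003", "indicator_type": "file-hash",
     "indicator": "d41d8cd98f00b204e9800998ecf8427e",
     "score": 75, "is_deprecated": True, "is_false_positive": False,
     "is_whitelisted": False, "tags": ["splunk"], "sources": ["feed-a"], "source_tlp": "AMBER"},
]
POLL_CYCLE_2: List[Record] = [
    {"ctix_id": "ind-0001", "indicator_type": "ipv4-addr", "indicator": "203.0.113.10",
     "score": 85, "is_deprecated": False, "is_false_positive": False,
     "is_whitelisted": False, "tags": ["splunk", "c2"], "sources": ["feed-a", "feed-c"],
     "source_tlp": "AMBER"},
    {"ctix_id": "ind-0002", "indicator_type": "domain-name", "indicator": "evil.example",
     "score": 90, "is_deprecated": False, "is_false_positive": False,
     "is_whitelisted": True, "tags": ["splunk"], "sources": ["feed-b"], "source_tlp": "GREEN"},
]


def load_poll(lookup: Dict[str, Record], records: Iterable[Record]) -> Dict[str, Record]:
    """Merge one poll into the lookup, keyed by indicator value.

    Mirrors the documented behaviour that an IOC already present in the lookup
    table is replaced rather than duplicated: the newest record wins.
    """
    for rec in records:
        lookup[str(rec["indicator"])] = dict(rec)
    return lookup


def is_actionable(rec: Record, min_score: int = 50) -> bool:
    """Decide whether a lookup hit should raise an alert.

    Allowed (whitelisted), false-positive and deprecated indicators remain in
    the lookup, so this filtering has to happen in the alert search itself.
    The min_score threshold of 50 is an assumption for the example.
    """
    if rec.get("is_whitelisted") or rec.get("is_false_positive") or rec.get("is_deprecated"):
        return False
    return int(rec.get("score", 0)) >= min_score  # type: ignore[call-overload]


def enrich_events(events: Iterable[Dict[str, str]], lookup: Dict[str, Record],
                  match_fields: Iterable[str]) -> List[Dict[str, object]]:
    """Attach CTIX context to events whose match_fields hold a known indicator.

    This is the equivalent of matching an event field against the indicator
    column of the KV store lookup; the first matching field wins.
    """
    fields = list(match_fields)
    out: List[Dict[str, object]] = []
    for ev in events:
        enriched: Dict[str, object] = dict(ev)
        enriched["ctix_match"] = False
        for f in fields:
            hit = lookup.get(ev.get(f, ""))
            if hit is None:
                continue
            enriched.update({
                "ctix_match": True,
                "ctix_id": hit["ctix_id"],
                "ctix_score": hit["score"],
                "ctix_tags": list(hit["tags"]),  # type: ignore[arg-type]
                "ctix_sources": list(hit["sources"]),  # type: ignore[arg-type]
                "ctix_tlp": hit["source_tlp"],
                "ctix_actionable": is_actionable(hit),
            })
            break
        out.append(enriched)
    return out


# Constructed proxy/DNS-style events to enrich.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "query": ""},
    {"src_ip": "10.0.0.6", "dest_ip": "198.51.100.7", "query": "evil.example"},
    {"src_ip": "10.0.0.7", "dest_ip": "198.51.100.8", "query": "benign.example"},
]


def run_demo() -> List[Dict[str, object]]:
    """Load both polls into one lookup and enrich the sample events."""
    lookup: Dict[str, Record] = {}
    load_poll(lookup, POLL_CYCLE_1)
    load_poll(lookup, POLL_CYCLE_2)
    return enrich_events(SAMPLE_EVENTS, lookup, ["dest_ip", "query"])


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

After the second poll the lookup still holds three entries: 203.0.113.10 is replaced by its newer record (score 85, two sources) rather than stored twice, and evil.example now matches but is not actionable because it is whitelisted. The same split between "matched" and "actionable" is what an alert search built on the KV store lookup has to make, since the lookup itself carries every polled indicator regardless of its is_whitelisted, is_false_positive or is_deprecated flags.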
View CTIX Data in Splunk
The CTIX app provides a dashboard, named CTIX Indicator Dashboard, that graphically displays the indicator data retrieved into Splunk.
To view the CTIX Indicator dashboard, do the following:
Sign in to Splunk.
From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).
Go to Dashboards and click the This App's tab.
Click CTIX Indicator Dashboard.
The dashboard contains widgets that display the indicator data retrieved from CTIX.
The dashboard includes the following widgets:
New Indicators Last 24 hours: Displays the number of indicators ingested into CTIX in the last 24 hours.
New Indicators Last 7 days: Displays the number of indicators ingested into CTIX in the last 7 days.
New Indicators Last 30 days: Displays the number of indicators ingested into CTIX in the last 30 days.
Total IOC Count: Displays the total number of indicators available on CTIX.
Allowed IOC Count: Displays the total number of allowed indicators available on CTIX.
Deprecated IOC Count: Displays the total number of deprecated indicators available on CTIX.
IOC Count Timeline Chart: Displays the number of indicators ingested into CTIX with respect to a specific period of time.
IOC Count by Source: Displays the number of indicators reported by various sources.
Source-based Timeline Chart: Displays the number of indicators reported by various sources with respect to a specific period of time.
IOC Count by Type: Displays the number of indicators reported by the indicator type.
IOC Type-based Timeline Chart: Displays the number of indicators reported by the indicator type with respect to a specific period of time.