
Cyware Threat Intelligence eXchange

Configure Intel Exchange App in Splunk

Cyware Threat Intelligence eXchange (CTIX) is available as an add-on app in Splunk Enterprise and assists in the integration of CTIX in Splunk. The integration between Splunk Enterprise and CTIX automates the correlation and enrichment of indicators from Splunk’s notable events. This helps threat intelligence analysts in the effective analysis and enrichment of threat indicators.

This integration with Splunk offers the following capabilities:

  • Poll threat indicators from CTIX to Splunk.

  • Configure multiple instances of input data details for polling and updating lookup tables based on tags and saved result sets created in the CTIX application. You can poll the complete data set if Saved Result Set tags are not specified.

  • Configure multiple instances of input data to add and store different input data in custom lookup tables.

  • Optionally store the request parameters and response data as logs in the index. The logs contain timestamp information about the threat intel shared or received in Splunk.

  • Store lookups as Key-Value (KV) pairs instead of CSV, enabling storage of large amounts of dynamic data.

  • Replace IOCs that already exist in the lookup table, which avoids duplication of IOCs within the same lookup table.

After you configure the add-on, Splunk automatically starts pulling the indicator values from CTIX and updates them in the lookup tables based on the configured Key-Value (KV) store collection. You can configure only one instance of CTIX in Splunk to poll threat intel.

Note

The CTIX in Splunk integration is compatible with Splunk Enterprise 3.0 and later versions.

Before you Start

Ensure that you have access to the CTIX and Splunk Enterprise applications.

In CTIX, rules are automated tasks that execute actions when a trigger condition is met. Create a rule in the CTIX application with the Saved Result Set action to poll threat intel in Splunk.

Before you Start

Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in CTIX.

Steps

To create a rule, do the following:

  1. Sign in to CTIX.

  2. From Main Menu, select Rules under Actions.

  3. Click New Rule.

  4. Enter a title and key details about the rule as the rule description.

  5. To easily identify and categorize components in CTIX, add tags.

  6. Click Submit.

  7. Define the source and collections for the rule to poll data for Splunk.

  8. Define the condition based on which the rule is triggered.

    For more information about defining sources, collections, and conditions, see Automation Rules.

  9. Enter the following to define the action:

    1. Select Save Result Set V3 as the action from the drop-down menu.

      The Save Result Set V3 action stores data from the CTIX application and acts as a collection from where Splunk can poll data.

    2. Select CTIX as the application from the drop-down menu.

    3. Select an account to specify the application instance to run the rule.

    4. Select tags to filter data in CTIX.

  10. Click Save.

To integrate CTIX in Splunk Enterprise, you require the API credentials of CTIX.

To generate the API credentials in CTIX, do the following:

  1. Sign in to CTIX.

  2. From Administration, select Integration Management, and select CTIX Integrators under THIRD-PARTY DEVELOPERS.

  3. Click Add New.

  4. Enter a name to identify the API integration.

  5. Enter key details in the description for the API integration.

  6. Select an expiration date for the credentials.

    CTIX picks the default user for the credentials. You cannot modify the associated user.

  7. Click Generate.

    The Access ID, Secret Key, and Endpoint URL values appear on the screen. Retain these values to configure CTIX in Splunk. You cannot see these values after you close this screen.

  8. Click Download to retain a CSV file of the credentials in your system.

Configure the CTIX application to poll threat intel in Splunk.

To configure the CTIX application in Splunk, do the following:

  1. Sign in to Splunk Enterprise.

  2. From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).

  3. On the Configuration tab, select Add-on Settings.

  4. Enter the Endpoint URL generated in CTIX in the Base URL field.

  5. Enter access ID and secret key values generated in CTIX.

  6. To encrypt the data shared between the Splunk and CTIX servers and secure the connection, select Verify TLS Certificate.

  7. Click Save.

After you configure CTIX in Splunk, you must configure the input data to choose the information you want to poll from CTIX in Splunk.

To configure input data in Splunk, do the following:

  1. Sign in to Splunk.

  2. From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).

  3. On Inputs, click Create New Input.

  4. Enter a unique name for the data input.

  5. Enter the polling interval, in seconds, at which Splunk polls threat intel from CTIX.

  6. Select an index from the drop-down menu to store data in Splunk. An index is a repository that stores all the raw data in Splunk.

  7. Enter the Saved Result Set tags you added while creating the rule in CTIX.

  8. Enter the data fields to fetch threat intel from CTIX. You can choose from the following data fields:

    • ctix_id: Displays the unique ID of an indicator in CTIX.

    • indicator_type: Displays the type of an indicator.

    • indicator: Displays the value of an indicator.

    • indicator_url: Displays a URL to view the indicator on CTIX.

    • indicator_subtype: Displays the sub-type of an indicator.

    • is_deprecated: Displays true if an indicator is deprecated, else displays false.

    • score: Displays the score assigned to an indicator by an analyst.

    • is_false_positive: Displays true if an indicator is marked as false positive, else displays false.

    • is_whitelisted: Displays true if an indicator is marked as an allowed indicator, else displays false.

    • created_timestamp: Displays the created date and time of an indicator in CTIX.

    • modified_timestamp: Displays the modified date and time of an indicator in CTIX.

    • tags: Displays tags defined on an indicator.

    • sources: Displays the list of sources that reported the indicator.

    • source_tlp: Displays the TLP assigned to an indicator.

    • source_score: Displays the confidence score of an indicator as reported by its source.

    • first_seen: Displays the first seen date and time of an indicator.

    • last_seen: Displays the last date and time an indicator was seen.

  9. Select True for Write to Index to enable adding large volumes of data to the selected index.

    Warning

    Setting Write to Index to True may incur additional costs because extra, unaccounted-for data is fetched. Cyware recommends you mark Write to Index as False.

  10. Enter the KV store collection name to store the polled threat intel.

  11. Click Add.

    You can add multiple instances of input data details to segregate the threat intel coming from CTIX into different indexes.

After you configure CTIX and the data fields, Splunk automatically starts enriching threat data objects by polling threat intel based on the defined polling interval.

To view the polled CTIX threat intel, do the following:

  1. Sign in to Splunk.

  2. From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).

  3. On Search, use the search bar to write a query to retrieve the polled threat intel.

    For example,

    • Enter inputlookup <kvstore_collection_name> to retrieve threat intel from the selected KV store collection.

    • Enter index=<index name> sourcetype=ctix to retrieve threat intel from the selected index where the source is CTIX.

    • Enter searchctix <ioc-value> to retrieve enriched data of an indicator.

  4. Select the timeframe of the polled threat intel from the drop-down menu.

  5. Click the search icon or press the enter key on the keyboard.
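As an added example (not from the Cyware documentation), the following search correlates firewall events against the polled CTIX indicators and keeps only indicators that are still actionable according to the data fields described above. It assumes a lookup definition named ctix_iocs backed by the configured KV store collection, a firewall index with dest_ip and src_ip fields, boolean fields stored as the strings true/false, and a minimum score of 70; adjust these to your environment.

```spl
index=firewall dest_ip=*
| lookup ctix_iocs indicator AS dest_ip
    OUTPUT ctix_id indicator_type score is_deprecated is_false_positive is_whitelisted tags source_tlp indicator_url
| where isnotnull(ctix_id)
| where is_deprecated="false" AND is_false_positive="false" AND is_whitelisted="false"
| where tonumber(score) >= 70
| stats count AS hits
        earliest(_time) AS first_hit
        latest(_time) AS last_hit
        values(src_ip) AS src_ips
        values(tags) AS ctix_tags
    BY dest_ip ctix_id indicator_type score source_tlp indicator_url
| convert ctime(first_hit) ctime(last_hit)
| sort - score
```

Each row is a destination that matched a live CTIX indicator, with the hit count, the internal sources that contacted it, and the indicator_url for pivoting back to CTIX.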

The CTIX app provides a dashboard, named CTIX Indicator Dashboard, to graphically display the retrieved indicator data in Splunk.

To view the CTIX Indicator dashboard, do the following:

  1. Sign in to Splunk.

  2. From Apps on the left side of the screen, select Cyware Threat Intelligence eXchange (CTIX).

  3. Go to Dashboards and click the This App's tab.

  4. Click CTIX Indicator Dashboard.

You can view the dashboard, which includes widgets to display the indicator data retrieved from CTIX.

(Figure: Splunk_Dashboard.png, the CTIX Indicator Dashboard in Splunk)

The dashboard includes the following widgets:

  • New Indicators Last 24 hours: Displays the number of indicators ingested into CTIX in the last 24 hours.

  • New Indicators Last 7 days: Displays the number of indicators ingested into CTIX in the last 7 days.

  • New Indicators Last 30 days: Displays the number of indicators ingested into CTIX in the last 30 days.

  • Total IOC Count: Displays the total number of indicators available on CTIX.

  • Allowed IOC Count: Displays the total number of allowed indicators available on CTIX.

  • Deprecated IOC Count: Displays the total number of deprecated indicators available on CTIX.

  • IOC Count Timeline Chart: Displays the number of indicators ingested into CTIX with respect to a specific period of time.

  • IOC Count by Source: Displays the number of indicators reported by various sources.

  • Source-based Timeline Chart: Displays the number of indicators reported by various sources with respect to a specific period of time.

  • IOC Count by Type: Displays the number of indicators reported by the indicator type.

  • IOC Type-based Timeline Chart: Displays the number of indicators reported by the indicator type with respect to a specific period of time.

Changelog

17 December, 2024

The Cyware Threat Intelligence eXchange (CTIX) app is now upgraded to version 3.2.1 in Splunk Cloud, ensuring compatibility by addressing vetting requirements and upgrading to Splunk Python SDK 2.0.2.