Splunk
CTIX ingests threat data from a multitude of sources in different formats.
Splunk allows security teams to communicate with the Splunk application to gather events and alert logs from endpoints and gain organization-wide visibility over cyber threats.
You can send high-fidelity IOC from CTIX to Splunk to perform a lookup in the Splunk tool. You can also enrich IOCs observed in the Splunk application from CTIX. The lookup tables in Splunk enrich your event data by adding field-value combinations. This integration enables analysts to gain more context into the threat data.
The Splunk internal application in Intel Exchange supports the following actions:
Action Name | Description |
|---|---|
Update Lookup Table | This action updates the lookup table of Splunk to perform a lookup of the IOCs retrieved from Intel Exchange. |
Splunk is available as an out-of-the-box integration in CTIX. To configure Splunk integration with CTIX, do the following:
Upload Lookup Tables in CTIX Format on Splunk
Create lookup tables in CTIX required format on Splunk so that you can update the lookup using CTIX rules. Here is the format of the CSV file that you have to create for CTIX and upload to Splunk. See Splunk documentation for details.
Criticality,"Cyware Score",Severity,TLP,Type,Value,ip, UNKNOWN,"0.0",UNKNOWN,AMBER,"ipv4-addr","10.0.0.52", UNKNOWN,"0.0",UNKNOWN,AMBER,"ipv4-addr","10.0.0.51", UNKNOWN,"57.5",UNKNOWN,AMBER,"ipv4-addr","127.0.0.1",
Sign in to the Splunk application with the necessary permissions to upload lookup files.
Select Settings -> Lookups to go to the Lookups manager.
In the Actions column, click Add new in Lookup Table Files.
Select a Destination app from the list.
Click Choose File to look for the CSV file to upload.
Enter the destination filename. This is the name the lookup table file will have on the Splunk server. If you are uploading a gzipped CSV file, enter a filename ending in ".gz". If you are uploading a plaintext CSV file, use a filename ending in ".csv".
Click Save.
The Splunk software saves your CSV file in your user directory for the Destination app: $SPLUNK_HOME/etc/users/<username>/<app_name>/lookups/.
Configure Splunk in CTIX
Before you Start
You must have the base URL, user name, and password or the authentication token of your Splunk account.
The user configuring the integration should have View & Update Tool Integration permission.
Use the following steps to configure the app in CTIX:
Sign in to CTIX.
From Administration, open Integration Management and select the Internal Applications under Tool Integrations.
Select Security Information and Event Management System.
Look for Splunk and click on the app.
Click Add Instance to add a Splunk instance.
Enter an instance name for your integration.
Enter the base URL of your Splunk account.
Select any one from the following:
Username/Password: Uses username and password as the authentication credentials.
Authentication Token: Uses username and token as the authentication credentials.
To secure the connection between Splunk and the CTIX server, enable Verify SSL.
Click Save.
Enable Update Lookup Table
After configuring Splunk on CTIX, enable the update Lookup table action in Splunk.
From Administration, open Integration Management and select the Internal Applications under Tool Integrations.
Select Security Information and Event Management System.
Select Splunk.
Click the ellipsis on the top right corner and click Manage.
Click Manage Action(s) and click > of the Update Lookup Table action.
Enable the toggle to update the Lookup tables.
Create a Rule in CTIX to Update Splunk Lookup Tables
In CTIX, rules are automated tasks that can execute some actions on a trigger. Create a rule in the CTIX application to update the lookup tables in Splunk.
From Main Menu, select Rules under Actions.
Click New Rule.
Enter a rule name and a description.
To easily identify and categorize components in CTIX, add tags.
Click Submit.
Set the following optional global conditions for a rule from Basic Details on the left side of the screen:
Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system notifies that the previously selected conditions will be removed, and the Conditions under Components on the left side of the screen are removed.
Run rule after Enrichment: Rule actions are triggered only after the enrichment and confidence score evaluation are complete.
Triggers on Manual Update: Triggers the rule to run for any manual update made to the existing threat data object by an analyst. It will not execute the rule for any new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm to allow all sources and collections for the trigger to update the threat data object.
Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected and no false positives are included. This option ignores any conditions configured in the rule to remove false positive threat data objects.
Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.
Now define the Sources, Conditions, and Actions for this rule.
In Actions, choose the following:
Actions: Update Lookup Table
Application: Splunk
Account: Choose the Splunk account
Choose the lookup table from Splunk to update.
Choose the field values to update in the Splunk lookup table.
Click Save.
View CTIX Data in Splunk Lookup Tables
You can verify that CTIX data is updated in the Splunk lookup tables. You should know Splunk Query Language to look for information. See Splunk documentation for details.
Sign in to Splunk with appropriate credentials.
Open the Search app, from Splunk Home click Search & Reporting in the Apps panel.
Type SPL queries in the search box to look for the Lookup tables that are updated by CTIX rules.