Enterprise Security Matching
Splunk's Enterprise Security App provides the means to match your threat intelligence data against events mapped to the standard Splunk Common Information Model (CIM) data models. Refer to Splunk's documentation on the Enterprise Security Workflow for Threat Intelligence, described here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBC.
ThreatQuotient maps its threat intelligence data to the standard Splunk Enterprise Security lookup tables via the saved searches described above. Using the default Threat Generation searches in Enterprise Security, the ES app finds matches and reports them in the threat_activity index, as described in the link above.
Threat intelligence data is added to Enterprise Security through its REST APIs with a threat_key of threatq_indicator. The score of a ThreatQ indicator is mapped to the Weight attribute in ES. Any updates to the score are reflected in ES automatically by the periodic saved searches.
If the score or status of a ThreatQ indicator changes to a value outside the range configured in the macro settings of the ThreatQ Splunk App, the indicator is updated in ES and placed in a disabled state, so that it is no longer used in further correlation.
When matching through the Enterprise Security App, the additional context (sources and adversaries), workflow actions, and reporting of sightings back to ThreatQuotient are not available.
ThreatQ Indicators to Splunk Enterprise Security Lookup Tables
The ThreatQuotient App for Splunk supports Splunk Enterprise Security (ES) customers by making ThreatQ data accessible through Splunk's native ES lookup tables. The following table shows how ThreatQ indicator types are mapped to the Splunk ES lookup tables. This data is then available in the various ES dashboards.
ThreatQ Indicator Type Mapping to Enterprise Security Lookup Tables
ThreatQ indicator type | Splunk ES lookup table |
---|---|
CIDR Block | local_ip_intel |
Email Address | local_email_intel |
Email Subject | local_email_intel |
File Name | local_file_intel |
FQDN | local_domain_intel |
Fuzzy Hash | local_file_intel |
GOST Hash | local_file_intel |
IP Address | local_ip_intel |
MD5 | local_file_intel |
Registry Key | local_registry_intel |
Service Name | local_service_intel |
SHA-1 | local_file_intel |
SHA-256 | local_file_intel |
SHA-384 | local_file_intel |
SHA-512 | local_file_intel |
x509 Serial | local_certificate_intel |
x509 Subject | local_certificate_intel |
URL | local_http_intel |
URL Path | local_http_intel |
Username | local_user_intel |
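The following Python is an added example, not ThreatQuotient's or Splunk's own code, of the mapping this table and the Enterprise Security Matching section describe: each ThreatQ indicator becomes a row in the ES lookup table for its type, carrying the threat_key threatq_indicator and its score as the weight, and an indicator whose score or status falls outside the configured range is written back disabled rather than deleted. The column names (ip, domain, file_hash, and so on), the integer disabled flag, the Thresholds class standing in for the app's macro settings, and the sample indicators are all assumptions constructed for this example.

```python
"""Added example, not ThreatQuotient's or Splunk's own code: build the rows that a
periodic ThreatQ-to-ES sync would write into the Splunk ES threat-intel lookup
tables, applying the score/status thresholds kept in the app's macro settings."""
from dataclasses import dataclass

# Value the page states the app uses as the ES threat_key for every indicator.
THREAT_KEY = "threatq_indicator"

# ThreatQ indicator type -> (ES lookup table, column holding the indicator value).
# Table names are taken from the page's mapping table. The column names are the
# CIM-style field names of the ES threat collections and are an assumption here.
TYPE_TO_LOOKUP = {
    "CIDR Block": ("local_ip_intel", "ip"),
    "IP Address": ("local_ip_intel", "ip"),
    "FQDN": ("local_domain_intel", "domain"),
    "Email Address": ("local_email_intel", "src_user"),
    "Email Subject": ("local_email_intel", "subject"),
    "File Name": ("local_file_intel", "file_name"),
    "Registry Key": ("local_registry_intel", "registry_key_name"),
    "Service Name": ("local_service_intel", "service"),
    "x509 Serial": ("local_certificate_intel", "certificate_serial"),
    "x509 Subject": ("local_certificate_intel", "certificate_subject"),
    "URL": ("local_http_intel", "url"),
    "URL Path": ("local_http_intel", "url"),
    "Username": ("local_user_intel", "user"),
}
for _hash in ("MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512", "Fuzzy Hash", "GOST Hash"):
    TYPE_TO_LOOKUP[_hash] = ("local_file_intel", "file_hash")


@dataclass(frozen=True)
class Thresholds:
    """Hypothetical stand-in for the macro settings of the ThreatQ Splunk App."""
    min_score: int = 7                            # lowest score still exported to ES
    statuses: frozenset = frozenset({"Active"})   # statuses still exported to ES


def in_scope(indicator: dict, th: Thresholds) -> bool:
    """True when the indicator's score and status are still within the configured range."""
    return indicator["score"] >= th.min_score and indicator["status"] in th.statuses


def to_es_row(indicator: dict, th: Thresholds) -> tuple:
    """Return (lookup table, row). Out-of-scope indicators are emitted as disabled
    rows rather than deleted, so ES stops correlating on them but keeps the record."""
    try:
        table, column = TYPE_TO_LOOKUP[indicator["type"]]
    except KeyError:
        raise ValueError(f"no ES lookup table for ThreatQ type {indicator['type']!r}") from None
    return table, {
        column: indicator["value"],
        "threat_key": THREAT_KEY,
        # The page says the ThreatQ score maps to the ES Weight attribute and
        # describes no rescaling, so the score is passed through unchanged.
        "weight": indicator["score"],
        "description": f"ThreatQ indicator id={indicator['id']}",
        # An integer 'disabled' flag is an assumption about the ES collection schema.
        "disabled": 0 if in_scope(indicator, th) else 1,
    }


def reconcile(indicators: list, previously_exported: set, th: Thresholds) -> dict:
    """One periodic run: returns {lookup table: [rows]}.
    - in-scope indicators are (re)written with their current weight;
    - indicators exported earlier that fell out of scope are written back disabled;
    - indicators that never reached ES and are out of scope are skipped."""
    rows = {}
    for ind in indicators:
        if not in_scope(ind, th) and ind["id"] not in previously_exported:
            continue
        table, row = to_es_row(ind, th)
        rows.setdefault(table, []).append(row)
    return rows


# Constructed sample data; these are not real ThreatQ records.
SAMPLE_INDICATORS = [
    {"id": 101, "type": "IP Address", "value": "203.0.113.7", "score": 9, "status": "Active"},
    {"id": 102, "type": "CIDR Block", "value": "198.51.100.0/24", "score": 8, "status": "Active"},
    {"id": 103, "type": "SHA-256", "score": 10, "status": "Active",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": 104, "type": "FQDN", "value": "malicious.example", "score": 3, "status": "Active"},         # score dropped
    {"id": 105, "type": "URL", "value": "http://bad.example/payload", "score": 9, "status": "Expired"},  # status changed
    {"id": 106, "type": "Username", "value": "svc-backup", "score": 2, "status": "Active"},           # never exported
]
PREVIOUSLY_EXPORTED = {101, 103, 104, 105}

if __name__ == "__main__":
    for table, table_rows in reconcile(SAMPLE_INDICATORS, PREVIOUSLY_EXPORTED, Thresholds()).items():
        for row in table_rows:
            print(table, row)
```

Running the block writes 101 and 102 to local_ip_intel and 103 to local_file_intel as enabled rows, writes 104 (score fell below the threshold) and 105 (status left the allowed set) back to their tables as disabled rows, and skips 106, which was never exported and is out of scope. Whatever transport the real app uses (the page mentions the ES REST APIs), the disable-rather-than-delete rule is what keeps ES from continuing to correlate on indicators ThreatQ has downgraded.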
To view the matched events and the imported indicators, navigate to Enterprise Security > Security Intelligence > Threat Intelligence.
- Threat Activity: lists the events from CIM-compliant data sources that matched a threat indicator.
- Threat Artifacts: lists the indicators fetched from ThreatQ.
Saved Searches for Enterprise Security
In addition to the core saved searches, the following saved searches apply to Enterprise Security (ES) customers. They run once a day and map ThreatQ indicators by type to the Splunk ES lookup tables described in the ThreatQ Indicators to Splunk Enterprise Security Lookup Tables section of this topic.
By default, scheduling is disabled for all saved searches that port threat intelligence data from ThreatQ to the ES lookup tables, because not all users have the Enterprise Security App installed. If you have ES installed and want to port the threat intelligence data, enable the scheduling of these saved searches.
Saved Searches for Mapping ThreatQ Indicator data to Splunk's CIM
ES Saved Search | Description |
---|---|
threatq_update_threat_intelligence_lookup_email_address | Map ThreatQ type 4 indicators to local_email_intel |
threatq_update_threat_intelligence_lookup_email_subject | Map ThreatQ type 6 indicators to local_email_intel |
threatq_update_threat_intelligence_lookup_file_name | Map ThreatQ type 9 indicators to local_file_intel |
threatq_update_threat_intelligence_lookup_fqdn | Map ThreatQ type 10 indicators to local_domain_intel |
threatq_update_threat_intelligence_lookup_hash | Map ThreatQ type [11,12,15,20,21,22,23] indicators to local_file_intel |
threatq_update_threat_intelligence_lookup_ip | Map ThreatQ type 14 indicators to local_ip_intel |
threatq_update_threat_intelligence_lookup_registry | Map ThreatQ type 18 indicators to local_registry_intel |
threatq_update_threat_intelligence_lookup_service | Map ThreatQ type 19 indicators to local_service_intel |
threatq_update_threat_intelligence_lookup_certificate_serial | Map ThreatQ type 25 indicators to local_certificate_intel |
threatq_update_threat_intelligence_lookup_certificate_subject | Map ThreatQ type 26 indicators to local_certificate_intel |
threatq_update_threat_intelligence_lookup_url | Map ThreatQ type 27 indicators to local_http_intel |
threatq_update_threat_intelligence_lookup_user | Map ThreatQ type 30 indicators to local_user_intel |