2. Download Observables to Splunk

Updated 1 month ago by Steven Chamales

Requirements.

Performance Steps.

Plan your modinputs and intel workflows.

  • We recommend sketching out your ideas in a notepad before creating workflows and inputs.
  • Use the modinput config examples below for ideas to get you started.

Create Prioritized Indicators Intel Workflows that yield the subsets of observables you want to use for detection in Splunk.

Create modinputs, following the Install Guide's instructions.

  • TruSTAR recommends using one intel workflow per modinput.

Modinput & Intel Workflow Ideas.

Input using Workflows

An Acme user has set up a workflow to prioritize indicators. The workflow takes care of the sources, score filtering, IOC filtering and whitelisting, so the input itself needs very little configuration.

Input Name:       Prioritized_Indicators
Enclave IDs:      <workflow Enclave ID>
Indicator Types:  All
Expiration:       Depends on the type of IOCs the workflow is centered around, e.g. 180 days for hashes, 7 days for IPs

Input 1

Acme wants to watch for any Indicators that they have already investigated and determined are malicious. Acme stores these Indicators in a Vetted Indicators Enclave in TruSTAR.

Input Name:       Vetted_Indicators
Enclave IDs:      <vetted indicators Enclave ID>
Indicator Types:  All
Expiration:       360 days

Input 2

Acme is extremely concerned about file hashes reported on by Intelligence-X. They want to constrain this input to file hashes only, and only from that one Intelligence Source.

Acme should create an intel workflow that uses Intelligence-X as its only source, then create an input similar to this:

Input Name:       Intel-X_Source
Enclave IDs:      <workflow enclave ID>
Indicator Types:  SHA1, SHA256, MD5
Expiration:       180 days

Input 3

Acme wants to alert on IP addresses reported on by Intelligence Sources A, B and C, but only if the reporting is timestamped within the last 7 days.

Acme should create a Prioritized Indicator Intel Workflow that uses Sources A, B, and C as workflow sources and selects for IP addresses only, and then configure this input:

Input Name:       Malicious_IPs
Enclave IDs:      <workflow enclave ID>
Indicator Types:  IP
Expiration:       7 days

Input 4

Acme is a member of a sharing group named CyberSleuths. Acme wants to download all Indicators from that sharing group's Enclave into Splunk and retain them for 90 days.

Input Name:       CyberSleuth_Intel
Enclave IDs:      <CyberSleuthEnclave_ID>
Indicator Types:  All
Expiration:       90 days

Input 5

Acme Corporation runs a script that copies TruSTAR Reports and Indicators that meet certain criteria into an Enclave named ACME_CURATED, so that Enclave contains only very high-signal data. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days.

Input Name:       Curated_Intel
Enclave IDs:      <AcmeCuratedEnclave_ID>
Indicator Types:  All
Expiration:       180 days

More Examples of Inputs.

You can reduce false-positive alerts by exercising fine-grained control over the Indicators that the app brings into the detection set. The table below suggests some inputs that filter Indicators by Enclave, Indicator Type, tag and expiration. Expiration is in days; short windows suit fast-churning observables such as IP addresses, while file hashes can safely be retained much longer.

Input Name               Enclave                          Indicator Types                         Tags                  Expire (days)
investigated_ip          Investigations                   IP                                      malicious, detection  7
investigated_hash_email  Investigations                   Email, MD5, SHA256                      malicious, detection  180
investigated_phish_urls  Investigations                   URL                                     malicious, phish      90
investigated_phish_ips   Investigations                   IP                                      malicious, phish      7
isac_vetted_ip           Sharing Group Vetted Indicators  IP                                                            7
isac_vetted_email_hash   Sharing Group Vetted Indicators  Email, MD5, SHA1, SHA256                                      180
isac_vetted_url          Sharing Group Vetted Indicators  URL                                                           60
premium_sources_ip       Premium IP workflow              IP or all (workflow handles filtering)                        7
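The following is a worked model of the filtering that the input tables above describe. It is an added example written for this page, not code from the TruSTAR Splunk app, and it assumes one reading of the settings: an input selects an Indicator when the Indicator sits in one of the input's Enclaves, matches one of the configured Indicator Types (or the input says All), carries every configured tag, and was last reported within Expiration days of the current time. The Enclave IDs, indicator values and timestamps are constructed for the example.

```python
"""Added illustration, not TruSTAR app code: a small model of how a modinput's
Enclave, Indicator Types, Tags and Expiration settings narrow the detection set.
Assumption: an indicator stays live for an input while its most recent report is
no older than Expiration days; Enclave IDs and all sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str            # "IP", "SHA256", "URL", "Email", ...
    enclave_id: str
    last_seen: datetime      # timestamp of the most recent report
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ModInput:
    name: str
    enclave_ids: FrozenSet[str]
    indicator_types: FrozenSet[str]     # empty means "All"
    expiration_days: int
    tags: FrozenSet[str] = frozenset()  # empty means no tag filter

    def selects(self, ioc: Indicator, now: datetime) -> bool:
        """True when the indicator would be in this input's detection set at `now`."""
        if ioc.enclave_id not in self.enclave_ids:
            return False
        if self.indicator_types and ioc.ioc_type not in self.indicator_types:
            return False
        # Require every configured tag to be present (assumed AND semantics).
        if self.tags and not self.tags <= ioc.tags:
            return False
        return now - ioc.last_seen <= timedelta(days=self.expiration_days)


def live_detection_set(inputs: Iterable[ModInput],
                       indicators: Iterable[Indicator],
                       now: datetime) -> Dict[str, List[str]]:
    """Map each input name to the sorted indicator values still live at `now`."""
    indicators = list(indicators)
    return {mi.name: sorted(i.value for i in indicators if mi.selects(i, now))
            for mi in inputs}


# Constructed reference clock and hypothetical Enclave IDs.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
TEN_DAYS_LATER = NOW + timedelta(days=10)
INVESTIGATIONS = "enclave-investigations"       # hypothetical Enclave ID
SG_VETTED = "enclave-sharing-group-vetted"      # hypothetical Enclave ID

# Constructed indicators (documentation IP ranges, reserved .example domain).
SAMPLE_INDICATORS = [
    Indicator("203.0.113.10", "IP", INVESTIGATIONS, NOW - timedelta(days=2),
              frozenset({"malicious", "detection"})),
    Indicator("203.0.113.20", "IP", INVESTIGATIONS, NOW - timedelta(days=12),
              frozenset({"malicious", "detection"})),   # already past a 7-day window
    Indicator("198.51.100.5", "IP", INVESTIGATIONS, NOW - timedelta(days=1),
              frozenset({"malicious", "phish"})),       # lacks the "detection" tag
    Indicator("a" * 64, "SHA256", INVESTIGATIONS, NOW - timedelta(days=120),
              frozenset({"malicious", "detection"})),
    Indicator("http://phish.example/login", "URL", INVESTIGATIONS,
              NOW - timedelta(days=30), frozenset({"malicious", "phish"})),
    Indicator("192.0.2.77", "IP", SG_VETTED, NOW - timedelta(days=3)),
    Indicator("192.0.2.78", "IP", SG_VETTED, NOW - timedelta(days=200)),
]

# Four of the inputs from the table above, expressed as ModInput records.
SAMPLE_INPUTS = [
    ModInput("investigated_ip", frozenset({INVESTIGATIONS}), frozenset({"IP"}),
             7, frozenset({"malicious", "detection"})),
    ModInput("investigated_hash_email", frozenset({INVESTIGATIONS}),
             frozenset({"Email", "MD5", "SHA256"}), 180,
             frozenset({"malicious", "detection"})),
    ModInput("investigated_phish_urls", frozenset({INVESTIGATIONS}),
             frozenset({"URL"}), 90, frozenset({"malicious", "phish"})),
    ModInput("isac_vetted_ip", frozenset({SG_VETTED}), frozenset({"IP"}), 7),
]

if __name__ == "__main__":
    for when in (NOW, TEN_DAYS_LATER):
        print(when.date(), live_detection_set(SAMPLE_INPUTS, SAMPLE_INDICATORS, when))
```

Running the model at NOW and again at TEN_DAYS_LATER shows why the tables pair short windows with IPs and long windows with hashes: the 7-day IP inputs empty out within days of their last report, while the 120-day-old SHA256 is still live in the 180-day hash input. An IP that carries only the malicious tag never enters investigated_ip because that input also requires the detection tag, which is the tag-based narrowing the table relies on to keep false positives down.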
