2. Download Observables to Splunk
Requirements.
- Install and configure TruSTAR Unified, per the Install Guide.
Performance Steps.
- Plan your modinputs and intel workflows.
- Create Prioritized Indicators Intel Workflows that yield the subsets of observables you want to use for detection in Splunk.
- Create modinputs, following the Install Guide's instructions.
Modinput & Intel Workflow Ideas.
Input using Workflows
An Acme user has set up a workflow that prioritizes indicators. The workflow takes care of the sources, score filtering, IOC filtering and whitelisting, so the input only needs to point at the workflow's Enclave.
Input Name | Enclave IDs | Indicator Types | Expiration |
Prioritized_Indicators | <workflow Enclave ID> | All | Depends on the IOC type the workflow is centered on, e.g. 180 days for hashes, 7 days for IPs |
Input 1
Acme wants to watch for any Indicators that they have already investigated and determined are malicious. Acme stores these Indicators in a Vetted Indicators Enclave in TruSTAR.
Input Name | Enclave IDs | Indicator Types | Expiration |
Vetted_Indicators | <vetted indicators Enclave ID> | All | 360 days |
Input 2
Acme is extremely concerned about file hashes reported by Intelligence-X. They want to constrain this input to file hashes only, and only from that one Intelligence Source.
Acme should create an intel workflow that uses Intelligence-X as its only source, then create an input similar to this:
Input Name | Enclave IDs | Indicator Types | Expiration |
Intel-X_Source | <workflow enclave ID> | SHA1, SHA256, MD5 | 180 days |
Input 3
Acme wants to alert on IP addresses reported by Intelligence Sources A, B, and C, but only if the report is timestamped within the last 7 days.
Acme should create a Prioritized Indicator Intel Workflow that uses Sources A, B, and C as workflow sources and selects IP addresses only, then configure this input:
Input Name | Enclave IDs | Indicator Types | Expiration |
Malicious_IPs | <workflow enclave ID> | IP | 7 days |
Input 4
Acme is a member of a sharing group named CyberSleuths. Acme wants to download all Indicators from that sharing group Enclave into Splunk and retain them for 90 days.
Input Name | Enclave IDs | Indicator Types | Expiration |
CyberSleuth_Intel | <CyberSleuthEnclave_ID> | All | 90 days |
Input 5
Acme Corporation runs a script that copies TruSTAR Reports and Indicators meeting certain criteria into an Enclave named ACME_CURATED, so that Enclave contains only very high-signal data. Acme wants an input that pulls all Indicator types from that Enclave and retains them for 180 days.
Input Name | Enclave IDs | Indicator Types | Expiration |
Curated_Intel | <AcmeCuratedEnclave_ID> | All | 180 days |
More Examples of Inputs.
You can reduce false-positive alerts by exercising fine-grained control over the Indicators the app brings into the detection set: restrict each input to the Indicator types, tags and expiration window that fit how that type is used. The table below suggests some inputs that filter Indicators this way; note the short expiration for IPs, which go stale quickly, versus the longer ones for hashes and URLs.
Input Name | Enclave | Indicator Types | Tags | Expire (days) |
investigated_ip | Investigations | IP | malicious, detection | 7 |
investigated_hash_email | Investigations | Email, MD5, SHA256 | malicious, detection | 180 |
investigated_phish_urls | Investigations | URL | malicious, phish | 90 |
investigated_phish_ips | Investigations | IP | malicious, phish | 7 |
isac_vetted_ip | Sharing Group Vetted Indicators | IP | (none) | 7 |
isac_vetted_email_hash | Sharing Group Vetted Indicators | Email, MD5, SHA1, SHA256 | (none) | 180 |
isac_vetted_url | Sharing Group Vetted Indicators | URL | (none) | 60 |
premium_sources_ip | Premium IP workflow | IP, or All (the workflow handles filtering) | (none) | 7 |
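The three controls used throughout the tables above (Indicator type, required tags, and a per-type expiration window such as 7 days for IPs versus 180 for hashes) are what keep the detection set small and current. The Python script below is an added illustration of that filtering logic and is not part of the TruSTAR app or its modinput code. The input definitions, the record layout (`value`, `type`, `tags`, `last_seen`), the sample indicators and the lookup-style CSV output are all constructed for the example; the real app fetches Indicators from the Enclave API and has its own data model.

```python
"""Added illustration of per-input type, tag and expiration filtering.

Not TruSTAR's code. INPUTS mirrors three rows of the table above; the
record layout and the sample indicators are constructed for the example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# A fixed clock keeps the expiration checks deterministic.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Hypothetical input definitions: allowed types, tags every record must
# carry (empty set = no tag filter), and the expiration window in days.
INPUTS = {
    "investigated_ip": {"types": {"IP"}, "tags": {"malicious", "detection"}, "expire_days": 7},
    "investigated_hash_email": {"types": {"Email", "MD5", "SHA256"}, "tags": {"malicious", "detection"}, "expire_days": 180},
    "isac_vetted_ip": {"types": {"IP"}, "tags": set(), "expire_days": 7},
}

# Constructed sample records (RFC 5737 documentation addresses and the MD5 of
# an empty file); they are not real intelligence.
INDICATORS = [
    {"value": "203.0.113.10", "type": "IP", "tags": {"malicious", "detection"}, "last_seen": NOW - timedelta(days=2)},
    {"value": "203.0.113.20", "type": "IP", "tags": {"malicious", "detection"}, "last_seen": NOW - timedelta(days=10)},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "MD5", "tags": {"malicious", "detection"}, "last_seen": NOW - timedelta(days=10)},
    {"value": "198.51.100.5", "type": "IP", "tags": {"suspicious"}, "last_seen": NOW - timedelta(days=1)},
]


def is_live(record, expire_days, now=NOW):
    """True if the record was last seen inside the input's expiration window."""
    return record["last_seen"] >= now - timedelta(days=expire_days)


def select_indicators(input_def, records, now=NOW):
    """Return the sorted Indicator values one input would hand to Splunk.

    A record survives only if its type is allowed, it carries every required
    tag, and it has not aged past the expiration window.
    """
    kept = []
    for rec in records:
        if rec["type"] not in input_def["types"]:
            continue
        if not input_def["tags"] <= rec["tags"]:
            continue
        if not is_live(rec, input_def["expire_days"], now):
            continue
        kept.append(rec["value"])
    return sorted(kept)


def build_detection_set(inputs, records, now=NOW):
    """Run every input and return {input_name: [values]}."""
    return {name: select_indicators(d, records, now) for name, d in inputs.items()}


def to_lookup_csv(inputs, records, now=NOW):
    """Render the detection set as a lookup-style CSV (value, type, input, expires_at).

    expires_at is last_seen plus the input's window, so an analyst can see
    when each row will drop out of the detection set.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["value", "type", "input", "expires_at"])
    for name, d in inputs.items():
        for rec in records:
            if select_indicators(d, [rec], now):
                expires = rec["last_seen"] + timedelta(days=d["expire_days"])
                writer.writerow([rec["value"], rec["type"], name, expires.date().isoformat()])
    return buf.getvalue()


if __name__ == "__main__":
    for name, values in build_detection_set(INPUTS, INDICATORS).items():
        print(f"{name}: {values}")
    print(to_lookup_csv(INPUTS, INDICATORS), end="")
```

Running it shows the effect of the per-type windows: the IP seen 10 days ago is dropped by both 7-day IP inputs, while the hash seen 10 days ago is kept by the 180-day input, and the untagged `isac_vetted_ip` input admits the `suspicious` IP that the tag-filtered `investigated_ip` input rejects.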