Application for Splunk Enterprise

Similar documents
Integrating Autotask Service Desk Ticketing with the Cisco OnPlus Portal

Set Up and Maintain Customer Support Tools

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Table of Contents. Copyright Symphonic Source, Inc. All rights reserved. Salesforce is a registered trademark of salesforce.

Integrating ConnectWise Service Desk Ticketing with the Cisco OnPlus Portal

User Management Tool 1.6

Salesforce Customer Portal Implementation Guide

Oracle Siebel Marketing and Oracle B2B Cross- Channel Marketing Integration Guide ORACLE WHITE PAPER AUGUST 2014

DocuSign Connect for Salesforce Guide

Note: With v3.2, the DocuSign Fetch application was renamed DocuSign Retrieve.

Adeptia Suite 6.2. Application Services Guide. Release Date October 16, 2014

There are numerous ways to access monitors:

VMware vcenter Log Insight User's Guide

Administration Guide for the System Center Cloud Services Process Pack

Security 8.0 User Guide

Sophos XG Firewall v Release Notes. Sophos XG Firewall Reports Guide v

LiveText for Salesforce Quick Start Guide

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

Monitoring System Status

Sage CRM. Sage CRM 7.3 Mobile Guide

Sisense. Product Highlights.

GETTING STARTED WITH COVALENT BROWSER

Tenable for Google Cloud Platform

DiskPulse DISK CHANGE MONITOR

NetFlow Analytics for Splunk

Review Manager Guide

CTERA Agent for Linux

Copyright EPiServer AB

Big Data Operations Guide for Cloudera Manager v5.x Hadoop

DocuSign for Salesforce Administrator Guide v6.1.1 Rev A Published: July 16, 2015

Getting Started with Clearlogin A Guide for Administrators V1.01

Redtail Integration. Establishing the Redtail Connection. 1. From the Applications dropdown, choose Setup.

SAP Business One mobile app for Android

Scribe Online Integration Services (IS) Tutorial

How To Use Query Console

Asset Track Getting Started Guide. An Introduction to Asset Track

APPLICATION PROGRAMMING INTERFACE

Introduction to Directory Services

Strategic Asset Tracking System User Guide

McAfee Network Security Platform Administration Course

ONCONTACT MARKETING AND CAMPAIGN USER GUIDE V8.1

Secret Server Splunk Integration Guide

Policy Compliance. Getting Started Guide. January 22, 2016

Using Application Insights to Monitor your Applications

TIBCO Spotfire Metrics Modeler User s Guide. Software Release 6.0 November 2013

Salesforce ExactTarget Marketing Cloud Radian6 Mobile User Guide

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

TRIPWIRE PURECLOUD. TRIPWIRE PureCloud USER GUIDE

CTERA Agent for Mac OS-X

Sage CRM. 7.2 Mobile Guide

Creating and Using Forms in SharePoint

ONCONTACT MARKETING AND CAMPAIGN USER GUIDE V8.1

Table of Contents. Search Results.21. Equipment Change Request...10 Equipment Removal Request...11 Disposed..12 Not found 12

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version ForeScout Mobile

GETTING STARTED GUIDE. 1.3 September D. Polycom RealAccess

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

User's Guide. Product Version: Publication Date: 7/25/2011

IBM Information Server

OneLogin Integration User Guide

WebSphere Business Monitor

UTILIZING CLOUDCHECKR FOR SECURITY

DirectTrack CrossPublication Users Guide

Secret Server Qualys Integration Guide

Juniper Networks Management Pack Documentation

Cloudera Manager Training: Hands-On Exercises

DB Audit Expert 3.1. Performance Auditing Add-on Version 1.1 for Microsoft SQL Server 2000 & 2005

Quick Start Guide.

Qlik REST Connector Installation and User Guide

CCBill Traffic Manager

VMware vcenter Log Insight User's Guide

WildFire Cloud File Analysis

INTRODUCTION TO ATRIUM... 2 SYSTEM REQUIREMENTS... 2 TECHNICAL DETAILS... 2 LOGGING INTO ATRIUM... 3 SETTINGS... 4 NAVIGATION PANEL...

SAS BI Dashboard 4.3. User's Guide. SAS Documentation

K7 Business Lite User Manual

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

This guide provides step by step instructions for using the IMF elibrary Data - My Data area. In this guide, you ll learn how to:

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10

Informatica Cloud & Redshift Getting Started User Guide

License Management App 2.1 Administration and User Guide

Content Inspection Features

User Guide. Making EasyBlog Your Perfect Blogging Tool

AlienVault. Unified Security Management (USM) 5.1 Running the Getting Started Wizard

Cloudfinder for Office 365 User Guide. November 2013

VMware vrealize Operations for Horizon Administration

Integrating HP Insight Management WBEM (WMI) Providers for Windows with HP System Insight Manager

Maximizer CRM 12 Winter 2012 Feature Guide

Taleo Enterprise. Taleo Reporting Getting Started with Business Objects XI3.1 - User Guide

Policy Guide Access Manager 3.1 SP5 January 2013

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide

SharePoint AD Information Sync Installation Instruction

PORTAL ADMINISTRATION

End User Monitoring. AppDynamics Pro Documentation. Version Page 1

Orientation Course - Lab Manual

Database Forms and Reports Tutorial

Oracle Primavera. P6 Dashboards Demo Script

Name Services (DNS): This is Quick rule will enable the Domain Name Services on the firewall.

VMware Identity Manager Administration

About the VM-Series Firewall

Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

Transcription:

Application for Splunk Enterprise User Guide Document Version 1.77 28 October 2015 10004-01 EN Rev. A

2015 ThreatConnect, Inc. ThreatConnect is a registered trademark of ThreatConnect, Inc. UNIX is a registered trademark of The Open Group. JavaScript is a registered trademark of the Oracle Corporation. Splunk is a registered trademark of Splunk, Inc. Application for Splunk Enterprise 2

TABLE OF CONTENTS OVERVIEW... 5 Key Features... 5 GETTING STARTED... 5 Prerequisites... 5 Installation... 6 ThreatConnect API User Creation... 6 THE THREATCONNECT APP FOR SPLUNK... 8 App Setup and Configuration... 8 Owner Configuration... 9 Setting Up Alerts... 11 Option 1... 11 Option 2 (Legacy)... 11 Basic Alert Scenario... 11 The ThreatConnect Dashboard... 13 The Indicator Dashboard... 16 The Diamond Dashboard... 17 The Threat Lookup Screen... 19 The Reports Screen... 19 The DB Data Menu... 20 The Search Screen... 21 Workflow: Event Actions... 21 Application for Splunk Enterprise 3

Workflow: Field Actions... 23 The ThreatConnect App Logs... 24 Indicator Logs... 24 Group Logs... 27 Tag Logs... 28 Application for Splunk Enterprise 4

OVERVIEW The ThreatConnect Application (App) for Splunk Enterprise gives Splunk users the ability to leverage customizable threat intelligence integrated into Splunk from their ThreatConnect accounts. ThreatConnect provides the ability to aggregate threat intelligence from multiple sources (i.e., open source, commercial, communities, and internally created), analyze and track identified adversary infrastructure and capabilities, and put that refined knowledge to work in Splunk, identifying threats targeting organizations. Key Features Multi-source threat intelligence collection (open source, commercial, communities, internal research) Transparent threat intelligence aggregated, confidence weighted, and applied to triggered Splunk alerts Automatic threat intelligence indicator updates Prioritized events based on criticality and confidence scores, relationships to known threat types and groups, past incidents, and tags Insights on a threat s capability, infrastructure, and past incidents affecting users or members of trusted communities represented using the Diamond Model for Intrusion Analysis History of how a Threat has affected users networks using the Diamond Dashboard GETTING STARTED Prerequisites Users will need an active ThreatConnect Application Programming Interface (API) account to leverage the ThreatConnect App for Splunk Enterprise. Users without a current subscription to ThreatConnect, who wish to start a trial of the ThreatConnect App for Splunk with a live connection to the latest customizable threat intelligence data, please inquire at: http://app.threatconnect.com/enterprisetrial.xhtml. Once an Organization has been licensed for API access, its users will need to create an API User within the Organization prior to Splunk interfacing with the ThreatConnect API. For detailed steps on creating an API User, please see the API User Creation section in the ThreatConnect Application Programming Interface User Guide. Application for Splunk Enterprise 5

Installation Users can download the ThreatConnect App for Splunk Enterprise from http://apps.splunk.com, or they can directly install the App from the Find more apps online link in Apps Manage Apps. For more information on installing Splunk Apps, reference the Splunk documentation located at: http://docs.splunk.com/documentation. ThreatConnect API User Creation A ThreatConnect API User is created from within the ThreatConnect Web application for the instance being used. For the ThreatConnect Cloud edition this is: https://app.threatconnect.com. To Create an API User: 1. Log in with an Organization Administrator account. 2. On the top navigation bar, click on the Account drop-down menu and select Org Settings (Figure 1). The Organization Settings screen will appear with the MEMBERSHIP tab highlighted (Figure 2). Figure 1 Figure 2 Application for Splunk Enterprise 6

3. Click on the + Create API User button, and the API User Administration pop-up screen will appear (Figure 3). Figure 3 4. Fill in the information requested, as shown in Table 1, and copy the Access ID and Secret Key to a safe location. Note: It is critical to save the Secret Key, as this will not be available again. If it is lost, the existing API User will need to be deleted, and a new API User will need to be created. Do not share the Access ID or Secret Key as these are your credentials and will be used to track API usage limits. Table 1 Parameter Description First Name Last Name Pseudonym The First Name of the user that will appear in posts, data modifications, and data creation within ThreatConnect The Last Name of the user that will appear in posts, data modifications, and data creation within ThreatConnect The Pseudonym of the user that will appear in posts, data modifications, and data creation within ThreatConnect Application for Splunk Enterprise 7

THE THREATCONNECT APP FOR SPLUNK App Setup and Configuration URL: https://[splunk_hostname]/en-us/manager/threatconnectapp/t/local/threatconnectapp/setup?action=edit After installing the ThreatConnect App for Splunk Enterprise, the application setup must be completed before accessing the App. To properly configure the App, fill in each of the form text boxes with the appropriate data from the API User Creation section, as shown in Figure 4. Figure 4 Application for Splunk Enterprise 8

Default Organization: This is the user s Organization as defined during account creation within the ThreatConnect application. API Base URL: The ThreatConnect Public Cloud API can be accessed at https://api.threatconnect.com. Users with a Private Cloud or On-Premises edition of ThreatConnect were provided with their instance URL during their initial setup and installation. API Access ID: The API Access ID corresponds with a user s ThreatConnect API account s Access ID. API Secret Key: The API Secret Key corresponds with a user s ThreatConnect API account key, accessible during account creation within the user s ThreatConnect organization. Activity Log: The Activity Log checkbox enables activity logging in the ThreatConnect Platform for any API write actions. Result Limits: These are the maximum value of results that can be returned in one query without pagination. The maximum value currently supported with the ThreatConnect API for returned results without pagination is 500. Unless there is a special requirement on a user s network, it is recommended this value be left at 500. Enable Proxy: This checkbox enables proxy-server support. Enable Debug: This checkbox enables debug logging for the ThreatConnect App for Splunk Enterprise. After the setup is complete, the ThreatConnect App for Splunk Enterprise will be accessible. When accessing the App, the default dashboard will not show any populated results, which is expected, until matched data is available. The ThreatConnect App for Splunk Enterprise will begin matching against a set of defined Common Information Model (CIM) data models upon setup. For custom matching, Alerts must be created to specify which log and event data within Splunk to match against. It is recommended that users create specific Alerts for their environments. Owner Configuration URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_owner_config After setting up the app, users may want to specify filters for the intelligence and indicators imported from ThreatConnect. The Owner Configuration page allows users to selectively choose what is imported into Splunk for alerting and context and how often it is updated. To create filters, provide criteria in each of the fields depicted on the Owner Configuration screen (Figure 5). Application for Splunk Enterprise 9

Figure 5 Select Owner: Select the Owner (Source, Community, or a user s ThreatConnect Organization s data) in which the download setting needs to be updated. Group Types: Select the ThreatConnect Group types to download for use in the Diamond Dashboard. Available options are Adversary, Incident, and Threat. Indicator Types: Select the Indicator types to download for use by the ThreatConnect App for Splunk Enterprise. Available options are: Address, Email, File, Host, and URL. Tag Filters: Add any Tags to filter indicators that are available to the ThreatConnect App for Splunk Enterprise. If Tags are provided, only indicators that have those Tags present will be downloaded into the App. Rating Filter: Select an indicator threat-rating threshold. In ThreatConnect, Threat ratings have a value of 0-5 points. Only indicators that meet the filter s threshold will be downloaded into the App. Confidence Filter: Select an indicator confidence threshold. In ThreatConnect, Confidence ratings have a value of 0-100%. Only indicators that meet the filter s threshold will be downloaded into the App. Cron Schedule: The schedule for the Indicator download is defined here. The recommended download period is once every 24 hours. More information on Cron settings can be found at: http://en.wikipedia.org/wiki/cron. Application for Splunk Enterprise 10

Setting Up Alerts Any search that returns a set of indicators can be saved as an alert that automatically searches for matching indicators from ThreatConnect. The search can return any single indicator type or multiple indicator types that are supported by the ThreatConnect API. There are two options to implement these automated ThreatConnect queries once the search has been created: Option 1 Once the search command is returning valid indicator results, the results need to be sent to the ThreatConnect script; provide the indicator field names in comma-separated format in the ioc_map option (e.g., sourcetype=cisco:asa action=drop stats count by src_ip where count > 500 rename src_ip as indicator tcalert ioc_map= src_ip victim_field= dest_ip ). The victim field argument is optional but highly recommended when possible. Option 2 (Legacy) 1. Use the Splunk built-in rename command to rename the indicator field to indicator (e.g., sourcetype=cisco:asa action=drop stats count by src_ip where count > 500 rename src_ip as indicator). 2. Once the search command is returning valid indicator results with a field name of indicator, the results need to be sent to the ThreatConnect script (e.g., sourcetype=cisco:asa action=drop stats count by src_ip where count > 500 rename src_ip as indicator tcalert). It is recommended that the search be run over the past hour of logs, and that the alert be set to run every hour. If any matches are found, a log entry will be created in the ThreatConnect App log, which can be viewed from the App s ThreatConnect Dashboard or by executing a search on the ThreatConnect sourcetype (e.g., sourcetype=threatconnect match=true). All non-matching calls to the ThreatConnect script will also create a log entry, which can be viewed by searching the ThreatConnect sourcetype (e.g., sourcetype=threatconnect match=false). The non-matching events are not displayed on the dashboard. Basic Alert Scenario In this example, a company has a requirement to monitor Internet traffic sourced from China that is coming into its network. The search could be as simple as: sourcetype=cisco:asa iplocation src_ip search Country=China rename src_ip as indicator. However, this could create a lot of results and trigger too many lookups. We can filter these results down to all traffic sourced from China that is not blocked by the firewall by adding an additional filter. The new search would be: sourcetype=cisco:asa action=permit iplocation src_ip search Country=China. This Application for Splunk Enterprise 11

search will now return less results. The search can be filtered further to exclude duplicate IP addresses by using the stats command to get the count of events by src_ip. To limit the results even further, a threshold can be added to the search using the where command. The new search would then be: sourcetype=cisco:asa action=permit iplocation src_ip search Country=China stats count by src_ip where count > 50.Now that the search results have been filtered to a comfortable level, they can be passed to the ThreatConnect script. 1. Ensure that the ' tcalert ioc_map= src_ip victim="dest_ip"' has been appended to the search (Figure 6). Figure 6 2. Click on the Save As button, select Alert from the drop-down menu, and the Save As Alert screen will appear (Figure 7). Note: The alert title can be any value; however, it is recommended to add a meaningful name for ease of recognition. Adding a description will also help others understand the purpose of the search. Figure 7 3. Ensure that the search time period is equal to the frequency of the Alert so that results are not missed. 4. Once the parameters on this screen have been entered, click the Next button to continue configuring the Alert (Figure 8). Application for Splunk Enterprise 12

Figure 8 5. Finalize the Alert configuration and click the Save button. This is a basic sample of creating a search to run as an Alert. There are unlimited combinations of searches that can be created to return indicators that are meaningful to threat analysis. These searches can then be configured as an Alert to automatically match indicators from ThreatConnect. All that users require is knowledge of their security logs and an understanding of what type of events can return useful data for threat analysis. The ThreatConnect Dashboard URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_main The ThreatConnect Dashboard provides an overview of matches between events in Splunk and indicator data in ThreatConnect. The first row of Single Valued Results provides a count of matched indicators with trending for the past 30 days. These indicators are separated by Indicator Type (Figure 9). Figure 9 Application for Splunk Enterprise 13

The drilldown action for these results directs the user to the Splunk search that generated the count. Note that the count deduplicates the indicator by each API lookup, so that the number of events might be different depending on the number of communities to which the indicator belongs. See The Search Screen section for more information on viewing the generated logs from matched indicators. The second row provides a timeline view of Matched Indicator by Type (Figure 10), which offers an oversight of indicator activity in Splunk. Figure 10 The view at the bottom displays the latest matched indicators in a paginated table (Figure 11). This table has a built-in form that allows dynamic filtering on indicator data. Figure 11 Note: A matching event may display several times if the matched indicator has several owners in ThreatConnect. In cases such as these, a row will be displayed for each owner of the indicator. Each column is described below: _time: This column is stored internally in UTC format. It is translated to human-readable UNIX time format when Splunk Enterprise renders the search results (the very last step of search-time event processing). Indicator: This column lists the indicator that matched between local logs and ThreatConnect. This value is a hyperlink that will open a page to the indicator s Details screen on the ThreatConnect website. Application for Splunk Enterprise 14

Victim: This column represents the bottom of the Diamond Model. This value is determined by the user while setting up alerts or automatically when searching the Data Models. Trigger: The trigger field is classified into three types: alert, auto, or manual. The alert trigger indicates that the matched event was found using a Splunk search configured as an alert. The auto trigger indicates that the matched event was found using the automatic Data Model search. The manual trigger indicates that the event was either matched using a workflow action, or that the indicator was searched using the manual search option. Rating: This column lists the criticality rating assigned by the indicator s owner within ThreatConnect. This value is on a scale of 0-5 points, with 5 being the most critical. The ratings are color highlighted by their value (0-2.99 no highlight; 3-4 amber; and > 4 red). Confidence: This column lists the confidence rating assigned by the indicator s owner within ThreatConnect. This value is on a scale of 0-100%. Owner: This column displays the owner of the indicator within ThreatConnect, which is, typically, a particular source, community, or the organization s own private data. Tags: This column displays any tags associated with the matched indicator by the owner. If multiple owners exist for a matched indicator, only tags created by the owner listed in the same row will be displayed in this column. Groups: This column display any groups associated with the matched indicator by the owner, as well as the group type (e.g., Incidents, Emails, Threats, Emails, Adversaries, Documents, or Signatures). If multiple owners exist for a matched indicator, only groups created by the owner listed in the same row will be displayed in the Groups (Types) column. Application for Splunk Enterprise 15

The Indicator Dashboard URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_indicators The Indicator Dashboard provides an additional view of the matched indicator data. This dashboard focuses on the groupings of the matched indicators themselves and provides some statistics on the most-recent indicators available from ThreatConnect. The first row of this timeline view (Figure 12) displays Matched Indicators by Owners (i.e., Source, Community, and Organization). Figure 12 The second row displays additional paginated tables for matched indicators (Figure 13). From left to right, these are the top matched indicators (with a count of times observed for each indicator), the top matched group names, and the top matched tags. Figure 13 Application for Splunk Enterprise 16

The Diamond Dashboard URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_diamond_dashboard This page allows users to lookup an Adversary, Incident, or Threat group from a specified owner in ThreatConnect. A Diamond Model profile of the group is given to include all known capabilities, infrastructure, and related incidents. Indicators associated to the group are matched using specified CIM Data Models. The first section of the dashboard allows the user to query a group with specified data models (Figure 14). Figure 14 The query parameters are specified by the following fields: Data Models: Specified CIM Data Models to match events against the group s indicators. Available data models include: Alerts, Email, Intrusion Detection, Malware, Network Resolutions, Network Sessions, Network Traffic, and Web. Owner: Select the Owner (i.e., Source, Community, or Organization) in which the group exists. Type: Select the Group Type (i.e., Adversary, Incident, or Threat). Name: Select the specific Group by name. Application for Splunk Enterprise 17

The second section of the dashboard shows a Diamond breakout of the queried group (Figure 15). The Adversary/Threat table shows Adversary and Threat associations to the queried group. The Associations table shows all associated Documents, Emails, Incidents, and Signatures to the queried group. The Capability table shows all known associated Common Vulnerabilities and Exposures (CVE) and malware files by MD5 hash. The Infrastructure table shows all Address, Email, Host, and URL indicators associated to the queried group. Figure 15 The third section of the dashboard shows a timeline and table of CIM events matched to the queried group (Figure 16). Figure 16 Application for Splunk Enterprise 18

The Threat Lookup Screen URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_manual_lookup This screen allows manual lookup of indicators against the ThreatConnect API (Figure 17). The indicator type will be automatically detected. This manual lookup will be logged to the App logs and will be displayed on the App Dashboard. The Reports Screen Figure 17 URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_ioc_download_report A few canned reports are created for monitoring ThreatConnect alert queries and for tracking how many of those queries hit the ThreatConnect API (Figure 18). User-defined custom reports can be added for more detailed views into the ThreatConnect data. Figure 18 Application for Splunk Enterprise 19

The DB Data Menu The DB Data drop-down menu provides additional screens for each ThreatConnect indicator type, independent of matches to events or logs within Splunk, allowing users to view statistics for each. The screens are formatted identically, and one screen exists for each indicator type: Address Indicators DB Data Page URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_indicator_addresses Email Addresses DB Data Page URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_indicator_emailaddresses File Indicators DB Data Page URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_indicator_files Host Indicators DB Data Page URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_indicator_hosts URL Indicators DB Data Page URL: https://[splunk_hostname]/en-us/app/threatconnectapp/tc_view_indicator_urls The first row displays graphical representations for the total number of indicators from ThreatConnect of the specified type (Figure 19). There are two charts: one for Indicator type by owner and another by rating. Figure 19 Application for Splunk Enterprise 20

The second row contains two tables that display the last 10 created and updated indicators (Figure 20). Figure 20 The final row displays a paginated table of all the indicators of that type pulled from ThreatConnect (Figure 21). The Search Screen Figure 21 URL: https://[splunk_hostname]/en-us/app/threatconnectsplunk/search Workflow: Event Actions Using the Search screen while in the ThreatConnect App provides additional features for threat analysis. The built-in Splunk Event Actions feature will display a link for any indicator field that follows the Common Information Model (CIM) standard naming convention. By selecting this link, the indicator displayed will be queried using the ThreatConnect API, and any matching results will be displayed in a results table (Figure 22). Application for Splunk Enterprise 21

Figure 22 Application for Splunk Enterprise 22

Workflow: Field Actions If the results fields do not follow the CIM naming convention, an indicator can still be queried in the ThreatConnect API by using the Field Actions menu. By selecting this link, the indicator displayed will be queried using the ThreatConnect API, and any matching result will be displayed in a results table (Figure 23). Figure 23 Application for Splunk Enterprise 23

The ThreatConnect App Logs The ThreatConnect App logs can be searched just like any other log in Splunk. The App logs are formatted in JavaScript Object Notation (JSON) and are easily readable by humans and machines. Indicator Logs All indicators that are passed to the ThreatConnect script are logged. Figure 24 displays a matching result in its native, collapsed form. Figure 24 Clicking on the plus sign (+) symbol in the Event column will expand the event to display additional data. Figure 25 displays a fully expanded matching-indicator result in the ThreatConnect App log. All the indicator data is nested in the indicator section of the event. All the search information, including the search string that created this log entry, is nested in the search section of the event. A key field in this data is search.method, which indicates if the search was performed manually by using the ThreatConnect Manual Lookup, by Workflow Action, or by an alert. Each field from the log below is described as follows: app: This field notates the ThreatConnect App as the source of the log. Indicator: This field is nested with data on the matched indicator from ThreatConnect s API. indicator.confidence: This field displays the owner-specific confidence value on the indicator provided from ThreatConnect s API. indicator.dateadded: This field displays the date the indicator was added to the owner within ThreatConnect. indicator.description: This field includes the owner-specific default-description attribute of the indicator from ThreatConnect. indicator.id: This field displays the indicator s id value from ThreatConnect. indicator.indicator: This field specifies the actual indicator value from ThreatConnect. Application for Splunk Enterprise 24

indicator.lastmodified: This field notates the time the indicator was last modified within ThreatConnect. indicator.owner: This field is nested with data on the indicator s owner from ThreatConnect. indicator.owner.id: This field displays the owner s id value from ThreatConnect. indicator.owner.name: This field includes the name of the indicator s owner within ThreatConnect. indicator.owner.type: This field specifies the type of owner. indicator.rating: This field notates the owner-specific criticality rating of the indicator. indicator.source: This field displays the owner-specific default-source attribute value for the indicator from ThreatConnect. indicator.email: This field is present if the matched indicator is an email address. Its value will be the email address indicator. indicator.hostname: This field is present if the matched indicator is a host name. Its value will be the host indicator. indicator.ip: This field is present if the matched indicator is an IP address. Its value will be the IP address indicator. indicator.md5: This field is present if the matched indicator is an MD5. Its value will be the MD5 hash indicator. indicator.sha1: This field is present if the matched indicator is a SHA1. Its value will be the SHA1 hash indicator. indicator.sha256: This field is present if the matched indicator is a SHA256. Its value will be the SHA256 hash indicator. indicator.text: This field is present if the matched indicator is a URL. Its value will be the URL indicator. indicator.type: This field specifies the type of indicator that was automatically determined by the ThreatConnect script. indicator.weblink: This field displays a unique URL link to the indicator s Details screen within the ThreatConnect platform. match: A value of True in this field signifies that the searched indicator matched a known indicator in ThreatConnect. A value of False in this field signifies that the searched indicator did not match a known indicator in ThreatConnect. search: This field is nested with data relevant to the search made within the ThreatConnect App. search.indicator: This field will be identical to the indicator.indicator on an event where match=true. Events that have match=false will not have an indicator section. Application for Splunk Enterprise 25

search.method: A value of alert in this field indicates that the log event was triggered by an alert. A value of manual in this field indicates that the log event was generated from a ThreatConnect Manual Lookup or a Workflow Action. search.owners: This field notates the ThreatConnect owners that were searched for the value in search.indicator. search.string: This field includes the search string that created this event. search.type: This field specifies the type of search performed in the ThreatConnect App. The values can be indicators, groups, or tags. timestamp: This field displays the timestamp for this logged event. uuid: This field displays the universally unique id value for this logged event. The uuid field can be used to join indicator events with matching tag and group events for the same search. Figure 25 Application for Splunk Enterprise 26

Figure 26 displays a fully expanded indicator event that did not match during the ThreatConnect script execution. The key field to note is match: False. This information is useful in tuning the alert to filter out additional indicators. It also provides a view into what is defined as a relevant indicator to trigger an alert. Figure 26 Group Logs Each time a matching indicator is found, the ThreatConnect script performs a query to find any matching groups that are related to the matching indicator. If matching groups are found, the group data will be written to the App log file. Figure 27 displays a fully expanded log entry for a group. This group can be associated with the matching indicator log entry using the uuid field. Each field unique to the group log is described as follows: group: This field is nested with data relevant to a group associated to a matched indicator. group.dateadded: This field displays the date on which an owner-specific group was added to ThreatConnect. group.id: This field displays the unique id of the group within ThreatConnect. group.name: This field specifies the name of the group within ThreatConnect. group.ownername: This field displays the name of the owner of the group within ThreatConnect. group.type: This field specifies the type of group. group.weblink: This group displays a URL link to the group s Details screen within ThreatConnect. Application for Splunk Enterprise 27

Figure 27 Tag Logs Each time a matching indicator is found, the ThreatConnect App performs a query to find any matching tags that are related to the matching indicator. If matching tags are found, the tag data will be written to the App log file. Figure 28 displays a fully expanded log entry for a tag. This tag can be associated with the matching indicator log entry using the uuid field. Each field unique to the group log is described as follows: tag: This field is nested with data relevant to a tag associated to a matched indicator. tag.name: This field displays the name of the tag within ThreatConnect. tag.weblink: This field displays a URL link to the tag s Details screen within ThreatConnect. Application for Splunk Enterprise 28

Figure 28 Application for Splunk Enterprise 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information