
SPLUNK THREAT INTEL IOC INTEGRATION VIA LOOKUPS

Sep 6, 2015 | Command Line, Security Monitoring, Splunk, Tutorial

Most security teams today have access to many different information sources.
On the one hand they collect log data from a variety of sources and try to
correlate it in a useful way in so-called SIEM systems. On the other hand they
receive threat information from sources such as APT reports and public or
private feeds, or derive indicators from their own investigations and from
incident response work.
One of the main tasks of security monitoring is therefore to combine these data
sources: either apply the threat intel information to the data that is already
available in the SIEM, or scan for it on demand using tools like my free IOC
scanner LOKI or our APT scanner THOR.
In this article I describe a method to apply threat intel information to log
data in Splunk using simple lookup definitions.
I recently integrated two different threat intel receivers into my free IOC
scanner LOKI. One of them fetches all IOC (indicator of compromise) elements
from AlienVault's Open Threat Exchange platform OTX and saves them to a
subfolder of the LOKI program folder, where they are picked up at startup.
This weekend I added a new option, "--siem", that instructs the receiver to
write CSV files with a header line and the column format that a lookup
definition in Splunk expects.

[Figure: Example – Threat Intel Feed OTX Receiver (LOKI)]

The resulting file for the hash IOCs looks like this:

[Figure: Threat Intel Hash CSV for Splunk Lookup]

The "-o" parameter selects the output folder. I chose the lookup folder of the
Search app, "$SPLUNK_HOME/etc/apps/search/lookups". The files must be readable
by the account Splunk runs as, and a lookup definition created there inherits
the app scope and sharing permissions of the Search app, so share it with all
apps if the alert will run in a different app context.

[Figure: Threat Intel CSV Files in Splunk Search App Lookup Folder]

After saving the output files to this directory we can select the CSV file in
the lookup definition dialog (Settings > Lookups > Lookup definitions > Add
new). I named the lookup "otxhash".

[Figure: Threat Intel CSV File Lookup Definition in Splunk]

Now we can apply this lookup to any log data that contains file hashes, such as
antivirus logs, THOR and LOKI scan results or, as in this case, the logs of
Microsoft Sysmon.

[Figure: Windows Sysmon Log Data in Splunk]

Using the free Add-on for Microsoft Sysmon, all log fields are extracted
automatically. You will see a field named "Hash" that can be used in our search
definitions for a direct lookup.

[Figure: Windows Sysmon Log Data with Hash Values of Executables]

The lookup compares the "Hash" field of the Sysmon event with the "hash" field
of the OTX threat intel CSV and, on a match, sets a new "threat_description"
field to the value of the CSV's "description" field. Two things to check before
relying on it: lookup matching is case-sensitive unless you untick "Case
sensitive match" in the definition's advanced options, so normalize the case of
the event field (or of the feed) if the two differ, and make sure the feed
contains digests of the same algorithm that Sysmon is configured to log, since
an MD5 in the feed never matches a SHA1 in the event.



index=windows_sysmon
| lookup otxhash hash AS Hash OUTPUT description AS threat_description
| search threat_description=*
| table UtcTime,ComputerName,User,Hash,ProcessId,CommandLine,threat_description

After the lookup I search for all events that have a "threat_description" field
set and display them in an easy-to-read table view. Only events whose "Hash"
matched a "hash" from the CSV will have this new field. In the example below I
had a match on an unwanted application called "Pantsoff" that I used in my lab
environment for this PoC.

[Figure: Threat Intel Lookup in Splunk]

I would save this search as an alert that runs every 15 minutes over the log
data of the last 15 minutes, so that you are informed promptly when a
blacklisted executable has been used (avoid real-time searches and alerts in
Splunk). Give the time window a small overlap or delay, because events that are
indexed late would otherwise fall between two runs. The threat intel receiver
itself should be scheduled via cron to run hourly or daily; have it write the
new CSV under a temporary name and rename it into place, so that a search never
reads a half-written lookup file.
The two other files created by the threat intel receiver contain filename and
C2 server indicators (hostnames, IPs) that can be applied in the same way.
The one small downer is that a plain lookup definition only matches on
equality and cannot find events that merely contain a value from the CSV file.
That is no problem for the C2 server definitions, but it is for filename
definitions such as "AppData\\evil.exe". If you need this, a lookup can be
switched to wildcard matching by setting its match_type to WILDCARD(filename)
in transforms.conf and storing the indicator as a pattern with a leading
asterisk; the same mechanism offers CIDR(field) matching for IP ranges.
I'll improve the threat intel receivers in the coming weeks and add the
"--siem" option to the MISP receiver as well.
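As an added example, not LOKI's receiver code and not Splunk's own lookup implementation, the following Python script builds the header-line CSV, reads it back as a lookup table and emulates the "lookup ... OUTPUT" and "search threat_description=*" pipeline from the search above over a few constructed Sysmon events; it also runs the wildcard variant that covers the filename case from the previous paragraph. The indicator values, the event fields and the tolerance for an "ALG=" prefix on the hash (which newer Sysmon versions write) are assumptions made for this example.

```python
import csv
import fnmatch
import io

# Constructed indicators in the header-line CSV shape the "--siem" receiver
# writes. Hashes, descriptions and the filename pattern are made up.
OTX_HASHES = [
    {"hash": "d41d8cd98f00b204e9800998ecf8427e",
     "description": "PUA Pantsoff (lab sample)"},
    {"hash": "44d88612fea8a8f36de82e1278abb02f",
     "description": "EICAR test file"},
]
# Filename IOC stored as a wildcard pattern (assumption: receiver emits it so).
OTX_FILENAMES = [
    {"filename": "*AppData\\evil.exe", "description": "Dropper location"},
]

# Constructed Sysmon process-creation events as the add-on extracts them;
# Sysmon writes hash digests as uppercase hex.
SYSMON_EVENTS = [
    {"UtcTime": "2015-09-06 10:12:01.000", "ComputerName": "LAB-WS01",
     "User": "LAB\\tester", "Hash": "D41D8CD98F00B204E9800998ECF8427E",
     "ProcessId": "4120", "CommandLine": "C:\\Tools\\pantsoff.exe",
     "Image": "C:\\Tools\\pantsoff.exe"},
    {"UtcTime": "2015-09-06 10:13:44.000", "ComputerName": "LAB-WS01",
     "User": "LAB\\tester", "Hash": "0CC175B9C0F1B6A831C399E269772661",
     "ProcessId": "4188", "CommandLine": "notepad.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"UtcTime": "2015-09-06 10:15:09.000", "ComputerName": "LAB-WS02",
     "User": "LAB\\bob", "Hash": "92EB5FFEE6AE2FEC3AD71C777531578F",
     "ProcessId": "2204", "CommandLine": "evil.exe /s",
     "Image": "C:\\Users\\bob\\AppData\\evil.exe"},
]


def write_lookup_csv(rows, fieldnames):
    """Serialize indicator rows with a header line, as a CSV lookup needs."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def load_lookup(csv_text):
    """Read the CSV back the way Splunk does: the header line names the fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def exact_hash_match(event_value, ioc_value):
    """Equality match with the two normalizations that otherwise break it:
    case (feeds are lowercase, Sysmon is uppercase) and an optional
    'ALG=' prefix as newer Sysmon versions write it (assumption)."""
    digest = event_value.split("=", 1)[-1].strip().lower()
    return digest == ioc_value.strip().lower()


def wildcard_match(event_value, ioc_value):
    """Equivalent of match_type = WILDCARD(<field>) in transforms.conf:
    '*' and '?' in the CSV value are wildcards, compared case-insensitively."""
    return fnmatch.fnmatchcase(event_value.lower(), ioc_value.lower())


def apply_lookup(events, table, event_field, lookup_field, output_field,
                 output_as, matcher):
    """Emulate `| lookup <table> <lookup_field> AS <event_field>
    OUTPUT <output_field> AS <output_as>`; the first matching row wins."""
    enriched = []
    for event in events:
        event = dict(event)
        for row in table:
            if matcher(event.get(event_field, ""), row[lookup_field]):
                event[output_as] = row[output_field]
                break
        enriched.append(event)
    return enriched


def search_threats(events):
    """Equivalent of `| search threat_description=*`."""
    return [e for e in events if "threat_description" in e]


def run_demo():
    """Hash lookup as in the article, plus the wildcard filename lookup."""
    otxhash = load_lookup(write_lookup_csv(OTX_HASHES, ["hash", "description"]))
    otxfile = load_lookup(write_lookup_csv(OTX_FILENAMES,
                                           ["filename", "description"]))
    hash_hits = search_threats(apply_lookup(
        SYSMON_EVENTS, otxhash, "Hash", "hash", "description",
        "threat_description", exact_hash_match))
    file_hits = search_threats(apply_lookup(
        SYSMON_EVENTS, otxfile, "Image", "filename", "description",
        "threat_description", wildcard_match))
    return hash_hits, file_hits


if __name__ == "__main__":
    hash_hits, file_hits = run_demo()
    for hit in hash_hits + file_hits:  # the `| table ...` line of the search
        print(hit["UtcTime"], hit["ComputerName"], hit["User"], hit["Hash"],
              hit["ProcessId"], hit["CommandLine"], hit["threat_description"])
```

Running it reports the Pantsoff event through the hash lookup and the evil.exe event through the wildcard filename lookup, while notepad.exe is left without a threat_description; the case and prefix normalization in exact_hash_match is exactly what a real lookup definition needs, either as "Case sensitive match" unticked or as an eval on the event field before the lookup.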
I hope you enjoyed the article and found it inspiring even if you don't use
Splunk or the other tools mentioned.
Besides: I am working on a RESTful web service with the working title "TRON"
that allows querying for threat intel indicators and supports different
comparison modes, including the missing "contains", with OpenIOC and STIX as
input formats. It is not ready yet, but I'll let you know as soon as there is
something to show.
Follow me on Twitter via @Cyb3rOps
