Turn on threat matching searches in Splunk Enterprise Security

Note: This documentation topic on threat intelligence applies only to users with access to the threat intelligence management system, and not to the threat intelligence management (cloud) system, in Splunk Enterprise Security.

Edit the threat matching searches that ship with Splunk Enterprise Security to enrich the incoming data in your deployment with threat intelligence. Threat matching searches compare the data collected from your network environment against the threat intelligence in your deployment and generate threat findings that help analysts investigate threats.

Configuring the threat matching settings in the UI automatically populates the corresponding [threat match] stanza (the threatmatch modular input, as the edit_modinput_threatmatch capability name indicates) in the inputs.conf configuration file of the DA-ESS Threat Intelligence module. The custom search builder reads these settings to construct the Search Processing Language (SPL) for the threat matching searches, so a change made in the UI changes the SPL that runs on the next scheduled interval.

The events generated by these threat matching searches are tagged for the threat intelligence data model and populate the threat_activity index. As a security analyst, you can review the items in the threat_activity index by selecting Analytics then Security intelligence then Threat intelligence and then Threat findings to find a dashboard to investigate threats.

You can customize the threat matching searches by making the following changes:

  • Add or remove extra data models
  • Change the time interval
  • Change the earliest or latest time
  • Add or remove aggregates
  • Add or remove datasets

Edit threat matching settings to customize threat matching searches

Edit the threat matching settings to generate the SPL for threat matching searches and enrich your data with threat intelligence.

Prerequisite

You must have an administrator role with edit_modinput_threatmatch capabilities to edit the threat matching settings.

Steps

  1. In Splunk Enterprise Security, select Configure and then Intelligence.
  2. In the Threat intelligence management section, select Threat matching.
  3. Use the following table to identify the available threat matching sources and the configuration settings associated with each threat matching search:

     Setting        Description                                                                   Example
     Source         Type of threat matching source in your deployment.                            certificate_common_name, certificate_serial, certificate_unit, dest, certificate_organization, domain
     Interval       The cron schedule on which the search runs. For more information on cron      0,30 * * * *
                    formats, see Commonly used cron field formats.
     Earliest time  Start of the event time range that each run of the search covers.             -45m@m
     Latest time    End of the event time range that each run of the search covers.               +0s
     Match fields   Data model fields that are compared against threat artifacts to generate      All_Certificates.SSL.ssl_issuer_common_name, All_Certificates.SSL.ssl_subject_common_name
                    findings.
     Status         Turns the threat matching search on or off.                                   Activate / Turn on, Deactivate / Turn off

    You can expand the threat matching source to view the SPL generated for the threat matching search.

  4. Select the threat matching source to edit the threat matching settings.
    This opens the Edit threat matching configuration dialog box.

    Note: You can only turn on, turn off, or edit existing threat matching sources using the UI. You can't use the editor to create new threat matching sources.

    Use the following table to edit the specific configuration settings for your threat matching search:

     Setting               Description
     Name                  Name of the threat matching stanza in inputs.conf.
     Source                Name of the threat matching source, that is, the type of threat artifact being matched.
     Earliest time         Start of the event time range that each run of the threat matching search covers.
     Latest time           End of the event time range that each run of the threat matching search covers.
     Interval              Cron schedule on which the threat matching search runs.
     Max aggregate values  Maximum number of aggregate values that the threat matching search collects.
     Datasets              Data model datasets currently included in the threat matching search.

    You can delete an existing dataset from the threat matching search by selecting the X next to that dataset, and edit an existing dataset by selecting the pencil icon next to it. You can turn an existing dataset on or off by selecting Activate / Turn on or Deactivate / Turn off for the dataset. Within a dataset, you can also remove specific fields that the threat matching search matches against. Make sure that the earliest time reaches back at least as far as the gap between scheduled runs; otherwise, events that arrive between two runs are never compared against threat intelligence.
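The following is an added example, not code from Splunk Enterprise Security, that models the settings in the tables above and shows two things a practitioner would check before turning a threat matching source on: that the earliest/latest window actually covers the gap between cron runs, and what a search builder assembles from the datasets and match fields. The dataclass names, the helper functions, and the simplified tstats search it emits are assumptions for illustration; the SPL that Splunk Enterprise Security generates for a threat matching source is different and should be read from the expanded source in the UI.

```python
"""Added example: validate threat matching settings and assemble a tstats
search from them. Names, stanza fields and the emitted SPL are assumptions,
not the SPL that Splunk Enterprise Security generates."""
import re
from dataclasses import dataclass, field as dc_field
from typing import List


@dataclass
class Dataset:
    datamodel: str            # data model, e.g. "Certificates"
    dataset: str              # dataset object, e.g. "All_Certificates"
    match_fields: List[str]   # fields compared against threat artifacts
    enabled: bool = True


@dataclass
class ThreatMatchSource:
    name: str                 # stanza name, e.g. "certificate_common_name"
    earliest: str             # Splunk relative time, e.g. "-45m@m"
    latest: str               # Splunk relative time, e.g. "+0s"
    interval: str             # 5-field cron schedule
    max_aggregate_values: int
    datasets: List[Dataset] = dc_field(default_factory=list)
    enabled: bool = True


_REL_TIME = re.compile(r"^([+-])(\d+)(s|m|h|d)(@[smhd])?$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def relative_seconds(spec: str) -> int:
    """Convert a relative time such as -45m@m or +0s to seconds from now.
    The snap-to suffix (@m) is accepted but ignored for this check."""
    m = _REL_TIME.match(spec)
    if not m:
        raise ValueError(f"unsupported relative time: {spec!r}")
    sign, n, unit, _snap = m.groups()
    secs = int(n) * _UNIT_SECONDS[unit]
    return -secs if sign == "-" else secs


def cron_run_gap_minutes(cron: str) -> int:
    """Largest gap in minutes between consecutive runs for a cron whose
    hour/day/month/weekday fields are '*' and whose minute field is '*',
    a comma list, or a */N step (the shapes used for threat matching)."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError(f"cron needs 5 fields, got {len(fields)}: {cron!r}")
    minute, rest = fields[0], fields[1:]
    if rest != ["*"] * 4:
        raise ValueError("only every-hour minute schedules are handled here")
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step:
        return int(step.group(1))
    minutes = sorted({int(x) for x in minute.split(",")})
    gaps = [b - a for a, b in zip(minutes, minutes[1:])]
    gaps.append(60 - minutes[-1] + minutes[0])   # wrap into the next hour
    return max(gaps)


def check_coverage(src: ThreatMatchSource) -> List[str]:
    """Return problems that would make the search miss events entirely."""
    problems = []
    earliest, latest = relative_seconds(src.earliest), relative_seconds(src.latest)
    if earliest >= latest:
        problems.append("earliest must be before latest")
    lookback_min = (latest - earliest) // 60
    gap = cron_run_gap_minutes(src.interval)
    if lookback_min < gap:
        problems.append(f"lookback {lookback_min}m is shorter than the {gap}m run gap: "
                        "events between runs are never matched")
    if src.max_aggregate_values < 1:
        problems.append("max aggregate values must be at least 1")
    if not any(d.enabled for d in src.datasets):
        problems.append("no active dataset: the search matches nothing")
    return problems


def build_spl(src: ThreatMatchSource) -> List[str]:
    """One simplified tstats search per active dataset, split by match fields."""
    searches = []
    for d in src.datasets:
        if not d.enabled:
            continue
        by = ", ".join(d.match_fields)
        searches.append(f"| tstats summariesonly=true count "
                        f"from datamodel={d.datamodel}.{d.dataset} "
                        f"where earliest={src.earliest} latest={src.latest} by {by}")
    return searches


# Constructed from the example values in the tables above.
CERT_CN = ThreatMatchSource(
    name="certificate_common_name", earliest="-45m@m", latest="+0s",
    interval="0,30 * * * *", max_aggregate_values=1000,
    datasets=[Dataset("Certificates", "All_Certificates",
                      ["All_Certificates.SSL.ssl_issuer_common_name",
                       "All_Certificates.SSL.ssl_subject_common_name"])])

if __name__ == "__main__":
    for line in check_coverage(CERT_CN) or ["ok: lookback covers the run interval"]:
        print(line)
    print("\n".join(build_spl(CERT_CN)))
```

With the documented example values (runs at :00 and :30, earliest -45m@m) the 45-minute lookback overlaps each 30-minute gap, so check_coverage reports nothing; shortening earliest to -20m@m without changing the interval produces a coverage warning, which is the misconfiguration to look for after editing a source.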

Add a new dataset to the threat matching search

Turn off individual threat artifacts

To prevent individual threat artifacts on a threat list from creating findings if they match events in your environment, turn off individual threat artifacts. If you have command line access to the Splunk Enterprise Security search head, you can turn off individual threat artifacts using the REST API. See Threat Intelligence API reference in the Splunk Enterprise Security REST API Reference.