Integrate a Splunk Enterprise Security On-Premises Device

Configure a Splunk Enterprise Security on-premises device to pull IOCs from Threat Command.

The following table shows device-specific integration characteristics:

| Characteristic | Description |
| --- | --- |
| IOC types | Domains, IP addresses, and URLs. |
| IOC group limitation | Each IOC group can contain only one type of IOC. For multiple types, create multiple IOC groups. |
| Device IOC limit | The device is limited to this number of IOCs: CSV: 500,000; TAXII: 40,000. |

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to the Threat Command virtual appliance.
  2. Configure the device to pull IOCs from Threat Command.

Add a Splunk Enterprise Security on-premises device

The procedure to add the device to Threat Command is different depending on the version of the Threat Command virtual appliance in your environment. To determine which version is running, see Determine the Version of Virtual Appliance.

Add the on-premises device

Add the device in virtual appliance v3.9

Prerequisites:

  • The Threat Command virtual appliance web interface is configured and you can access it.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. From an internet browser, navigate to https://<virtual appliance IP address>
  2. Log in to the virtual appliance using the web access username and password.
  3. From the Devices page, click Devices (Pull).
  4. Click Add new device.
  5. In the Devices (Pull) screen, set up the new device:
    1. Type a user-defined, unique device name.
    2. Select the device type.
    3. Click Create.
  6. Verify that the new device was added:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.
Add the device in virtual appliance v4.0

Prerequisites:

  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click On-Premises.
  4. Click Add new device.
  5. In the Add New On-Premises Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default IOC limit for the device is displayed.
  7. (Optional) Change the IOC limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.

Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

When selecting the device in Step 6, it is important to select the CSV or TAXII device, according to your operating environment.

Configure a Splunk Enterprise Security device to pull IOCs

After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command.

Configuration for on-premises devices

When configuring an on-premises device, it is important to know which version of the Threat Command virtual appliance is running in your environment. This will affect which Rapid7 URL is displayed in the Device Details screen and also which URL to copy into the device management console.


When running version 4.0 or later, the Legacy URL should be used only with Rapid7 support.

To determine which version of the virtual appliance is running, see Determine the Version of Virtual Appliance.

Prerequisites

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.

You must repeat the following procedure for each IOC group to pull into the device.

The procedure is different depending on whether the Splunk instance is using CSV or TAXII. Proceed to the relevant section:

  • Splunk ES – CSV
    For CSV, you must know whether the IOC group contains IP addresses or URLs and domains. To determine this, click the IOC group name in the Threat Command Integrations page.

  • Splunk ES - TAXII
    For TAXII, port 9000 is required.
    When editing an IOC group for TAXII encoding, IOCs are only pulled from the time of the edit. To pull earlier IOCs, create a new IOC group.

Splunk Enterprise Security – CSV

  1. From Threat Command, copy the Splunk Enterprise Security IOC group URL:

    1. From the Threat Command main menu, select Automation > Integrations.
    2. From the On-Premises device list, select the Splunk Enterprise Security (CSV) device.
    3. From the far right of an IOC group row, click the link icon.
      The IOC Group URL dialog is displayed.
    4. From the IOC Group URL dialog, copy the URL:
      • For virtual appliance v4.0 or later: Use the IOC Group URL.
      • For virtual appliance v3.9 or earlier: Use the Legacy URL.
  2. Log in to the Splunk Enterprise Security management console.

  3. Navigate to Enterprise Security > Configure > Data Enrichment > Threat Intelligence Downloads.
    Current IOC pulls are displayed.

  4. Click New.

  5. In the Threat Intelligence Download Settings screen, type the following values:

    | Field | Value to type | Description |
    | --- | --- | --- |
    | Name | A user-defined name | This name is displayed in the Threat Intelligence screen. It can be used to search for IOCs. |
    | Type | threatlist | Type "threatlist" in lowercase letters. |
    | Description | A user-defined description | This description is displayed in the Threat Intelligence screen. |
    | URL | URL of the IOC group with the real IP address of the Threat Command virtual appliance, for example https://10.0.0.230:8080/splunkESGroup | Paste the value copied in Step 1. For virtual appliance v4.0 or later, use the IOC Group URL; for v3.9 or earlier, use the Legacy URL. Be sure to replace [APPLIANCE_IP/HOST] with the actual IP address or hostname of the virtual appliance. |
    | Weight | 1 | Type the value 1. |
    | Interval | 43200 | Type the value 43200 (seconds, so IOCs are pulled once every 12 hours). |
    | Post arguments | Leave blank. | |
    | Maximum age | Leave blank. | |
  6. In the Parsing Options section of the Threat Intelligence Download Settings screen, type the following values, depending on whether the IOC group contains IP addresses or whether it contains domains and URLs:

    If the IOC group contains IP addresses:
      • Delimiting regular expression: , (a comma)
      • Extracting regular expression: leave blank
      • Fields: ip:$1 (type this exact text)
      • Ignoring regular expression: (^#|^\s*$) (type this exact text; it skips comment and blank lines)
      • Skip header lines: 0

    If the IOC group contains domains and URLs:
      • Delimiting regular expression: , (a comma)
      • Extracting regular expression: leave blank
      • Fields: domain:$1,url:$2 (type this exact text)
      • Ignoring regular expression: (^#|^\s*$) (type this exact text; it skips comment and blank lines)
      • Skip header lines: 0
  7. Click Save to deploy the changes.

  8. If you have more than one IOC group, repeat this procedure for each IOC group.
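The parsing options above (a comma delimiter, an ignore pattern for comment and blank lines, and a Fields mapping that differs between IP groups and domain/URL groups) can be exercised offline to see what Splunk ES will extract from each kind of IOC group, and what goes wrong when a group is given the wrong profile. The following Python script is an added example written for this page; it is not Rapid7 or Splunk code, and it only approximates the Splunk ES threatlist parser for the settings listed here. The two feeds are constructed samples, not real Threat Command output.

```python
import ipaddress
import re

# Parsing options as the page prescribes them for a Splunk ES CSV device.
DELIM_REGEX = r","
IGNORE_REGEX = r"(^#|^\s*$)"   # skip comment lines and blank lines
SKIP_HEADER_LINES = 0

# "Fields" value per IOC group type; $N refers to the N-th delimited column.
FIELDS_BY_GROUP_TYPE = {
    "ip": "ip:$1",
    "domain_url": "domain:$1,url:$2",
}

# Constructed sample feeds (not real Threat Command output). Each IOC group
# holds a single IOC type, as the integration requires.
SAMPLE_IP_FEED = """# splunkES_ips IOC group (constructed sample)
203.0.113.10
198.51.100.77

192.0.2.5
"""

SAMPLE_DOMAIN_URL_FEED = """# splunkES_domains IOC group (constructed sample)
malicious.example,https://malicious.example/login.php
evil.example.net,http://evil.example.net/payload.bin
"""


def parse_fields_spec(spec):
    """Turn 'domain:$1,url:$2' into [('domain', 1), ('url', 2)]."""
    mapping = []
    for item in spec.split(","):
        name, ref = item.split(":", 1)
        if not ref.startswith("$"):
            raise ValueError(f"unsupported field reference: {ref}")
        mapping.append((name, int(ref[1:])))
    return mapping


def parse_threatlist(text, fields_spec, delim_regex=DELIM_REGEX,
                     ignore_regex=IGNORE_REGEX,
                     skip_header_lines=SKIP_HEADER_LINES):
    """Approximate the Splunk ES threatlist parser for the settings above.

    Returns (records, rejected): records is a list of dicts, one per IOC
    line; rejected holds lines that lack a column the Fields spec refers to,
    which is what happens when a group is given the wrong profile.
    """
    mapping = parse_fields_spec(fields_spec)
    ignore = re.compile(ignore_regex)
    delim = re.compile(delim_regex)
    records, rejected = [], []
    for line in text.splitlines()[skip_header_lines:]:
        if ignore.search(line):
            continue
        cols = delim.split(line)
        record = {}
        for name, idx in mapping:
            if idx > len(cols) or not cols[idx - 1]:
                record = None
                break
            record[name] = cols[idx - 1]
        if record is None:
            rejected.append(line)
        else:
            records.append(record)
    return records, rejected


def validate(records):
    """Sanity-check parsed records: an ip field must hold an IP address and a
    url field must carry a scheme. Returns the records that fail."""
    bad = []
    for rec in records:
        ok = True
        if "ip" in rec:
            try:
                ipaddress.ip_address(rec["ip"])
            except ValueError:
                ok = False
        if ok and "url" in rec and not re.match(r"^[a-z][a-z0-9+.-]*://", rec["url"], re.I):
            ok = False
        if not ok:
            bad.append(rec)
    return bad


if __name__ == "__main__":
    ip_recs, ip_rej = parse_threatlist(SAMPLE_IP_FEED, FIELDS_BY_GROUP_TYPE["ip"])
    dom_recs, dom_rej = parse_threatlist(SAMPLE_DOMAIN_URL_FEED, FIELDS_BY_GROUP_TYPE["domain_url"])
    print("IP group:", ip_recs, "rejected:", ip_rej)
    print("Domain/URL group:", dom_recs, "rejected:", dom_rej)
    # Wrong profile, loud failure: the IP group has no second column for url:$2.
    _, rej = parse_threatlist(SAMPLE_IP_FEED, FIELDS_BY_GROUP_TYPE["domain_url"])
    print("IP group with domain/URL profile, rejected:", rej)
    # Wrong profile, silent failure: domain names land in the ip field.
    recs, _ = parse_threatlist(SAMPLE_DOMAIN_URL_FEED, FIELDS_BY_GROUP_TYPE["ip"])
    print("Domain/URL group with IP profile, invalid records:", validate(recs))
```

Running it shows the two failure modes: an IP group parsed with the domain/URL profile is rejected outright because there is no second column for url:$2, while a domain/URL group parsed with the IP profile loads without error and puts domain names into the ip field. The second case is the one that is easy to miss in Splunk, which is why the text insists on checking the IOC group type in the Integrations page before choosing the parsing values.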

Splunk Enterprise Security – TAXII 

  1. From Threat Command, open the Splunk IOC group Device Details screen:

    1. From the Threat Command main menu, select Automation > Integrations.
    2. From the On-Premises device list, select the Splunk Enterprise Security (TAXII) device.
    3. Click the link icon to the far right of the device IOC group.
      The Device Details dialog is displayed.
  2. Log in to the Splunk Enterprise Security management console.

  3. Navigate to Enterprise Security > Configure > Data Enrichment > Threat Intelligence Downloads.
    Current IOC pulls are displayed.

  4. Click New.

  5. In the Threat Intelligence Download Settings screen, type the following values:

    | Field | Value to type | Description |
    | --- | --- | --- |
    | Name | A user-defined name | This name is displayed in the Threat Intelligence screen. It can be used to search for IOCs. |
    | Type | taxii | Type "taxii" in lowercase letters. |
    | Description | A user-defined description | This description is displayed in the Threat Intelligence screen. |
    | URL | URL of the IOC group with the real IP address of the Threat Command virtual appliance, for example https://10.0.0.230:8080/splunkESGroup/services/poll | Paste this value from the Threat Command Device Details screen. For virtual appliance v4.0 or later, use the TAXII URL; for v3.9 or earlier, show and use the Legacy URL. Be sure to replace [APPLIANCE_IP/HOST] with the actual IP address or hostname of the virtual appliance. |
    | Weight | 1 | Type the value 1. |
    | Interval | 43200 | Type the value 43200. By default, IOCs are pulled once every 12 hours. |
    | Post arguments | The Post arguments value from the Device Details screen | For virtual appliance v4.0 or later, use the Post arguments; for v3.9 or earlier, show and use the Legacy Post arguments. Copy the value exactly from the Threat Command Device Details screen. It includes the username and password, so those do not need to be added separately. |
    | Maximum age | Not applicable; leave blank. | |
  6. In the Parsing Options section of the Threat Intelligence Download Settings screen, leave the default values.

  7. Deploy the changes.

  8. If you have more than one IOC group, repeat this procedure for each IOC group.

View pulled IOCs in Splunk ES 

Viewing downloaded IOCs in the Threat Intelligence Downloads window can take a long time. You can view the data earlier using the following methods.

Threat Artifacts dashboard

This viewing method shows all IOCs, including the Threat Command enrichment (in TAXII).

  • From the main menu, click Security Intelligence > Threat Intelligence > Threat Artifacts.

Splunk search function

This viewing method enables seeing only those IOCs that match the search terms.

  1. From the main menu, click Search and Reporting.
  2. In the search field, type:

|`http_intel` |`ip_intel` |`file_intel` | search threat_key=*Name*

Where:

  • The marks around http_intel, ip_intel, and file_intel are backticks, not apostrophes (on most keyboards, the key to the left of the 1 numeral key); they invoke Splunk search macros.

  • Name is the exact, case-sensitive name that you configured in the Threat Intelligence Download Settings screen.

    You can use any combination of these settings, surrounded and separated by the pipe character:

    | Search text | Description |
    | --- | --- |
    | http_intel | Return URLs found in Name |
    | ip_intel | Return IP addresses and domains found in Name |
    | file_intel | Return file hashes found in Name |

curl access

You can use a curl query to the virtual appliance to get all of the IOCs in a terminal view. For information on how to use curl, contact Customer Support.