Overview of risk lists
Risk lists can be used to correlate and enrich events. For each element in a risk list (e.g. an IP address, a URL or a hash) there is a risk score and information about why that score was assigned.
Correlation
Any risk list that is configured is downloaded to the Splunk server and processed locally. Part of the information is inserted into the Threat Intelligence framework that is part of Splunk Enterprise Security. The framework maintains lists of Indicators of Compromise (IOCs) from external sources (such as Recorded Future).
If an event matches an entry of the appropriate list it is flagged for possible further action. An example of further action is a correlation search such as the "Threat Activity Detected" rule: events matching this rule are raised as notable events in Splunk Enterprise Security.
Enrichment
Any downloaded risk list is also stored as a lookup table. Recorded Future's Add-on for Splunk Enterprise Security has preconfigured saved searches that look at notable events and create new notable events for any event where additional data is available. The new event contains additional information such as the Recorded Future Risk Score and details of why this risk has been assigned to the IOC.
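As an added illustration of what the correlation and enrichment steps do (example code written for this page, not the add-on's own searches or code): the script below loads a risk list CSV into a lookup, correlates a few events against it and attaches the risk score and the reasons behind it to each match. The column layout (Name, Risk, RiskString, EvidenceDetails with a JSON document in the last cell) and the notable threshold of 65 are assumptions; the list rows and the events are constructed. The same loader works for any list name, which is why a custom list only needs its own lookup file and its own copy of the search.

```python
import csv
import io
import json

# Constructed sample risk list in the column layout this example assumes
# (Name, Risk, RiskString, EvidenceDetails). The IPs are documentation
# ranges and the rule names are made up; this is not a real download.
RISKLIST_CSV = """Name,Risk,RiskString,EvidenceDetails
198.51.100.23,89,2/50,"{""EvidenceDetails"": [{""Rule"": ""Recent C2 Server"", ""Criticality"": 4}, {""Rule"": ""Historical Botnet Traffic"", ""Criticality"": 2}]}"
203.0.113.7,25,1/50,"{""EvidenceDetails"": [{""Rule"": ""Historical Suspicious Scanner"", ""Criticality"": 1}]}"
"""

# Constructed firewall-style events, as they might look after CIM field
# extraction (src/dest are the fields the threat framework matches on).
EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "src": "10.0.0.5", "dest": "198.51.100.23", "action": "allowed"},
    {"_time": "2024-05-01T10:00:05Z", "src": "10.0.0.9", "dest": "203.0.113.7", "action": "allowed"},
    {"_time": "2024-05-01T10:00:09Z", "src": "10.0.0.9", "dest": "192.0.2.44", "action": "blocked"},
]


def load_risklist(text):
    """Parse a risk list CSV into {indicator: {risk, risk_string, evidence}}.

    EvidenceDetails is a JSON document stored inside one CSV cell, so it is
    decoded only after the CSV layer has undone the quote doubling.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        details = json.loads(row["EvidenceDetails"])
        table[row["Name"]] = {
            "risk": int(row["Risk"]),
            "risk_string": row["RiskString"],
            "evidence": [d["Rule"] for d in details["EvidenceDetails"]],
        }
    return table


def enrich(events, risklist, fields=("src", "dest"), notable_threshold=65):
    """Correlate events against the list and enrich every match.

    Returns one record per matching (event, field). Each record keeps the
    original event and adds the matched field, the risk score and the
    reasons behind it. notable_threshold is an assumed cut-off for raising
    a notable; tune it to your own urgency policy.
    """
    hits = []
    for event in events:
        for field in fields:
            entry = risklist.get(event.get(field))
            if entry is None:
                continue
            hits.append({
                **event,
                "threat_match_field": field,
                "threat_match_value": event[field],
                "rf_risk": entry["risk"],
                "rf_risk_string": entry["risk_string"],
                "rf_evidence": entry["evidence"],
                "notable": entry["risk"] >= notable_threshold,
            })
    return hits


if __name__ == "__main__":
    for hit in enrich(EVENTS, load_risklist(RISKLIST_CSV)):
        flag = "NOTABLE" if hit["notable"] else "info"
        print(f'{hit["_time"]} {hit["threat_match_field"]}={hit["threat_match_value"]} '
              f'risk={hit["rf_risk"]} ({hit["rf_risk_string"]}) [{flag}] '
              f'reasons={"; ".join(hit["rf_evidence"])}')
```

Run as a script it prints one line per match: the connection to 198.51.100.23 is raised as notable with both reasons attached, the one to 203.0.113.7 is enriched but stays below the threshold, and the blocked connection to an unlisted address produces nothing.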
Default risk lists
By default the app ships with four preconfigured default risk lists:
- IP addresses
- Domain names
- URLs
- Hashes
If you have Fusion access it is possible to define and download additional risk lists.
Manage risk lists
Navigate to Configuration->Inputs. This shows all configured inputs (both risk lists and alert monitoring). Clicking on the >-sign exposes additional information about the list.
Under the Actions drop-down it is possible to enable/disable a list, or to delete, clone or edit it.
Add or modify risk list downloads
To create an additional risk list, click the green "Create New Input" button and select Recorded Future risk list.
Field | Meaning | Comment |
---|---|---|
Name | Risk list name within the Splunk instance. The lookup file will be named <name>.csv. | |
Interval | The list is checked for updates after this many seconds. This should be set to 300. | This only specifies how often the list is checked; a new download happens only if the list has changed since the last check. |
Index | The modular input produces statistics when running. Set the index where these will be stored. | Make sure to select an index with correct role assignments; leave it at main/default if you are unsure. |
Risk list category | Select which type of element the risk list contains data for. | IP, Domain, Hash, Vulnerability or URL |
Fusion file | The path to the Fusion risk list. If the list is to be used as a lookup, the Fusion Flow must be defined to produce an uncompressed CSV file. | Must correspond to a defined Fusion file. If this field is left blank the default risk list for the category is used. |
Once the new risk list has been set up it is downloaded and made available to Splunk's Threat Intelligence framework. This is usually complete within a few minutes. Once the list is complete it is used to detect suspicious IOCs.
However, to enable enrichment for the new list a new correlation search is required.
- Go to Settings->Searches, reports, and alerts
- Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".
- Locate "Threat - RF IP Threatlist Search - Rule" (or the corresponding Domain, Hash or URL search, depending on what type of risk list it is).
- From the "Edit" drop-down select "Clone".
- Change the "New Title" field to something sensible, e.g. "Threat - RF IP My Custom Threatlist Search - Rule".
- Consider changing the description.
- Make sure Permissions is set to Clone, so the copy keeps the permissions of the original search.
- Go to Settings->Searches, reports, and alerts
- Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".
- Click on the newly created search.
- Modify the search:
- Change the first parameter of the macro (e.g. rf_ip_risklist) to the name of the new risk list.
- Save