Risk list overview
Risk lists can be used to correlate and enrich events. For each element in the risk list (e.g. an IP address, a URL or a hash) there is a risk score and information about why that score has been assigned.
Correlation
Any risklist that is configured is downloaded to the Splunk server and processed locally. Part of the information is inserted into the Threat Intelligence framework that is part of Splunk Enterprise Security. The framework maintains lists of Indicators of Compromise (IOCs) from external sources (such as Recorded Future).
If an event matches an entry of the appropriate list it is flagged for possible further action. Examples of further action are correlation searches such as the "Threat Activity Detected" rule. Events matching this rule will be highlighted as Notable events in Splunk Enterprise Security.
Enrichment
Any downloaded risk list is also stored as a lookup table. Recorded Future's Add-on for Splunk Enterprise Security has pre-configured saved searches that look at notable events and create new notable events for any event where additional data is available. The new event will contain additional information such as the Recorded Future Risk Score and details of why this risk has been assigned to the IOC.
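As an added illustration (not code from the add-on), the following Python script models the two steps described above: a risk list loaded as a lookup keyed on the indicator, and events matched against it to produce notable records that carry the risk score and the reasons behind it. The CSV column names (Name, Risk, EvidenceDetails), the evidence rule names and the sample events are all constructed for this example.

```python
import csv
import io
import json

# Constructed sample risk list in the CSV layout this example assumes:
# indicator, risk score, and a JSON blob describing the evidence behind the score.
RISK_LIST_CSV = """Name,Risk,EvidenceDetails
198.51.100.7,89,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server""}, {""Rule"": ""Historical Botnet Traffic""}]}"
203.0.113.9,25,"{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged IP""}]}"
"""

# Constructed sample events (firewall-style records); only dest_ip is matched here.
EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "action": "allowed"},
    {"src_ip": "10.0.0.6", "dest_ip": "192.0.2.44", "action": "allowed"},
    {"src_ip": "10.0.0.7", "dest_ip": "203.0.113.9", "action": "blocked"},
]


def load_risk_list(text):
    """Index the risk list by indicator, like a Splunk lookup keyed on Name."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        evidence = json.loads(row["EvidenceDetails"])
        table[row["Name"]] = {
            "risk": int(row["Risk"]),
            "rules": [e["Rule"] for e in evidence.get("EvidenceDetails", [])],
        }
    return table


def enrich(events, risk_list, field="dest_ip"):
    """Return one notable record per event whose indicator is on the risk list,
    carrying the original event plus the risk score and the triggering rules."""
    notables = []
    for ev in events:
        hit = risk_list.get(ev[field])
        if hit is None:
            continue  # no IOC match: nothing to flag
        notables.append({**ev, "rf_risk": hit["risk"], "rf_rules": hit["rules"]})
    return notables


if __name__ == "__main__":
    for notable in enrich(EVENTS, load_risk_list(RISK_LIST_CSV)):
        print(notable)
```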
Default risklists
By default the app ships with four default risk lists pre-configured:
- IP addresses
- Domain names
- URLs
- Hashes
If you have Fusion access it's possible to define and read additional risk lists.
Manage risklists
Navigate to Configuration->Inputs. This will show you all configured inputs (both risk lists and alert monitoring). Clicking on the > sign will expose additional information about the list.
Under the Actions drop-down it's possible to enable/disable a list, delete, clone or edit it.
Add or modify risklists downloads
To create an additional risk list, click on the green "Create New Input" button and select Recorded Future risk list.
Field | Meaning | Notes |
---|---|---|
Name | Risk list name within the Splunk instance. The lookup file will be named `<name>.csv`. | |
Interval | The list will be checked for updates after this many seconds. This should be set to 300. | This specifies how often the list is checked. Updates only occur if the list has been updated. |
Index | The modular input produces statistics when running. Set the index where these will be stored. | Make sure to select an index with correct role assignments; leave it at main/default if you are unsure. |
Risk list category | Select the kind of elements the risk list holds data for. | IP, Domain, Hash, Vulnerability or URL |
Fusion file | The path to the Fusion risk list. If the list is to be used as a lookup, the Fusion Flow must be defined to produce an uncompressed CSV file. | Must correspond to a defined Fusion file. If this field is left blank, the default risk list for the category will be used. |
Once a new risk list has been set up it is downloaded and made available in Splunk's Threat Intelligence framework. This normally takes a few minutes. Once the risk list is complete it is used to detect suspicious IOCs.
However, to enable enrichment a new correlation search is required:
- Navigate to Settings->Searches, reports, and alerts.
- Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".
- Locate "Threat - RF IP Threatlist Search - Rule" (or the corresponding Domain, Hash or URL rule, depending on what type of risk list it is).
- In the "Edit" drop-down menu, select "Clone".
- Change the "New Title" field to something sensible, e.g. "Threat - RF IP My Custom Threatlist Search - Rule".
- It is a good idea to change the description as well.
- Make sure that Permissions is set to Clone.
- Navigate to Settings->Searches, reports, and alerts.
- Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".
- Click on the newly created search.
- Modify the search: change the first parameter of the macro (e.g. rf_ip_risklist) to the name of the new risk list.
- Save.