Threat Activity in Enterprise Security 3.3

In this blog post I will be showing how the Threat Activity dashboard can be leveraged to help manage threat intelligence objects to remove false positive matches. To start, let's suppose a hosting service's IP was placed into threat intel for monitoring purposes. As a result, we have a high number of notable events representing intel matches against the hosting service address. You don't want analysts to spend time investigating matches against this IP because you don't have enough information yet to deem communication to and from this address as malicious. What we need is a method of capturing and maintaining threat content, while providing a whitelist or filter to prevent false positive matches that add to the workload of our fellow analysts.

Fortunately, the Threat Activity dashboard can be used to filter matches such that the actual match still occurs and is placed within the threat_activity index but is not taken into consideration when the corresponding notable events are generated. This means we can filter out any intel matches that result in a high number of FPs while still maintaining the match data for investigative or research purposes. To do this, bring up the Threat Activity dashboard and, using the form inputs at the top, isolate the threat intel match events you wish to whitelist.


Next, using the Threat Activity Details panel, select the rows that contain the threat_match_field/threat_match_value pair you would like to filter on:


Then select the “Advanced Filter…” button in the top right of the dashboard.


Ensure that the "Filter them so that they no longer appear on this dashboard" radio button is selected, and click Save. (Note that, like all dashboards leveraging per-panel filtering, you can also opt to "Highlight them so that they are flagged as important on this dashboard", which will ensure that all matches that contain the threat_match_field/threat_match_value pair are brought to the top of the Threat Activity Details panel and flagged as important.)


And that’s it! You can confirm that the threat_match_field/threat_match_value pair is now being filtered by ensuring that it no longer shows up in the Threat Activity Details panel. In addition, if you’d like to remove the filter, or look to see what is currently being filtered, you can select the “View/edit lookup file” hyperlink from within the Advanced Filter dialog. All active per-panel filters are audited using the Per-Panel Filter Audit dashboard.
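To make the behaviour described above concrete, here is a small Python model of per-panel filtering. It is an added example, not code from Splunk or from this post: every threat intel match stays in the (simulated) threat_activity index, a "filter" entry for a threat_match_field/threat_match_value pair stops the match from producing a notable and hides it from the details panel, and a "highlight" entry pins matching rows to the top of the panel. The sample events, the lookup row layout and the "action" column are constructed for the example and are not the real ES lookup schema.

```python
"""Model of Enterprise Security per-panel filtering for threat intel matches.

Every intel match is still written to the threat_activity index; the per-panel
filter only decides whether a match becomes a notable and is shown (filter) or
is pinned to the top of the Threat Activity Details panel (highlight).
"""
from typing import Dict, List, Tuple

# Constructed sample threat_activity events (synthetic, documentation-range IPs).
THREAT_ACTIVITY: List[Dict] = [
    {"_time": 1, "src": "10.1.1.5", "dest": "203.0.113.10", "threat_match_field": "dest", "threat_match_value": "203.0.113.10"},
    {"_time": 2, "src": "10.1.1.9", "dest": "203.0.113.10", "threat_match_field": "dest", "threat_match_value": "203.0.113.10"},
    {"_time": 3, "src": "10.1.2.4", "dest": "198.51.100.7", "threat_match_field": "dest", "threat_match_value": "198.51.100.7"},
    {"_time": 4, "src": "10.1.3.1", "dest": "192.0.2.44", "threat_match_field": "dest", "threat_match_value": "192.0.2.44"},
    {"_time": 5, "src": "10.1.3.1", "dest": "192.0.2.45", "threat_match_field": "dest", "threat_match_value": "192.0.2.45"},
]

# Rows of a per-panel filter lookup. The column names and the "action" values are
# assumptions for this example; ES keeps its own lookup behind the
# "View/edit lookup file" link in the Advanced Filter dialog.
PER_PANEL_FILTERS: List[Dict] = [
    {"threat_match_field": "dest", "threat_match_value": "203.0.113.10", "action": "filter"},     # noisy hosting IP
    {"threat_match_field": "dest", "threat_match_value": "198.51.100.7", "action": "highlight"},  # worth a close look
]

Key = Tuple[str, str]


def _key(row: Dict) -> Key:
    """The pair that a per-panel filter entry is keyed on."""
    return (row["threat_match_field"], row["threat_match_value"])


def load_filters(rows: List[Dict]) -> Dict[Key, str]:
    """Map (threat_match_field, threat_match_value) -> action, rejecting unknown actions."""
    actions: Dict[Key, str] = {}
    for r in rows:
        if r["action"] not in ("filter", "highlight"):
            raise ValueError(f"unknown per-panel filter action: {r['action']!r}")
        actions[_key(r)] = r["action"]
    return actions


def render_details_panel(events: List[Dict], filters: List[Dict]) -> List[Dict]:
    """Rows shown in Threat Activity Details: filtered pairs dropped, highlighted pairs first."""
    actions = load_filters(filters)
    rows = []
    for e in events:
        action = actions.get(_key(e))
        if action == "filter":
            continue  # hidden from the panel, but still present in `events`
        rows.append({**e, "highlighted": action == "highlight"})
    # Stable sort: highlighted rows rise to the top, everything else keeps its order.
    rows.sort(key=lambda r: not r["highlighted"])
    return rows


def generate_notables(events: List[Dict], filters: List[Dict]) -> List[Dict]:
    """Matches that would produce notable events: everything except filtered pairs."""
    actions = load_filters(filters)
    return [e for e in events if actions.get(_key(e)) != "filter"]


def filtered_matches(events: List[Dict], filters: List[Dict]) -> List[Dict]:
    """Matches suppressed from notables but retained in the index for research."""
    actions = load_filters(filters)
    return [e for e in events if actions.get(_key(e)) == "filter"]


if __name__ == "__main__":
    print(f"{len(THREAT_ACTIVITY)} matches in threat_activity index")
    print(f"{len(generate_notables(THREAT_ACTIVITY, PER_PANEL_FILTERS))} notables generated")
    for r in render_details_panel(THREAT_ACTIVITY, PER_PANEL_FILTERS):
        flag = "*" if r["highlighted"] else " "
        print(flag, r["threat_match_field"], r["threat_match_value"], "from", r["src"])
```

Running the script shows five matches in the index but only three notables, and the panel listing the highlighted 198.51.100.7 row first while the two hosting-service matches are absent; `filtered_matches` is the equivalent of searching the threat_activity index directly when you want the suppressed data back for research.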

Hopefully this helps offset any extreme cases of false positives that may come your way, as well as partially assist with any research you may be performing on threat intel matches in your environment. Please feel free to post and discuss any questions, comments, suggestions, or even use cases of your own in the comments below :-)

Why can we only get the filter and highlighting to work when the user is added to the Splunk admin role? Tried just adding the user to ESS_Admin and Poweruser, but no dice. Any ideas?

Kevin Manson
July 27, 2015