Raw Threat Intel Docs in Enterprise Security 3.3

For those that would like to visibly see a raw version of STIX/OpenIOC docs being consumed by the Threat Intel Framework in Enterprise Security 3.3, I thought I’d post a bit of an unofficial work around that could potentially be used to do this. It occurred to me that if a user wanted Splunk to index the raw STIX/OpenIOC documents, all they would need to do is have Splunk monitor the Threat Intelligence Manager directory that Enterprise Security is using to consume the OpenIOC/STIX documents. As an example, I will show how this can be done using the “da_ess_threat_default” entry, which is the Threat Intelligence Manager for the STIX documents that Enterprise Security 3.3 ships with out of the box.…

» Continue reading

Threat Activity in Enterprise Security 3.3

In this blog post I will be showing how the Threat Activity dashboard can be leveraged to help manage threat intelligence objects to remove false positive matches. To start, lets suppose a hosting services IP was placed into threat intel for monitoring purposes. As a result, we have a high number of notable events representing intel matches against the hosting service address. You don’t want analysts to spend time investigating matches against this IP because you don’t have enough information yet to deem communication to and from this address as malicious. What we need is a method of capturing and maintaining threat content, while providing a whitelist or filter to prevent false positive matches that add to the workload of …

» Continue reading

Threat Artifacts in Enterprise Security 3.3

In this blog post I will be going over a simple use case for the Threat Artifacts dashboard that was introduced in Enterprise Security 3.3. To start, the Threat Artifacts dashboard was built to assist analysts in the investigation of events, as well as research into malicious entities, and is meant to serve as a window into the threat intelligence that is stored in the Splunk App for Enterprise Security. I kind of like to think of it as a Threat Intelligence Library.


The dashboard contains a “Threat Artifact” ToggleInputView that allows a user to select the type of form inputs they wish to use to search through their intel. These are as follows:

  • Threat ID
  • Network
  • File
  • Registry
  • Service
  • User
  • Process
  • Certificate
  • Email

In …

» Continue reading

Threat Intelligence Collections in Enterprise Security 3.3

For all those security enthusiasts out there that write their own, or wish to write their own, OpenIOC and STIX documents, this is a mapping of the Threat Intelligence KV Collections in Enterprise Security 3.3 to their respective OpenIOC/STIX objects. Hopefully this helps provide a little insight into which objects will be extracted into this release of the Threat Intelligence Framework, and which will not be. In addition, the table will also tell you which KVStore fields ES uses for matching against the threat data you’re ingesting in Splunk.

Note that if a cell contains a hyphen (-) that it is likely because there was not an associated field from that particular intel document (OpenIOC/STIX) for representing that specific type …

» Continue reading

Risk Analysis With Enterprise Security 3.1

    The Risk Analysis Framework was introduced as a new feature in Splunk App for Enterprise Security 3.1, and provides users with the ability to utilize a risk scoring system for assigning varying levels of risk to a multitude of different assets and identities.

    In the context of the Risk Analysis Framework- assets, identities, and anything else you would consider assigning a risk score to, is referred to as a Risk Object. Risk Objects are categorized under different Risk Object Types. For example, if ‘brians_laptop’ was our Risk Object it would be categorized under the ‘system’ Risk Object Type. Out of the box, Enterprise Security 3.1 comes configured with 3 different risk object types: ‘system’ for assigning risk …

» Continue reading