Working with the EclecticIQ Platform App for Splunk

This application is no longer supported.

From 22 August 2022, use both of the following apps instead:

Overview

The Threat Intelligence EclecticIQ Platform App provides seven default dashboards for you to monitor:

  • Observables received from EclecticIQ Platform

  • Matches detected

  • Alerts triggered

To get the dashboards to display data, you must have:

List of dashboards

These dashboards can be accessed from the top navigation bar.


Dashboards available by default:

Tab

Dashboard and description

Home

Home: Provides an overview of:

  • Observables collected from the EclecticIQ Platform

  • Matches found

  • Alerts triggered

Dashboards

  • Matched IPs: Displays matches and alerts for IPv4 observables collected from EclecticIQ Platform.

  • Matched Domains and URLs: Displays matches and alerts for Domain and URL observables collected from EclecticIQ Platform.

  • Matched File hashes: Displays matches and alerts for md5-hash, sha256-hash, and sha512-hash observables collected from EclecticIQ Platform.

  • Matched Emails: Displays matches and alerts for email observables collected from EclecticIQ Platform.

  • All matches: Displays matches and alerts for all observables collected from EclecticIQ Platform.

Information

  • Observables DB info: Provides an overview of all observables collected from the EclecticIQ Platform.

You can customize each dashboard by clicking Edit in the top-right corner.

[Image: example of the Threat Intelligence EclecticIQ Platform App Home dashboard]

Make any dashboard the Splunk Web Home dashboard

  1. Open the dashboard you want to set as your Home dashboard.

  2. Go to the top-right corner of the view and click the horizontal ellipsis icon.

  3. Select Set as Home dashboard.

View application logs

If you need to troubleshoot the app, view the application log:

  1. Open the Threat Intelligence EclecticIQ Platform App in Splunk Web.

  2. In the top navigation bar, click Information > Application Logs.

To manage what log levels are displayed, go to the App settings (Information > Edit app settings), and edit the Scripts Log Level field.

Scripts

The Threat Intelligence EclecticIQ Platform App ships with two scripts:

Collection script

  • The script that collects outgoing feed data from EclecticIQ Platform is: eiq_collect_feeds.py.

  • Inputs stanza: [script://$SPLUNK_HOME/etc/apps/SA-EclecticIQ/bin/eiq_collect_feeds.py].

  • By default, the collection script is configured to run every 20 minutes (cron schedule: */20 * * * *).

Sightings script

  • The script that sends sightings to EclecticIQ Platform is: eiq_send_sightings.py.

  • Inputs stanza: [script://$SPLUNK_HOME/etc/apps/SA-EclecticIQ/bin/eiq_send_sightings.py].

  • By default, the sightings script is configured to run every 15 minutes (cron schedule: */15 * * * *).

Manage scripts

This section describes how to manage scripts provided with the app.

Enable/disable a script:

  1. In the top navigation bar, click Settings > Data inputs.

  2. Under Local inputs, click Scripts.

  3. In the row of the script you want to enable/disable, go to the Status column.

  4. Click Enable or Disable.

Edit the interval cron expression of a script:

  1. In the top navigation bar, click Settings > Data inputs.

  2. Select Scripts.

  3. Click the script you want to edit.

  4. In the Interval field, change the interval.

  5. Click Save.

For further details on Splunk cron expressions, see the official Splunk documentation on cron expressions and their answers to common questions on cron expressions.

KV store

The EclecticIQ Platform app creates three KV stores in Splunk:

  • eiq_ioc_list (Downloaded observables)

  • eiq_feed_list (Meta Information about Outgoing Feeds)

  • eiq_alerts (Alerts results)

Do not manually edit the KV stores.

The collection script writes the downloaded threat intelligence directly to these KV stores, and is search head cluster-aware.

Alerts

The Threat Intelligence EclecticIQ Platform App comes packaged with two different saved searches. Both are disabled by default, and must be enabled before alerts can be triggered by the app.

List of alerts

EclecticIQ alert

The EclecticIQ alert saved search is a plain-text saved search that triggers an alert when it finds matches for observables collected from the connected EclecticIQ Platform instance.

Enabling both EclecticIQ alert and any one of the EclecticIQ tstats Threat Intelligence alerts may produce duplicate results.

(Recommended) EclecticIQ tstats Threat Intelligence alert

Requires the Splunk Common Information Model (CIM).

We recommend using these alerts over the EclecticIQ alert saved search.

The EclecticIQ tstats Threat Intelligence alert is a group of five saved searches that use Splunk data model acceleration.

From Threat Intelligence EclecticIQ Platform App version 2.5.4 onwards, the EclecticIQ tstats Threat Intelligence alert is split into five different alerts:

  • EclecticIQ tstats Threat Intelligence alert - Domain

  • EclecticIQ tstats Threat Intelligence alert - Email

  • EclecticIQ tstats Threat Intelligence alert - Hash

  • EclecticIQ tstats Threat Intelligence alert - Source/Destination

  • EclecticIQ tstats Threat Intelligence alert - URL

Each alert is triggered when the saved search runs and finds events that match its respective observable types.

For example, the EclecticIQ tstats Threat Intelligence alert - Domain saved search triggers an alert when it finds an event that matches a domain observable collected from the connected EclecticIQ Platform instance.
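Why running the plain-text search alongside a typed search can report the same match twice, as an added Python sketch that is not the app's saved searches or code. The record layouts, field names and the two matching models are assumptions, and all observables and events are constructed.

```python
import re

# Constructed observables; the "type"/"value" field names are assumptions.
OBSERVABLES = [
    {"type": "ipv4", "value": "203.0.113.7"},
    {"type": "domain", "value": "bad.example"},
]

# Constructed events: raw text plus normalized fields (assumed names).
EVENTS = [
    {"id": 1, "raw": "conn src=10.0.0.5 dest=203.0.113.7 port=443",
     "fields": {"src": "10.0.0.5", "dest": "203.0.113.7"}},
    {"id": 2, "raw": "dns query=cdn.bad.example.org client=10.0.0.9",
     "fields": {"query": "cdn.bad.example.org"}},
    {"id": 3, "raw": "dns query=bad.example client=10.0.0.9",
     "fields": {"query": "bad.example"}},
    {"id": 4, "raw": "ticket note: blocked 203.0.113.7 last week",
     "fields": {}},
]

# Normalized fields checked per observable type (assumed mapping).
FIELDS_BY_TYPE = {"ipv4": ("src", "dest"), "domain": ("query",)}


def raw_text_hits(events, observables):
    """Model of a plain-text search: the value appears as a whole token."""
    hits = []
    for ev in events:
        for ob in observables:
            token = r"(?<![\w.-])" + re.escape(ob["value"]) + r"(?![\w.-])"
            if re.search(token, ev["raw"]):
                hits.append((ev["id"], ob["type"], ob["value"]))
    return hits


def field_hits(events, observables):
    """Model of a typed search: exact match on the fields for that type."""
    hits = []
    for ev in events:
        for ob in observables:
            names = FIELDS_BY_TYPE.get(ob["type"], ())
            if any(ev["fields"].get(n) == ob["value"] for n in names):
                hits.append((ev["id"], ob["type"], ob["value"]))
    return hits


def merge_hits(*hit_lists):
    """Keep one alert per (event, type, value), whichever search found it."""
    return sorted(set().union(*hit_lists))
```

On this sample, events 1 and 3 are reported by both models, so concatenating the two result lists gives five entries for three distinct matches; merging on the (event, type, value) key removes the repeats.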

Enable alerts

To enable the saved searches:

  1. Open Splunk Web.

  2. In the top navigation bar, click Settings > All configurations.

  3. In the All configurations page, set the filter to only display entries for EclecticIQ Platform App (SA-EclecticIQ).

    Do this by selecting from the drop-down menus next to App:

    • EclecticIQ Platform App (SA-EclecticIQ)

    • Created in the App

  4. Click Enable in the Status column for these saved searches:

    • EclecticIQ alert

    • EclecticIQ tstats Threat Intelligence alert - Domain

    • EclecticIQ tstats Threat Intelligence alert - Email

    • EclecticIQ tstats Threat Intelligence alert - Hash

    • EclecticIQ tstats Threat Intelligence alert - Source/Destination

    • EclecticIQ tstats Threat Intelligence alert - URL

Manage how frequently alerts are run

You can manage how frequently the saved search for an alert is run by editing the CRON interval for that alert.

To edit the CRON interval of an alert:

  1. In the top navigation bar, click Settings > All configurations.

  2. Locate the alert you want to configure, and click on its name.

  3. Edit the contents of the Cron Expression field. Change it to the desired time and date the saved search should run.

Uninstall

To uninstall the Threat Intelligence EclecticIQ Platform App, open the terminal on your Splunk host and run:

$SPLUNK_HOME/bin/splunk remove app SA-EclecticIQ

Or remove the app directory manually by running:

Removing data with rm -rf is irreversible.

rm -rf "$SPLUNK_HOME/etc/apps/SA-EclecticIQ"

After the command completes, restart Splunk:

$SPLUNK_HOME/bin/splunk restart