Work with Splunk Enterprise Security
Caution
This app is no longer supported and this documentation will be removed on 1 December 2024.
Splunk Enterprise Security (Splunk ES) is a paid-for Splunk app that provides additional tooling for cybersecurity practitioners to perform advanced searches and threat identification in their environments.
Requirements
Build a correlation search
You can build correlation searches and adaptive response actions with the following search macros provided by the Threat Intelligence EclecticIQ Platform App:
Tip
You can find the macro definitions in the downloaded Threat Intelligence EclecticIQ Platform App package, at $SPLUNK_HOME/etc/apps/SA-EclecticIQ/default/macros.conf.
Search macro name | Description
---|---
 | Retrieves all sightings from Threat Intelligence EclecticIQ Platform App.
`eiq_dm_alert_domain` | Retrieves all alerts fired by Threat Intelligence EclecticIQ Platform App for matched domains.
`eiq_dm_alert_email` | Retrieves all alerts fired by Threat Intelligence EclecticIQ Platform App for matched emails.
`eiq_dm_alert_hash` | Retrieves all alerts fired by Threat Intelligence EclecticIQ Platform App for matched hashes.
`eiq_dm_alert_src_dst` | Retrieves all alerts fired by Threat Intelligence EclecticIQ Platform App for matched sources/destinations.
`eiq_dm_alert_url` | Retrieves all alerts fired by Threat Intelligence EclecticIQ Platform App for matched URLs.
Caution
Fusion Center does not support sightings or the EclecticIQ adaptive response action.
To create a correlation search and add adaptive response actions:
Create a new correlation search:
From Splunk Home, select Splunk Enterprise Security.
In the top navigation bar, click Configure > Content > Content Management.
In the top-right corner, click Create New Content > Correlation Search.
In the Search Name field, enter a descriptive name.
Example: EclecticIQ Correlation Search.
In the App drop-down menu, select SA-EclecticIQ as the app in which to store the correlation search.
In the Search field, enter the SPL (Search Processing Language) query to use as your correlation search.
For examples, see Example queries below.
Add adaptive response action:
Caution
The steps below are mandatory. The remaining fields in the form are optional and let you customize the action further.
Click + Add New Response Action > Create EclecticIQ Sighting.
In the Sighting Title field, enter a descriptive name.
Example: Splunk EIQ Sighting.
In the Observable Type field, enter $result.type_eiq$.
In the Observable Value field, enter $result.value_eiq$.
Add notable event:
Click + Add New Response Action > Notable.
In the Title field, enter a descriptive title.
For example: EclecticIQ Correlation Search.
In the bottom-right corner, click Save.
Example queries
EclecticIQ tstats Threat Intelligence alert - Domain
| `eiq_dm_alert_domain`
| eval alert_field=case(isnotnull(value_eiq_domain), "domain")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest
EclecticIQ tstats Threat Intelligence alert - Email
| `eiq_dm_alert_email`
| eval alert_field=case(isnotnull(value_eiq_sender), "sender", isnotnull(value_eiq_receiver), "receiver")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest
EclecticIQ tstats Threat Intelligence alert - Hash
| `eiq_dm_alert_hash`
| eval alert_field=case(isnotnull(value_eiq_file_hash), "file_hash")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest
EclecticIQ tstats Threat Intelligence alert - Source/Destination
| `eiq_dm_alert_src_dst`
| eval alert_field=case(isnotnull(value_eiq_src), "src", isnotnull(value_eiq_dest), "dest")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest
EclecticIQ tstats Threat Intelligence alert - URL
| `eiq_dm_alert_url`
| eval alert_field=case(isnotnull(value_eiq_url), "url")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest
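As an added example (not the app's own code), the following Python reproduces offline the pipeline shared by the five queries above (the alert_field case(), the md5 event_hash, the key and the dedup) on constructed sample rows, then resolves the $result.type_eiq$ and $result.value_eiq$ tokens used by the Create EclecticIQ Sighting action, so you can check which sightings a given result set would produce and that repeated events with the same sourcetype, index, time, host and value collapse to one key. SAMPLE_RESULTS and all helper names are assumptions made for this illustration.

```python
"""Offline reproduction (added example, not the app's own code) of the page's alert-query
pipeline and of the $result.<field>$ token substitution used by the sighting action."""
import hashlib
import re

# Constructed sample results, shaped like rows an `eiq_dm_alert_*` macro returns.
SAMPLE_RESULTS = [
    {"sourcetype": "proxy", "index": "web", "_time": 1700000000, "host": "gw1",
     "value_eiq": "bad.example", "type_eiq": "domain", "value_eiq_domain": "bad.example"},
    {"sourcetype": "proxy", "index": "web", "_time": 1700000000, "host": "gw1",
     "value_eiq": "bad.example", "type_eiq": "domain", "value_eiq_domain": "bad.example"},
    {"sourcetype": "dns", "index": "net", "_time": 1700000060, "host": "ns1",
     "value_eiq": "bad.example", "type_eiq": "domain", "value_eiq_domain": "bad.example"},
]
# Suffixes tested by the case() expressions across the page's five queries.
ALERT_FIELD_CASES = ["domain", "sender", "receiver", "file_hash", "src", "dest", "url"]

def enrich(result):
    """Apply the eval lines of the page's queries to one result row."""
    row = dict(result)
    row["alert_field"] = next((f for f in ALERT_FIELD_CASES
                               if row.get(f"value_eiq_{f}") is not None), None)
    # SPL '.' is string concatenation: md5(sourcetype.index._time.host.value_eiq)
    concat = f'{row["sourcetype"]}{row["index"]}{row["_time"]}{row["host"]}{row["value_eiq"]}'
    row["event_hash"] = hashlib.md5(concat.encode()).hexdigest()
    row["alert_source"] = "splunk_dm_search"
    row["key"] = f'{row["_time"]}-{row["event_hash"]}'      # key=_time."-".'event_hash'
    row["event_time"], row["event_time_1"] = row["_time"], row["_time"] + 1
    return row

def dedup(rows, field="key"):
    """| dedup key : keep the first row per key, preserving order."""
    seen, out = set(), []
    for r in rows:
        if r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out

TOKEN = re.compile(r"\$result\.([A-Za-z0-9_.]+)\$")

def substitute_tokens(template, row):
    """Resolve $result.<field>$ tokens against one result row (empty string if absent)."""
    return TOKEN.sub(lambda m: str(row.get(m.group(1), "")), template)

def planned_sightings(results, title="Splunk EIQ Sighting"):
    """Sightings the response action would raise, one per deduplicated key."""
    rows = dedup(enrich(r) for r in results)
    return [{"title": title, "key": r["key"], "alert_field": r["alert_field"],
             "observable_type": substitute_tokens("$result.type_eiq$", r),
             "observable_value": substitute_tokens("$result.value_eiq$", r)} for r in rows]
```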