Skip to main content
 
 
Splunk Lantern

Enhancing endpoint monitoring with threat intelligence

 

When investigating endpoints, SOC analysts need as much telemetry as possible because there are often many attack vectors in play. For example, a malicious PowerShell script can invoke various commands to install software such as ransomware. To give analysts as much information as possible to enrich incidents, it's highly recommended that you incorporate threat intelligence.

This article assumes the reader has Splunk Mission Control and Splunk Threat Intelligence Management enabled.

 

Intelligence workflows

Using cloud services such as Splunk Mission Control or Splunk Enterprise Security provides the most flexibility for configuring many threat intelligence sources such as Splunk Threat Intelligence Management and other third-party vendors like Recorded Future, Crowdstrike, etc. After the feeds are active, incidents automatically receive added threat intelligence. If a match occurs, the analyst gains additional insights from the incident. For example, the hdoor.exe observable shown in the image below reflects a high threat intelligence score.

MC_endpoint_incident_example.png

The intelligence management framework saves an analyst time with the notable event auto-submission process. Analysts retain full control over the process with manual override features. You can auto-enrich events using Splunk Enterprise Security.

Gathering threat feeds for Splunk Mission Control and Splunk Enterprise Security

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

Splunk Threat Intelligence Management is available to Splunk Mission Control and Splunk Enterprise Security for cloud stacks. However, before gaining access to its vast threat intelligence network, you need to configure it for the appropriate stacks. Modular input definitions in inputs.conf for Splunk Mission Control must be considered and consist of the following:

  • Read IM subscription status
  • Retrieve IM indicators
  • Parse IM indicator files
  • Splunk Enterprise Security TIF intelligence downloads to add threat intelligence automatically as threatlists

In addition to inputs, you need to consider KV store collection definitions, which are defined in collections.conf and transforms.conf. Workflow actions (defined in workflow_actions.conf) assist with navigation from Splunk Enterprise Security risk notable events to Splunk Mission Control. Finally, telemetry retrieve and parse IM indicators report on conditions such as enabling and disabling. The retrieved and parsed results are not logged.

Splunk Enterprise Security interoperability

When triaging notable events in Splunk Enterprise Security, threat feeds provide context and enrichment for matching events. An adaptive response action link in the notable event launches the corresponding incident in Splunk Mission Control. To access links to Splunk Mission Control from Splunk Enterprise Security follow these steps:

  1. Go to Incident Review and expand the notable event of interest. In the lower right of the notable event information is the Adaptive Responses section.
  2. Click any of the links that begin with TruSTAR.

TruSTAR is now Splunk Threat Intelligence Management.

The analyst now has the ability to gain additional insights from the event data in Splunk Mission Control.

ES_AR_MC.png

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.