
Splunk Lantern

Integrating with the Australian Signals Directorate’s Cyber Threat Intelligence Sharing Service

The Australian Signals Directorate’s (ASD’s) Cyber Threat Intelligence Sharing (CTIS) service is a two-way threat intelligence (TI) sharing platform through which government and industry partners both receive and contribute information about malicious cyber activity.

Splunk Enterprise Security (ES) integrates with the CTIS service in both directions: indicators of compromise (IOCs) are ingested natively through the ES Threat Intelligence Framework (TIF), and IOCs are reported back to CTIS through an open-source plugin developed by Splunk. The plugin lets partners share IOCs with CTIS for other partners to consume. It is available in this Splunk GitHub repository.

CTIS exposes multiple TI feeds as what it calls Collections. Each CTIS Collection provides an IOC feed for a specific category of indicators, generally grouped by criticality and/or source. The Collections are all detailed in the CTIS documentation, which is available on the Australian Cyber Security Centre (ACSC) Partner Portal. Membership is required both to access the portal and to use the CTIS service. Any Australian-based organisation that is not currently an ACSC partner and would like to use this service can find information on applying for partnership on the ACSC website.

ASD/ACSC CTIS Integration Quick Start Guide
  • CTIS Integration Overview
    Splunk Enterprise Security integrates with the CTIS service via standards-based protocols outlined on this page.
  • CTIS Integration - CTIS Service Configuration
    Before configuring the Splunk integration with the CTIS service, the administrator of your organisation's ACSC/ASD portal account needs to configure credentials and allowlist the IP addresses of your Splunk environment so that it can authenticate to and access the CTIS TAXII REST APIs.
  • CTIS Integration - ES Ingestion Configuration
    Configuring the Splunk Enterprise Security TIF is a two-step process: first configure the credentials used for CTIS ingestion in the Splunk ES General Settings, then configure each desired CTIS Collection as an individual ES TIF feed.
  • CTIS Integration - ES TIF Troubleshooting
    Basic troubleshooting of collection downloads and parsing is available from the Threat Intelligence Audit dashboards in Enterprise Security; this page also shows example searches for viewing the ES TIF audit and debug logs.
  • CTIS Integration - ES Reporting Plugin Configuration
    Learn how to install and configure the CTIS TAXII2 IOC reporting plugin for Splunk Enterprise Security, and how to create and submit reports.
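The pages above configure the TIF to pull each CTIS Collection over TAXII; the following added example (not code from Splunk Lantern, the ES TIF or the Splunk reporting plugin) shows what that pull looks like at the protocol level, so that a reader can check a credential and allowlist entry against the CTIS TAXII API from the Splunk host before wiring up a feed, and see which STIX pattern terms become usable IOCs. It assumes a TAXII 2.1 server with HTTP Basic authentication, a placeholder API root and collection ID, and intel category names of its own choosing; the envelope at the bottom is constructed sample data standing in for one page of a Collection.

```python
"""Poll a TAXII 2.1 collection and flatten STIX 2.1 indicators into IOC records.

Added example only: server URL, collection ID, credential type (HTTP Basic is
an assumption; use whatever your ACSC portal issued) and category names are
placeholders, not CTIS or Splunk ES values.
"""
import base64
import json
import re
import urllib.parse
import urllib.request

TAXII_ACCEPT = "application/taxii+json;version=2.1"

# One STIX 2.1 comparison term: <object-path> = '<literal>'. Compound patterns
# (AND/OR) simply yield one record per recognised term.
_TERM_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")

# STIX object path (quotes stripped) -> intel category. These category names
# are this example's own, not the TIF's internal collection names.
PATH_TO_CATEGORY = {
    "ipv4-addr:value": "ip",
    "ipv6-addr:value": "ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.MD5": "file_hash",
    "file:hashes.SHA-1": "file_hash",
    "file:hashes.SHA-256": "file_hash",
}


def parse_pattern(pattern):
    """Return (category, value) for each recognised term; unknown paths are skipped, not guessed."""
    out = []
    for path, value in _TERM_RE.findall(pattern):
        category = PATH_TO_CATEGORY.get(path.replace("'", ""))
        if category:
            out.append((category, value))
    return out


def extract_indicators(envelope):
    """Flatten a TAXII 2.1 envelope into one record per usable IOC term."""
    records = []
    for obj in envelope.get("objects", []):
        # Only live STIX indicators carry atomic IOCs; revoked objects are
        # withdrawals and non-'stix' pattern types (snort, yara) are not IOCs.
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for category, value in parse_pattern(obj.get("pattern", "")):
            records.append({
                "category": category,
                "value": value,
                "stix_id": obj.get("id"),
                "valid_until": obj.get("valid_until"),
                "labels": obj.get("labels", []),
            })
    return records


def fetch_json(url, username, password):
    """GET one TAXII 2.1 resource with the TAXII media type and HTTP Basic auth (assumed)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": TAXII_ACCEPT,
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def poll_collection(api_root, collection_id, username, password, added_after=None, limit=500):
    """Page through a collection's objects endpoint, following 'next' cursors until more=false."""
    params = {"limit": str(limit)}
    if added_after:
        params["added_after"] = added_after  # incremental pull since the last poll
    while True:
        url = (f"{api_root.rstrip('/')}/collections/{collection_id}/objects/?"
               + urllib.parse.urlencode(params))
        envelope = fetch_json(url, username, password)
        yield from extract_indicators(envelope)
        if not envelope.get("more") or not envelope.get("next"):
            return
        params["next"] = envelope["next"]


# Constructed sample envelope standing in for one page of a CTIS Collection.
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "labels": ["malicious-activity"], "valid_until": "2026-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example.net' OR file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern_type": "stix", "pattern": "[url:value = 'http://old.example.org/x']", "revoked": True},
        {"type": "malware", "id": "malware--44444444-4444-4444-8444-444444444444", "name": "Loader"},
    ],
}

if __name__ == "__main__":
    for rec in extract_indicators(SAMPLE_ENVELOPE):
        print(rec["category"], rec["value"], rec["stix_id"])
```

Running the script offline prints the three usable IOC terms from the sample envelope (the revoked URL indicator and the malware object are dropped). To exercise a real Collection, call poll_collection with the API root and collection ID from the CTIS documentation and the credentials the portal administrator configured; a 401 or a connection refusal from the Splunk host at this step points at the credential or allowlist configuration rather than at the TIF.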
