Splunk Lantern

CTIS Integration - ES Ingestion Configuration

Background

Configuring the Splunk Enterprise Security (ES) Threat Intelligence Framework (TIF) for CTIS is a two-step process: first configure the credentials to be used for CTIS ingestion under Splunk ES General Settings > Credentials & Certificates, then configure each desired CTIS collection as an individual ES TIF feed.

This guide covers these steps in detail, but for further information on configuring the ES TIF for your specific version of Enterprise Security, refer to the corresponding version of the Splunk ES Administration guide for the following sections:

Credential Configuration:

Configuration of credentials for IOC reporting is done natively within the reporting plugin, which uses the same Splunk-native secure credential storage mechanism. Steps for configuring the reporting plugin are covered separately in this article.

Threat Intelligence Framework Configuration

Credential Configuration

To securely configure the credentials used to authenticate the feeds of each required CTIS collection, configure them in Enterprise Security > Configure > General Settings > Credentials. Separate credentials are required for TAXII 1.1 and TAXII 2.1 connections, since each credential supports only one TAXII version. Use the "Realm" configuration option to differentiate between the two types of credentials.

Create the ES credential using the credentials issued in the CTIS portal, as shown in the example below, which reflects a TAXII 2.x credential:

(Screenshot: create credential.png)

Enterprise Security TAXII 1.1

Support for TAXII 1.x with CTIS might be deprecated in the future by ASD/ACSC in favour of TAXII 2.x.

For each collection that is being configured using a TAXII 1.1 connection, follow these steps from the ES TIF source configuration menu (Enterprise Security > Configure > Threat Intelligence > Threat Intelligence Sources):

  1. Select New and choose TAXII.
    (Screenshot: select new taxii1 collection.png)
  2. Enter the desired configuration on the general settings for the following options:
    1. Name - Descriptive name reflecting the details of the CTIS collection.
    2. Description - Description of the collection.
    3. URL - The general CTIS TAXII 1.x URL only. The collection ID is specified as a separate post argument in the next configuration step. Refer to the CTIS connection guide for the TAXII 1.x URLs and the collection descriptions and IDs.
    4. Post Arguments - Supports multiple arguments and generally includes:
      1. For TAXII 1.x the collection ID is mandatory and is specified as an HTTP post argument, for example: collection="3980c357-8479-4db1-923a-e2a3056e7e65"
      2. Optionally, and especially for collections with a high number of IOC records, it is recommended to also specify a post argument for the earliest IOC record, to limit the number of records returned on the first poll. For example, the following returns only IOC records no older than 30 days: earliest="-30d"
    5. Threat Intelligence - Should already be enabled and should not be changed.
  3. Modify the following other default options as desired:
    1. Weight - Used to calculate the risk score of an asset or identity associated with an indicator from the collection.
    2. Interval - The interval at which to poll the intelligence collection.
    3. Max Age - The retention period for IOCs from this collection.
    4. Max Size - The maximum allowed size in bytes for an intelligence feed download. The download is often very large the first time you download threat intelligence. Depending on the earliest-record parameter used in the post arguments, this value might need to be increased.
      (Screenshot: TAXII1 Collection General Settings.png)
  4. Parsing configuration does not typically require changes and should be left as "Auto".
    (Screenshot: collection parsing auto.png)
  5. Advanced configuration options should be configured to reference the credentials created in the previous steps:
    1. Remote Site User - The username configured in the ES Credentials settings in the earlier step for either TAXII 1.x or TAXII 2.x.
    2. Remote Site User Realm - The realm is optional but recommended to help denote the type of connection being used.
    3. Continue to the advanced configuration in the next section.
  6. The following default options under advanced configuration should not need modification, except for the timeout value where larger feeds are being configured, or where you need additional data for troubleshooting feed downloads or parsing:
    1. Retries - The maximum number of download retry attempts.
    2. Retry Interval - Number of seconds to wait between download retry attempts.
    3. Timeout - Number of seconds to wait before marking a download attempt as failed. It is recommended to increase this value for larger feeds, especially for the first poll.
    4. Sinkhole - Delete threat intelligence files after processing. Disable this if there are parsing issues that need to be investigated, so that the downloaded source file remains available for analysis.
    5. Debug - Enable if additional debug logging is required.
      (Screenshot: TAXII Advanced Settings.png)

Enterprise Security TAXII 2.1

For each collection that is being configured using a TAXII 2.1 connection, follow these steps from the ES TIF source configuration menu (Enterprise Security > Configure > Threat Intelligence > Threat Intelligence Sources):

  1. Select New and choose TAXII 2.
    (Screenshot: new taxii2 collection.png)
  2. Enter the desired configuration on the general settings for the following options:
    1. Name - Descriptive name reflecting the details of the CTIS collection.
    2. Description - Description of the collection.
    3. URL - For TAXII 2.x connections the URL contains the specific collection ID, using the following URL format, where <collection-id> should be replaced with the collection ID of the feed being configured. Information about the various collections and the TAXII URL is available in the CTIS documentation from the ASD/ACSC partner portal.
    4. TAXII Version - For CTIS TAXII 2.x, this should be configured as version 2.1.
    5. Post Arguments - With TAXII 2.x, given that the collection ID is specified in the URL, the only potentially important post argument is the time range of IOCs to download from the collection. This is especially important for collections with a high number of IOC records, where it is recommended to also specify a post argument for the earliest IOC record, to limit the number of records returned on the first poll. For example, the following returns only IOC records no older than 30 days: earliest="-30d"
    6. Threat Intelligence - Should already be enabled and should not be changed.
  3. Modify the following other default options as desired:
    1. Weight - Used to calculate the risk score of an asset or identity associated with an indicator from the collection.
    2. Interval - The interval at which to poll the intelligence collection.
    3. Max Age - The retention period for IOCs from this collection.
    4. Max Size - The maximum allowed size in bytes for an intelligence feed download. The download content is often very large the first time you download threat intelligence from a specific collection. Depending on the earliest-record parameter used in the post arguments, this value might need to be increased to allow a larger download. This might also be the case for collections with a high frequency of updates or new IOCs regularly added.
      (Screenshot: new taxii2 collection general settings.png)
  4. Parsing configuration does not typically require changes and should be left as "Auto".
    (Screenshot: collection parsing auto.png)
  5. Advanced configuration options should be configured to reference the credentials created in the previous steps:
    1. Remote Site User - The username configured in the ES Credentials settings in the earlier step for either TAXII 1.x or TAXII 2.x.
    2. Remote Site User Realm - The realm is optional but recommended to help denote the type of connection being used.
  6. The following default options under advanced configuration should not need modification, except for the timeout value where larger feeds are being configured, or where you require additional data for troubleshooting feed downloads or parsing:
    1. Retries - The maximum number of download retry attempts.
    2. Retry Interval - Number of seconds to wait between download retry attempts.
    3. Timeout - It is recommended to increase this value for larger feeds.
    4. Sinkhole - Delete threat intelligence files after processing.
    5. Debug - Enable if additional debug logging is required.
      (Screenshot: taxii2 new collection advanced.png)
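As an added example covering the Post Arguments, credential and Max Size settings in both the TAXII 1.1 and TAXII 2.1 procedures above (this is not Splunk's code and not part of the original article), the following Python helper parses an ES-style Post Arguments string such as collection="..." earliest="-30d", translates the earliest value into the TAXII 2.1 added_after cut-off that bounds the first poll, assembles the authenticated objects request for a collection (collection ID in the URL, as the TAXII 2.x step describes), and checks a returned envelope page against the Max Size setting and the server's pagination flags. The host taxii.example.invalid, the API root path, the username ctis-user and the sample envelope contents are constructed placeholders; ES performs the equivalent steps internally and this page does not document its exact request shape, so the request layout here follows the TAXII 2.1 specification rather than ES.

```python
"""Pre-flight helper for a CTIS TAXII feed as configured in the ES TIF.
Added example: models what the feed poll needs, not Splunk's own code."""
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# TAXII 2.1 media type sent in the Accept header (from the TAXII 2.1 specification).
TAXII21_MEDIA_TYPE = "application/taxii+json;version=2.1"

# Relative time units understood here (Splunk-style modifiers such as -30d, -12h).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_REL_RE = re.compile(r"^-(\d+)([smhdw])$")
# ES Post Arguments field: space-separated key="value" pairs.
_POST_ARG_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_post_args(post_args: str) -> dict:
    """Parse the ES 'Post Arguments' field (e.g. collection="..." earliest="-30d")
    into a dict. For TAXII 1.x the 'collection' key carries the mandatory ID."""
    return dict(_POST_ARG_RE.findall(post_args))


def earliest_to_added_after(earliest: str, now) -> str:
    """Translate earliest="-30d" into the RFC 3339 UTC timestamp used as the
    TAXII 2.1 added_after filter, so the first poll only returns recent IOCs.
    'now' may be a timezone-aware datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    m = _REL_RE.match(earliest.strip().strip('"'))
    if not m:
        raise ValueError(f"unsupported earliest value: {earliest!r}")
    seconds = int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
    cutoff = now.astimezone(timezone.utc) - timedelta(seconds=seconds)
    return cutoff.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic value built from the Remote Site User credential (assumption:
    the TAXII server accepts Basic auth; CTIS specifics come from the ASD/ACSC portal)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_objects_request(api_root: str, collection_id: str, username: str,
                          password: str, post_args: str, now) -> dict:
    """Assemble the TAXII 2.1 GET {api_root}/collections/{id}/objects/ request.
    With TAXII 2.x the collection ID lives in the URL, so only 'earliest' from
    the post arguments is used, as the added_after filter."""
    args = parse_post_args(post_args)
    params = {}
    if "earliest" in args:
        params["added_after"] = earliest_to_added_after(args["earliest"], now)
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    if params:
        url += "?" + urlencode(params)
    return {
        "method": "GET",
        "url": url,
        "headers": {
            "Accept": TAXII21_MEDIA_TYPE,
            "Authorization": basic_auth_header(username, password),
        },
        "params": params,
    }


def check_page(body: bytes, max_size: int) -> dict:
    """Inspect one TAXII 2.1 envelope page: how many objects it carries, whether
    the server has more pages ('more'/'next' fields), and whether this page
    already exceeds the ES Max Size setting, which would fail the download."""
    envelope = json.loads(body)
    return {
        "objects": len(envelope.get("objects", [])),
        "more": bool(envelope.get("more", False)),
        "next": envelope.get("next"),
        "bytes": len(body),
        "over_max_size": len(body) > max_size,
    }


# Constructed sample envelope standing in for the first page of a large collection.
SAMPLE_ENVELOPE = json.dumps({
    "more": True,
    "next": "page-2-token",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '192.0.2.10']", "pattern_type": "stix"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix"},
    ],
}).encode()


if __name__ == "__main__":
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    req = build_objects_request("https://taxii.example.invalid/api1",  # placeholder API root
                                "3980c357-8479-4db1-923a-e2a3056e7e65",
                                "ctis-user", "s3cret", 'earliest="-30d"', now)
    print(req["url"])
    print(check_page(SAMPLE_ENVELOPE, max_size=1_000_000))
```

The added_after cut-off is what keeps the first poll small, which is why the article pairs earliest="-30d" with the Max Size setting: a page whose check_page result reports over_max_size, or a long chain of more=True pages, is the signal that either the time range should be narrowed or Max Size and Timeout raised before the feed is saved in ES.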