Splunk Lantern

CTIS Integration - ES Reporting Plugin Configuration

Background 

For an overview of the CTIS TAXII2 IOC reporting plugin for Splunk Enterprise Security, please refer to the CTIS TAXII Splunk App Documentation GitHub repository.  

This plugin has been developed with industry-standard open-source OASIS TAXII/STIX libraries and might work with other TAXII/STIX-based IOC reporting services, but it has currently only been validated with the ASD/ACSC CTIS service.

Installation 

The CTIS TAXII IOC Reporting plugin is currently released as an open-source package that can be downloaded from the Splunk GitHub repository and installed on Splunk Cloud Platform or Splunk Enterprise with Splunk Enterprise Security 7.3 and later. The repository can be accessed at ctis-taxii-splunk-app.

To download the latest version of the plugin, select the link on the right-hand side of the main repository page for Releases.

(Figure: CTIS Plugin GIT Repo)

Then click the App Package under the desired version to download the App installer.

(Figure: CTIS GitHub releases)

To install it, use the Manage Apps menu to install an app from a file on your Splunk Enterprise Security search head, remembering to choose the option to upgrade if an older version is already installed. For Splunk Cloud Platform installations, the self-service App install workflow must be used, or you can contact support to have the app installed.

(Figure: Install CTIS plugin)

For full details regarding installation of this plugin, see CTIS TAXII Splunk App Documentation: Installation.  

Configuration 

Before IOC reports can be created and submitted using the CTIS reporting plugin, TAXII v2.1 connections must be configured specifying the CTIS TAXII credentials and API root URL to be used for submission of IOC reports. The collection information (Collection ID) will be automatically discovered once the credentials and API root are configured.

After the CTIS Plugin (App) is installed, open the Plugin from the Splunk Apps menu: 

  1. Select Configuration and click Add on the right to create and save a new connection.
  2. Enter the details as per the TAXII 2.1 credentials from the CTIS portal for your organisation. Credentials are saved in the same secure Splunk credential store, but you should not use the same credential configuration as the feed configuration in TIF.
  3. Enter the TAXII2 API root and click Add to save the new connection. The API root should be in the format https://<taxii-server-fqdn>/taxii2/<rootid>. Refer to the CTIS connection guide for further details on the TAXII API root.
    (Figure: Add CTIS configuration for plugin)

For full details regarding the configuration of this plugin, see CTIS TAXII Splunk App Documentation: Configuration.

Create and Submit Reports 

After the TAXII connection and credentials are configured, follow these steps to configure, create and submit reports.

  1. Create an identity - An identity is used to represent either the individual, organisation or group submitting the report and is based on a 128-bit UUID generated when the identity is created. Currently this UUID is generated when the identity is configured; however, in the future the UUID might be assigned to specific entities by ASD. Typically, an identity would be created once and used multiple times for IOC report submissions by specific entities. Identities play no part in authentication or authorization; they only identify who submitted the report. Identities also define default TLP markings and Confidence. 
    (Figure: CTIS plugin identity)
  2. Create a Grouping - Specific malicious or suspicious activity often consists of multiple IOC artefacts; for example, an IOC report for a single malicious file could include a filename and its SHA-1, SHA-256, and MD5 hashes. Additionally, a single occurrence of malicious activity could involve multiple types of IOCs, for example, certificate fingerprints, filenames, hostnames, or URLs. Groupings enable multiple related indicators to be grouped together in a meaningful way as part of a single report.
    (Figure: CTIS plugin grouping)
  3. Create indicators - After the grouping is created, indicators can be created and added to the relevant group. Multiple indicators can be created together, but they are added as individual IOCs and associated with each other via the grouping. Clear naming of IOCs will help identify related IOCs, for example, the filename and its associated file hashes. The example below shows two IOCs that are both associated with the same grouping.
    (Figure: CTIS plugin indicators)
  4. After all the indicators are created for that specific report/grouping, they can be submitted immediately or scheduled for a specific date/time. Submissions can be made from the Submissions menu or by selecting the grouping. The collection will automatically be discovered after the TAXII config is selected, and a preview of the STIX JSON bundle can be viewed.
    (Figure: CTIS plugin submission)
  5. Submission results are shown after the submission has been processed, including the JSON output of the TAXII server response.
    (Figure: response from CTIS plugin submission)
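The API root check from the Configuration section and the identity, grouping and indicator objects from the steps above, as an added example that is not the plugin's own code: it validates the API root shape the page requires, assembles the STIX 2.1 objects into the TAXII 2.1 envelope a submission carries, and picks a writable collection from a constructed discovery response. Object ids, names, the hash value and collection ids are constructed; TLP:AMBER is applied as a stand-in for the default marking an identity defines.

```python
import re
import uuid
from datetime import datetime, timezone

# TLP:AMBER marking-definition id as fixed by the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-dcd5-46c0-8b4c-2d1c20bd8a7c"
# Shape of the API root the page requires: https://<taxii-server-fqdn>/taxii2/<rootid>
API_ROOT_RE = re.compile(r"^https://[A-Za-z0-9.-]+/taxii2/[A-Za-z0-9_-]+/?$")

def now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def valid_api_root(url):
    return bool(API_ROOT_RE.match(url))

def make_identity(name, identity_class="organization"):
    ts = now()
    return {"type": "identity", "spec_version": "2.1", "id": f"identity--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name, "identity_class": identity_class}

def make_indicator(name, pattern, identity, confidence=80):
    ts = now()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "created_by_ref": identity["id"], "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
            "confidence": confidence, "object_marking_refs": [TLP_AMBER]}

def make_grouping(name, context, identity, indicators):
    ts = now()
    return {"type": "grouping", "spec_version": "2.1", "id": f"grouping--{uuid.uuid4()}",
            "created": ts, "modified": ts, "created_by_ref": identity["id"], "name": name,
            "context": context, "object_refs": [i["id"] for i in indicators],
            "object_marking_refs": [TLP_AMBER]}

def build_envelope(identity, indicators, grouping):
    # TAXII 2.1 accepts an envelope {"objects": [...]} on POST .../collections/<id>/objects/
    return {"objects": [identity, *indicators, grouping]}

def writable_collections(discovery):
    # From a GET <api_root>/collections/ response keep only ids the credentials may write to.
    return [c["id"] for c in discovery.get("collections", []) if c.get("can_write")]

# Constructed sample: one malicious file reported as filename plus SHA-256 (hash is fake).
ORG = make_identity("Example Org SOC")
IOCS = [make_indicator("dropper.exe filename", "[file:name = 'dropper.exe']", ORG),
        make_indicator("dropper.exe sha256", "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", ORG)]
GROUP = make_grouping("Dropper campaign", "suspicious-activity", ORG, IOCS)
ENVELOPE = build_envelope(ORG, IOCS, GROUP)
SAMPLE_DISCOVERY = {"collections": [{"id": "2222-constructed", "title": "submissions", "can_write": True},
                                    {"id": "1111-constructed", "title": "feed", "can_write": False}]}
```

The envelope is what a TAXII 2.1 client posts to the discovered writable collection; the plugin's own preview shows the equivalent STIX JSON before submission.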

For complete details on how to use the plugin to submit IOC reports, see CTIS TAXII Splunk App Documentation: Curating and Sharing CTI.