
Anomali Threatstream App: Integration and DA-ESS-ThreatIntelligence Data Model

adalbor
Builder

Hey All,

We currently use the Anomali Threatstream app in Enterprise Security along with an on-premise integrator to pull our CTI down.

The data is imported great and works awesome with the Threatstream app.

I would like to see if it's possible to integrate this data with ES itself so it can be leveraged in the Security Intelligence > Threat Intelligence sections and whatever else in ES uses that data model.

I see that Anomali creates a summary index with their data, but all of the fields are different from what is in the DA-ESS-ThreatIntelligence data model. Was hoping to not have to reinvent the wheel here.

Does anyone have any experience setting this up or have any recommendations?


starcher
SplunkTrust

You should approach the vendor on their ES integration. They have known for a long time that they do not integrate well with the ES threat intel model. If you are going to cook it yourself, you need to cook off CSV lookup files from their data and map those for ES Threat Intel ingestion yourself. You can sneak a couple of fields that are not in the intel framework in by doing KV pairs in the description field in some cases. Just be careful with that. And you will have to write your own macro to break it back out for use in a search.

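To illustrate the "cook it yourself" route described in the answer above, here is an added example (not code from the Anomali app or from Splunk ES) that maps constructed Anomali-style export rows onto an ES `ip_intel` lookup CSV, packs the non-framework fields as key=value pairs into `description`, and shows the search-time breakout that the custom macro would perform. The input column names, the `confidence`-to-`weight` mapping and the delimiter rules are assumptions, not the real app schema.

```python
import csv
import io

# Constructed sample of Anomali-style export rows (assumed column names).
ANOMALI_SAMPLE = """value,itype,confidence,source
203.0.113.5,mal_ip,85,feed-a
198.51.100.77,c2_ip,60,feed-b
"""

# ES threat intel lookup columns we emit for ip_intel (description/weight
# are standard framework fields; extra fields are smuggled via description).
ES_FIELDS = ["ip", "description", "weight"]
EXTRA_FIELDS = ("itype", "confidence", "source")


def pack_extras(row):
    """Encode non-framework fields as space-separated key=value pairs.

    The 'be careful' part: a value containing whitespace or '=' would
    corrupt the breakout at search time, so reject it instead of emitting it.
    """
    for k in EXTRA_FIELDS:
        if any(c.isspace() for c in row[k]) or "=" in row[k]:
            raise ValueError(f"field {k!r} cannot be packed safely: {row[k]!r}")
    return " ".join(f"{k}={row[k]}" for k in EXTRA_FIELDS)


def anomali_to_es_rows(text):
    """Map each Anomali-style row to an ES ip_intel row (assumed mapping)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": r["value"],
            "description": pack_extras(r),
            "weight": r["confidence"],  # assumption: use confidence as weight
        })
    return rows


def to_es_csv(rows):
    """Render the mapped rows as the CSV a threat intel input would ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def unpack_description(description):
    """Break the key=value pairs back out, as the custom search macro would."""
    return dict(kv.split("=", 1) for kv in description.split() if "=" in kv)
```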

adalbor
Builder

Yep, I hit them up at the same time as I posted this.
They actually said they are working on it in their next release but they don't have an ETA.
Thanks for your response!


adalbor
Builder

Just to add and mark as complete.

Their newest app version 6.4 has the integration built in.

All you have to do is rerun setup, tell it to use CIM data models, and check that Upload to ES Threat Intelligence Framework is ticked within:
Settings -> Data Inputs -> Anomali IOC Ingestion -> threatstream_app

Once that stuff was done it worked like a charm.
