Anomali Threatstream App: Integration and DA-ESS-ThreatIntelligence Data Model

adalbor
Builder

Hey All,

We currently use the Anomali Threatstream app in Enterprise Security along with an on-premise integrator to pull our CTI down.

The data is imported great and works awesome with the Threatstream app.

I would like to see if it's possible to integrate this data with ES itself so it can be leveraged in the Security Intelligence > Threat Intelligence sections and whatever else in ES uses that data model.

I see that anomali creates a summary index with their data but all of the fields are different from what is in the DA-ESS-ThreatIntelligence data model. Was hoping to not have to reinvent the wheel here.

Does anyone have any experience setting this up or have any recommendations?

starcher
SplunkTrust

You should approach the vendor on their ES integration. They have known for a long time that they do not integrate well with the ES threat intel model. If you are going to cook it yourself, you need to cook off CSV lookup files from their data and map those for ES Threat Intel ingestion yourself. You can sneak a couple of fields that are not in the intel framework in by doing KV pairs in the description field in some cases. Just be careful with that. And you will have to write your own macro to break it back out for use in a search.

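The "cook it yourself" route in the answer above, as an added example that is not code from the thread or from Anomali: constructed Threatstream-style rows are split into ES-style ip_intel and domain_intel lookup CSVs (ip / domain, description, weight), the fields the framework has no column for are packed into description as k=v pairs, and a macros.conf stanza plus its Python twin break them back out. The sample column names, the macro name threatstream_extras and the confidence-to-weight mapping are assumptions.

```python
import csv
import io
import re

# Constructed sample rows shaped like an Anomali export; the column names are
# assumptions for this example, not the app's real summary-index schema.
SAMPLE_THREATSTREAM_CSV = """value,itype,confidence,severity
203.0.113.7,mal_ip,85,high
example.invalid,c2_domain,60,medium
198.51.100.9,scan_ip,20,low
"""
# Fields with no home in the ES threat intel collections ride along inside
# the framework's description field as ';'-separated k=v pairs.
EXTRA_KEYS = ("itype", "confidence", "severity")
# macros.conf stanza (macro name is an assumption) that unpacks them at search time.
SPL_MACRO = (
    "[threatstream_extras]\n"
    'definition = rex field=description "itype=(?<itype>[^;]*)" '
    '| rex field=description "confidence=(?<confidence>[^;]*)" '
    '| rex field=description "severity=(?<severity>[^;]*)"\n'
)

def pack_description(row):
    """Pack the non-framework fields into description as k=v pairs."""
    return ";".join(f"{k}={row[k]}" for k in EXTRA_KEYS)

def unpack_description(description):
    """Python twin of the rex chain in SPL_MACRO."""
    return dict(re.findall(r"(\w+)=([^;]*)", description))

def confidence_to_weight(confidence):
    """Fold a 0-100 confidence into an integer weight 1..5 (the mapping is an assumption)."""
    return max(1, min(5, (int(confidence) + 19) // 20))

def convert_threatstream_csv(text):
    """Split rows into ES-style ip_intel and domain_intel lookup CSV texts."""
    buckets = {"ip": [], "domain": []}
    for row in csv.DictReader(io.StringIO(text)):
        kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", row["value"]) else "domain"
        buckets[kind].append({kind: row["value"],
                              "description": pack_description(row),
                              "weight": confidence_to_weight(row["confidence"])})
    rendered = {}
    for kind, rows in buckets.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=[kind, "description", "weight"], lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        rendered[f"{kind}_intel"] = buf.getvalue()
    return rendered
```

Write each rendered CSV to a lookup file that the ES threat intel download input points at, and call the macro in searches as `threatstream_extras` after the threat match.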
adalbor
Builder

Yep I hit them up at the same time as I posted this.
They actually said they are working on it in their next release but they don't have an ETA.
Thanks for your response!

adalbor
Builder

Just to add and mark as complete.

Their newest app version 6.4 has the integration built in.

All you have to do is rerun setup, tell it to use CIM data models, and check that Upload to ES Threat Intelligence Framework is ticked within:
Settings -> Data Inputs -> Anomali IOC Ingestion -> threatstream_app

Once that stuff was done it worked like a charm.
