Threat Response - Integration with Splunk Enterprise v2.0¶
This document covers all aspects of Threat Response integration with Splunk Enterprise. Today Threat Response can integrate with Splunk Enterprise in two ways: Splunk Alert Source, and Splunk Log Source. We will explore the specifics of these integrations in this integration guide.
Note
This integration guide covers updated Splunk integration capabilities using JSON Alert Source, and for this integration the Splunk Enterprise 2.0 Alert Source is used. It is recommended that you use Splunk Alert Source 2.0. In order to learn more about legacy Splunk integration using Splunk Alert Source 1.0, please, follow the following integration guide: Threat Response - Integration with Splunk Enterprise v1.0
| Type | Description | Versions |
|---|---|---|
| Splunk Alert source | Splunk Enterprise provides administrators the ability to define log-correlation rules that will detect anomalous or suspicious behaviors in the network. Upon detecting such an event, Splunk Enterprise can generate an alert to Threat Response for further investigation. | Splunk Enterprise 2.0 |
| Splunk Log Source | Threat Response can utilize Splunk Enterprise as a data repository to look for logs associated with bad actors (hackers) or infected machines. The ability to review logs for an infected machine may lead to further insights about what has changed on that machine, and what it is communicating to on the network. | N/A |
Configuring Splunk Enterprise Alert Source¶
Splunk Enterprise 2.0¶
Proofpoint Threat Response 3.1.x and above allows to send Splunk alerts in the form of JSON to the Splunk Enterprise 2.0 event source.
The sample python script can be used to gather the raw data from Splunk alerts, transform that data into JSON format and push to Threat Response appliance. This script should be run as the response action for every Splunk alert you want to send to Threat Response Splunk Enterprise 2.0 alert source. Every time the alert is triggered, it assembles one or more JSON alerts and posts them to Threat Response.
Note
The script sample is available in the Appendix section: Splunk Enterprise 2.0 Python Script
Create Splunk Enterprise 2.0 Alert Source in Threat Response¶
You must first create an event source in Threat Response to receive alerts from Splunk.
- Log in to Threat Response
- Navigate to the
Sourcespage. - Click the blue
Add (+)button next toSourcesto bring up theNew Sourcepanel - Set the following fields:
- Type: choose
Splunk Enterprise 2.0 - Enabled: check the box to enable the Splunk Enterprise 2.0 alert source
- Name: alert source name
- Description: alert source additional description
- Link Events: check if you want Threat Response to automatically link ingested alerts
- Enable authentication: check if you want to enable username/password authentication for alert source
- Username: username for authentication
- Password: password for authentication
- Enable source locations: check if you want to ingest alerts from specific hosts only. By clicking on the
+button, you can specify the name and the associated host from which you will ingest alert using this alert source
- Type: choose
Savechanges
Upload Splunk Enterprise 2.0 Python Script¶
- Download the sample python script
proofpoint_threat_response_push.pyand upload it to the following location:$SPLUNK_HOME/bin/scripts
Note
The script sample is available in the Appendix section: Splunk Enterprise 2.0 Python Script
- Set the first line of the script to right python path on Splunk host
Example
#!/opt/splunk/bin/python
- Set a valid value for
PROOFPOINT_ENDPOINT_URLattribute in the script
Example
https://10.10.104.77/threat/splunk_push/events/enkfeI0D5kvat1TNbVLNlg
In order to get the POST URL for Splunk Enterprise 2.0 event source, perform the following:
1. Click on Sources -> Splunk Enterprise 2.0 you created in Threat Response
2. Click show for POST URL
- Modify the sample script to match the data your Splunk alert provides. To do so, start at the function
buildJsonEventand map the Splunk provided fields for your event to the Threat Response JSON event source required fields.
Note
For more information on JSON fields that Threat Response supports, please, refer to the following documentation section: JSON Alert Source
- Edit the
search/alert/reportin Splunk to run this script for alert it fires- In Splunk, click
Settings->Searches, reports, and alerts->NAME-OF-THE-SEARCH-TO-ADD-FIRE-ALERT-TO-THREATRESPONSE - Enable checkbox
Run a script - Add
proofpoint_threat_response_push.pyin text box forFile name of shell script to run
- In Splunk, click
Important
Make sure you change the following things in the script to the appropriate values:
1. The python path given in the first line must be the path to Splunk’s python interpreter: $SPLUNK_HOME/bin/python
2. This script must be placed in $SPLUNK_HOME/bin/scripts and must be marked as executable
3. The PROOFPOINT_ENDPOINT_URL variable must be set to the event source POST url, for example, https://ptr-host.corp.com/threat/splunk_push/events/V2X-NPd1BSvZv9uKx2eoIA
Troubleshooting¶
- Check executable permissions for the script on OS
- Log generated by the script:
$SPLUNK_HOME/bin/scripts\proofpoint_threat_response.log - Check the
PROOFPOINT_ENDPOINT_URL, first line and location of the script
New JSON fields that Splunk Enterprise Alert Source supports¶
For 3.1, Threat Response added the following fields:
- Added threat_info object that allows customers to specify the information about threat (by providing static and contextual threat metadata)
- Expanded attackers section that can now be either a string or a list and can take additional key-value pairs such as port, mac address, and hostname
- Expanded targets section that can now be either a string or a list and can take additional key-value pairs such as port, mac address, and hostname
- Added custom_fields object that allows to ingest custom key-value pairs that can be mandated by the integrating devices
- Added detector object that allows customers to pass the contextual information about the detecting product or appliance that generated the alert or event; detector is an object that allows to specify the parameters such as product, vendor, and IP address
Below is an example of the event generated using JSON API for version 3.1:
{
"category": "malware",
"result": "created",
"url": "http:malware.exe",
"severity": "critical",
"threat_info": {
"name": "Trojan.Win32.Genome",
"filename": "xMiner.exe",
"type": "Trojan",
"md5sum": "0c3552346d890e6c33c19ac1ec1ef33d",
"filehash": "d82cbf481a8c28f75bcab4b22131c877",
"occurred_at": "2014-01-01T10:11:12Z"
},
"attackers": [
{
"port": 5678,
"user": "user1",
"ip_address": "10.100.10.111",
"mac_address": "72:00:08:0b:0a:a1",
"hostname": "hostname"
}
],
"targets": [
{
"ip_address": "10.10.111.111"
},
{
"port": 8765,
"user": "frodo",
"ip_address": "10.100.10.112",
"mac_address": "72:10:08:0b:0a:a1",
"hostname": "xyzzy"
}
],
"custom_fields": {
"custom_field_1": "abcd",
"custom_field_2": "abcd",
"custom_field_3": "abcd"
},
"detector": {
"detector_address": "192.168.1.1",
"detector_host_name": "sensor",
"detector_product": "web appliance",
"detector_vendor": "Vendor 1",
"detector_event_category": "test",
"detector_action": "callback detected"
}
}For the new JSON format it is important to note that old fields for source, destination or the array “attacker” or “target” are still supported and are aggregated together with the new arrays “attackers” and “targets”
Note
For more details about Threat Response API and all the supported fields, please, refer to the API documentation.
Configuring Splunk Log Query¶
Splunk logs can be viewed directly in Threat Response for hosts reported in incidents. Once you have enabled the Splunk Log Query feature, you will be able to view logs associated with a host by opening an incident, and navigating to the IP Details page.
Build Splunk Search Query¶
The first step is to consider the search query that you want to use to locate logs in Splunk. This query will be used in the next step when configuring the feature. The query syntax is exactly the same as queries performed directly in Splunk; however, the string you are searching is represented by the variable “{entity}” (without the quotes).
Below is a sample query that will search for the current {entity}, will exclude any Threat Response alerts generated for the event source, and will limit the results to 100 entries:
search {entity} NOT sourcetype="Proofpoint Threat Response" | head 100This query is recommended for most installations.
Note
You should always apply a result limiter to the query. Large numbers of results will result in slow load times on Threat Response, and may create unnecessary load on the Splunk server.
Enable Log Query¶
With Splunk Log Query enabled on Threat Response, you can navigate to the IP Details tab in any incident to view logs associated with a host. When the page is loaded, Threat Response will begin the query to Splunk to collect the logs, and will display a count of the logs that were found. Clicking on the count will display a popup containing the raw logs.
To enable SIEM Log Collection for Splunk:
- Log in to Threat Response.
- Navigate to
System Settings>Contextual Data Sources>Splunk. - Check the box to enable Splunk Integration and configure the following:
- Host:
<Splunk hostname_or_ip> - Management Port:
<splunk_mgmt_port>(this is usually “8089”) - UI Port:
<splunk_ui_port> - Username:
<splunk_username> - Password:
<splunk_password> - Use SSL: (optional)
- Default Query:
<custom_splunk_search_query>
- Host:
- Optionally, click on
“Test Settings”button to verify that the Splunk instance is reachable. Savechanges.
Appendix¶
Splunk Enterprise 2.0 Script¶
#!/opt/splunk/bin/python
#
# proofpoint_threat_response_push.py
#
# Copyright 2017 Proofpoint, Inc.
#
# Proofpoint Threat Response allows you to send Splunk alerts as JSON to
# the Splunk Enterprise 2 alert source.
#
# This script must be modified or extended to match the data your Splunk
# alert provides. To do so, start at the function buildJsonEvent and
# map the Splunk provided fields for your event to the PTR JSON
# event source required fields. A sample JSON event is provided in this
# script, and more information is available in the PTR documentation.
#
# This script should be run as the response action of every Splunk alert you
# want to send to PTR's Splunk Enterprise 2 alert source. Every time the alert is
# triggered, it assembles one or more JSON alerts and posts them to PTR.
#
# Troubleshooting:
# - The python path given in the first line must be the path to Splunk's
# python interpreter: $SPLUNK_HOME/bin/python.
# - This script must be placed in $SPLUNK_HOME/bin/scripts and must be
# marked as executable.
# - The PROOFPOINT_ENDPOINT_URL variable must be set to the event source
# POST url, something like https://ptr-host.corp.com/threat/splunk_push/events/V2X-NPd1BSvZv9uKx2eoIA
#
import csv
import gzip
import json
import logging
import os
import socket
import sys
import time
import urllib2
# Set this to the POST url of a Splunk Enterprise 2 event source
PROOFPOINT_ENDPOINT_URL = None
LOGNAME = 'proofpoint_threat_response.log'
# Uncomment this line to log script output to stderr
#LOGFILE = None
# Uncomment this line to log to the script's directory
LOGFILE = '%s/%s' % (os.path.dirname(os.path.realpath(sys.argv[0])), LOGNAME)
# Uncomment this line to log to /var/log/
#LOGFILE = '/var/log/%s' % LOGNAME
def configureLogging(alert_name):
LOG_FORMAT = '%(asctime)s, ' + alert_name + ', %(levelname)s: %(message)s'
if LOGFILE is not None:
logging.basicConfig(level=logging.INFO, format=LOG_FORMAT,
datefmt='%Y-%m-%d %H:%M%S', filename=LOGFILE)
else:
logging.basicConfig(level=logging.INFO, format=LOG_FORMAT,
datefmt='%Y-%m-%d %H:%M%S')
def buildAttackerTarger(prefix, raw_event):
item = {}
raw_host = prefix + '_host'
raw_port = prefix + '_port'
raw_user = prefix + '_user'
if raw_host in raw_event and len(raw_event[raw_host]) > 0:
item['hostname'] = raw_event[raw_host]
if raw_port in raw_event and len(raw_event[raw_port]) > 0:
item['port'] = raw_event[raw_port]
if raw_user in raw_event and len(raw_event[raw_user]) > 0:
item['user'] = raw_event[raw_user]
return [item]
def translateSeverity(raw_event):
severity_mapping = {'1' : 'info', '2' : 'minor', '3' : 'major', '4' : 'major', '5' : 'critical'}
severity = None
if 'alert_severity' in raw_event:
severity = severity_mapping[raw_event['alert_severity']]
return severity
# Sample JSON Event as required by PTR
#
# {
# "category": "malware",
# "result": "created",
# "url": "http://www.downloadmalware.com/malware.exe",
# "severity": "critical",
# "threat_info": {
# "name": "Trojan.Win32.Genome",
# "filename": "xMiner.exe",
# "type": "Trojan",
# "md5sum": "0c3552346d890e6c33c19ac1ec1ef33d",
# "filehash": "d82cbf481a8c28f75bcab4b22131c877",
# "occurred_at": "2014-01-01T10:11:12Z"
# },
# "attackers": [
# {
# "port": 5678,
# "user": "blargh",
# "ip_address": "10.100.10.111",
# "mac_address": "72:00:08:0b:0a:a1",
# "hostname": "whoopi"
# }
# ],
# "targets": [
# {
# "ip_address": "10.10.111.111"
# },
# {
# "port": 8765,
# "user": "frodo",
# "ip_address": "10.100.10.112",
# "mac_address": "72:10:08:0b:0a:a1",
# "hostname": "xyzzy"
# }
# ],
# "custom_fields": {
# "custom_field_xyzzy": "Never gonna give you up",
# "custom_field_never": "Never gonna let you down",
# "custom_field_gonna": "Never gonna run around and desert you"
# },
# "detector": {
# "address": "192.168.1.1",
# "host_name": "sensor",
# "product": "Badness Detector 7000",
# "vendor": "AwesomeSoft",
# "event_category": "omg",
# "action": "nuke_from_orbit"
# }
# }
#
# NOTE TO EXTENDERS OF THIS SCRIPT - if you pass fields
# in to the system that PTR doesn't require, they will
# still be displayed on the RAW event view. If you
# set those fields in "custom_fields", then they'll
# be shown in on the Alert Details page, as well
def buildJsonEvent(row, fieldNames):
# INTEGRATOR TODO - translate splunk fields to JSON Event extractor fields
# From Splunk event extractor. Your mappings will depend on the
# fields in the specific Splunk search results you plan to use to
# generate a PTR event.
#
# This sample code does some trivial mapping and non-trivial mapping,
# as defined here:
#
# Splunk Field -> PTR JSON Event field
# alert_name -> name
# alert_severity (1,2,3,4,5) -> severity(Info, Minor, Major, Major, Critical)
# alert_category -> category
#
# attacker_host -> Build attacker object
# attacker_port -> Build attacker object
# attacker_user -> Build attacker object
#
# target_host -> Build target object
# target_port -> Build target object
# target_user -> Build target object
# dst_url -> url
# action -> result
simple_translations = {'alert_category' : 'category', 'dst_url' : 'url', 'action' : 'result'}
fields_to_remove = ['attacker_host', 'attacker_port', 'attacker_user', 'target_host', 'target_port', 'target_user', 'alert_severity']
# Build the raw event
raw_event = {}
for idx, fieldname in enumerate(fieldNames):
raw_event[fieldname] = row[idx]
# now fill in the PTR json event, translating as appropriate
json_event = {}
# Special case the Alert name, use the ENV if set, otherwise try to get it from the SPLUNK JSON
if len(alert_name) > 0:
json_event['name'] = alert_name
fields_to_remove.append('alert_name')
else:
simple_translations['alert_name'] = 'name'
# first, build attacker and target
attackers = buildAttackerTarger('attacker', raw_event)
if len(attackers) > 0:
json_event['attackers'] = attackers
targets = buildAttackerTarger('target', raw_event)
if len(targets) > 0:
json_event['targets'] = targets
severity = translateSeverity(raw_event)
if severity is not None:
json_event['severity'] = severity
# translate, or not, all the remaining simple things
for key, val in raw_event.iteritems():
if key not in fields_to_remove:
json_key = key
if key in simple_translations:
json_key = simple_translations[key]
json_event[json_key] = val
return json.dumps(json_event)
def retrieveResultsAsJsonEvents(filename):
logging.info('Retrieving events from %s...' % filename)
try:
events = []
# Splunk stores search results in gzipped csv files
with gzip.open(filename, 'rb') as eventFile:
eventReader = csv.reader(eventFile)
# The first line of the file contains the field names
fieldNames = eventReader.next()
logging.info('Retrieved interesting fieldnames:')
logging.info(str(fieldNames))
# Subsequent rows hold the data for each event in the alert
for row in eventReader:
events.append(buildJsonEvent(row, fieldNames))
logging.info('Successfully retrieved %d events' % len(events))
return events
except IOError as e:
logging.error('IOError retrieving events: %s. Exiting.' % e.strerror)
sys.exit(1)
def sendEvents(events_to_send, url):
logging.info('Sending the event via http %s ...' % url)
for event in events_to_send:
logging.info('Sending event %s.' % event)
try:
urllib2.urlopen(url, event)
logging.info('Send complete')
except URLError as urlError:
logging.error('URLError sending to %s: %s' (url, urlError.strerror))
if __name__ == '__main__':
if PROOFPOINT_ENDPOINT_URL is None:
logging.error('PROOFPOINT_ENDPOINT_URL must be set')
sys.exit(1)
alert_name = os.environ['SPLUNK_ARG_4']
configureLogging(alert_name)
logging.info('---------------- Script started ----------------')
logging.info('SPLUNK_ARG_0=%s', os.environ['SPLUNK_ARG_0'])
logging.info('SPLUNK_ARG_1=%s', os.environ['SPLUNK_ARG_1'])
logging.info('SPLUNK_ARG_2=%s', os.environ['SPLUNK_ARG_2'])
logging.info('SPLUNK_ARG_3=%s', os.environ['SPLUNK_ARG_3'])
logging.info('SPLUNK_ARG_4=%s', os.environ['SPLUNK_ARG_4'])
logging.info('SPLUNK_ARG_5=%s', os.environ['SPLUNK_ARG_5'])
logging.info('SPLUNK_ARG_6=%s', os.environ['SPLUNK_ARG_6'])
logging.info('SPLUNK_ARG_7=%s', os.environ['SPLUNK_ARG_7'])
logging.info('SPLUNK_ARG_8=%s', os.environ['SPLUNK_ARG_8'])
alert_time_utc = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
# Retrieve the temporary file of raw search results and parse the data
filename = os.environ['SPLUNK_ARG_8']
logging.info('Retrieved raw results filename=%s' % filename)
events = retrieveResultsAsJsonEvents(filename)
# Send the event back into Splunk via UDP
# event_to_send = json.dumps(tr_event)
sendEvents(events, PROOFPOINT_ENDPOINT_URL)
logging.info('Script finished.')