ThreatQuotient Add-on for Splunk
Overview
Details
Note: The new ThreatQuotient Add-on for Splunk requires the ThreatQuotient App for Splunk as well as ThreatQ version 5.11 or later.
ThreatQuotient Splunk Support Documentation
See the Splunk Documentation located on the ThreatQuotient Help Center for more information.
https://helpcenter.threatq.com/Integration_Documentation/app/Splunk.htm
Functionality includes:
Ingestion of ThreatQ Data into Splunk
Enable users to customize what data is ingested by leveraging ThreatQ exports and Splunk input filters. Customization continues for advanced users with the ability to modify leveraged indexes and Splunk saved searches that drive the ThreatQuotient App for Splunk to meet the needs of their environment.
Matching of Splunk Events with ThreatQ Indicators
Provide context on possible malicious activity by matching Splunk Events with ThreatQ indicators. Matching is customizable by ThreatQ indicator status and score to meet the differing needs of customer environments and workflows.
Reporting of Matches in Splunk back to ThreatQ as Sighting Events
Sighting events in ThreatQ will show indicator matches from Splunk and will be grouped by indicator.
Workflow Actions
Users can modify ThreatQ data based on any indexed indicators within Splunk.
Workflow actions include:
- ThreatQ: Add Indicator
- ThreatQ: Update Indicator Status
- ThreatQ: Lookup Indicator
- ThreatQ: Mark as False Positive
- ThreatQ: Mark as True Positive
Note: Support for ingesting ThreatQ data into Splunk Enterprise Security will be leveraged in the additional workflows provided within that application.
Deployability
The ThreatQuotient App for Splunk has been re-designed to scale to our customers' growing needs, supporting installations in Splunk deployments of all sizes.
Release Notes
Version 3.0.3
ThreatQ Add-on 3.0.3
- Release Notes: Upgraded Splunk AoB version to v4.5.0.
Version 3.0.2
ThreatQ Add-on 3.0.2
- Release Notes: Added compatibility for Splunk 10.
- Build Link: https://drive.google.com/file/d/1J6kxG8fhaba5q0ZMbMK2wFXaEEETc-gQ/view?usp=drive_link
Compatibility Matrix:
- Browser: Google Chrome, Mozilla Firefox
- OS: Platform Independent
- Splunk Enterprise version: 10.0.x, 9.4.x, 9.3.x, 9.2.x and 9.1.x
- Supported Splunk Deployment: Splunk Cluster, Splunk Standalone, and Distributed Deployment
Version 3.0.1
ThreatQ Add-on 3.0.1
- Fixed the data format causing issues for dashboard panels.
Compatibility Matrix:
- Browser: Google Chrome, Mozilla Firefox
- OS: Platform Independent
- Splunk Enterprise version: 9.4.x, 9.3.x, 9.2.x and 9.1.x
- Supported Splunk Deployment: Splunk Cluster, Splunk Standalone, and Distributed Deployment
Version 3.0.0
3.0.0
- Resolved cloud compatibility issues.
- Resolved a data case sensitivity issue.
- Added support for Splunk Enterprise and Cloud versions 9.3.x and 9.4.x.
- Updated the minimum ThreatQ version to 5.11.0.
Version 2.8.0
ThreatQ Add-on 2.8.0
- Release notes
- Upgraded Add-on Builder framework version to 4.2.0
- Fixed Splunk connectivity issues by replacing the session key with credentials and requests library
Version 2.7.0
Upgraded Add-on Builder framework version to 4.1.3.
Version 2.6.0
- Moved “Alert Actions” and “Workflow Actions” to the ThreatQuotient App for Splunk
- Restricted initial data collection to last 90 days
- Removed usage of Proxy while checking KVStore status
- Removed the “Verify SSL Certificate” checkbox from the Configuration page. Navigate to the
$SPLUNK_HOME/etc/apps/TA- threatquotient-add-on/bin/threatq_const.pyand change VERIFY_SSL to False if certificate validation is not required.
Version 2.5.1
- minor bug fix
Version 2.5.0
ThreatQ Splunk Add-on App 2.5.0:
- Minor bug fixes
- Updated the app with AOB version 4.1.0
Version 2.4.1
Removed Whitelisted status as the default option within the Indicator Status of the input configuration when creating a new input.
Version 2.4.0
- Fixed an issue where attempting to fetch import-timeout resulted in a 401 error on the Heavy Forwarder
- Added custom fields and custom attributes support to the KVStore.
Version 2.3.0
- Fixed an authentication issue with kvstore configuration
- Malware Family attribute data will be stored in the kvstore if available for ThreatQ Indicators
- Removed username and password dependency for kvstore data collection for the localhost
Version 2.2.0
TA-threatquotient-add-on: Version 2.2.0
- Added new Splunk KVStore Rest configuration tab. This configuration tab is required if users save data to KVStore.
- Additional options Enable Index and Pull all Indicators available under input configuration
Version 2.1.0
TA-threatquotient-add-on: Version 2.1.0
- Import timeout is now configurable from UI
- PaginationsupportforinitialimportofThreatQdata
- Updated default frequency for ThreatQ Exports from 300 to 900
Version 2.0.0
Python 3 Support :
The ThreatQuotient App for Splunk and ThreatQuotient Add-on for Splunk is now compatible with Python 3. Supported versions include:
Splunk 7.2.x
Splunk 7.3.x
Splunk 8.x (Python 2 & 3)
Notable Bugs Fixed:
We have fixed an issue with the Add-on App where:
Creating an indicator in Splunk would occasionally result in the creation of an indicator with an incorrect type within the ThreatQ platform.
ThreatQuotient Splunk Support Documentation:
See the Splunk Documentation located on the ThreatQuotient Help Center for more information.
https://helpcenter.threatq.com/Content/Developer_Resources/Integrations/About_Splunk_Integrations.htm.
Version 1.1.2
Certificate-based errors will no longer appear in the Splunk log. They will now be added as a warning in the ThreatQ application log.
Version 1.1.1
We have fixed an issue where Splunk credential parsing was generating a 500 error and leaving the configuration page in an unusable state.
Version 1.1.0
Common Information Model (CIM) Support
The ThreatQuotient Splunk integration now includes support for the Common Information Model (CIM). For users who map third party data (firewall events, logs, for example) to Splunk's data models in CIM, this App provides optimized performance by leveraging those data models. As such, we now support the CIM Data Model Search.
Enterprise Security (ES) Support Enhancement
Enterprise Security (ES) support now provides single-click enablement within the ThreatQ App for Splunk application settings.
Notable Bugs Fixed
We have fixed issues where:
Users could not re-enable and use searches without crashing Splunk ES search head.
threatq_match_indicators searches failed to complete. All saved search queries for matching can now accept an optional argument called indicator_types that allows users to match only specific indicator types from ThreatQ.
Version 1.0.1
Version 1.0.1:
During authentication, users can now specify whether to verify or disable the SSL certificate.