Cyware Threat Intelligence eXchange (CTIX)

The Cyware Threat Intel eXchange (CTIX) Add-on for Splunk is used to assist the user in the integration of CTIX with Splunk Enterprise. This application allows the user to perform the following tasks:

1. Seamlessly extract threat intelligence data from CTIX to Splunk
2. Index and categorize threat intelligence data within Splunk for ease of access
3. Deploy an intuitive dashboard for streamlined data visualization, providing key insights into holistic IOC metrics and subcategories
4. Augment Splunk index indicators with CTIX data, facilitating a layered analysis and deeper understanding of threat intelligence

ABOUT THIS APP

This add-on is intended to assist the integration of CTIX with Splunk Enterprise. This add-on is used to seamlessly pull threat indicators from CTIX to the Splunk Enterprise application. Once the add-on is successfully configured, Splunk will automatically start pulling the indicator values from CTIX and update them to the Lookup tables based on the configured Key-Value (KV) store collection.

REQUIREMENTS

  • Splunk Enterprise 8.0 or above

Recommended System configuration

  • Standard Splunk Enterprise configuration.

Installation in Splunk Cloud

  • Same as an on-premise setup.

Installation of App

The app can be installed in two ways.

  • Install it through the UI using "Manage Apps", or from the command line using the following command:

$SPLUNK_HOME/bin/splunk install app $PATH_TO_TGZ/TA-ctix-<app_version_info>.spl

Note: The version number changes with each release. The file name format is TA-ctix-<version_info>.spl.

  • Users can also extract the app's tgz file directly into the “$SPLUNK_HOME/etc/apps/” folder to install the app.
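
As an added example (not part of the app or its documentation), the following Python sketch inspects an app archive before it is unpacked into “$SPLUNK_HOME/etc/apps/”. It computes the SHA256 to compare with the checksum Splunkbase publishes for that version, flags members that would land outside the app directory, and lists native binaries to compare against the app's Binary File Declaration. The function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import tarfile
from pathlib import PurePosixPath

NATIVE_SUFFIXES = (".so", ".exe", ".dll", ".pyd", ".dylib")

def audit_app_package(data: bytes) -> dict:
    """Inspect a Splunk app archive (bytes of the .tgz/.spl) without extracting it."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "top_level": set(), "unsafe": [], "native": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            path = PurePosixPath(m.name)
            # Absolute paths or ".." components would land outside etc/apps/.
            if path.is_absolute() or ".." in path.parts:
                report["unsafe"].append((m.name, "escapes target directory"))
                continue
            # Links can redirect later writes; devices/FIFOs have no place in an app.
            if m.issym() or m.islnk():
                report["unsafe"].append((m.name, "link -> " + m.linkname))
            elif not (m.isfile() or m.isdir()):
                report["unsafe"].append((m.name, "special file"))
            if path.parts:
                report["top_level"].add(path.parts[0])
            if m.isfile() and path.suffix.lower() in NATIVE_SUFFIXES:
                report["native"].append(m.name)
    return report

def build_sample() -> bytes:
    """Constructed archive for the demo: one app dir, one native lib, one bad member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in [("TA-example/default/app.conf", b"[launcher]\n"),
                           ("TA-example/bin/lib/_speedups.so", b"\x7fELF"),
                           ("../outside/escape.conf", b"x")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    r = audit_app_package(build_sample())
    print("sha256   :", r["sha256"])
    print("top level:", sorted(r["top_level"]))
    print("unsafe   :", r["unsafe"])
    print("native   :", r["native"])
```

A clean package should report exactly one top-level directory and an empty "unsafe" list; any native binary not named in the Binary File Declaration deserves a closer look before installation.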

Prerequisites

  • Users must create Tags in the CTIX application. This helps to successfully map them to “Saved Result Set Tag” while configuring input data to the CTIX add-on application. New Tags can be created in the “Tags” module of the CTIX application.
  • Users must create Rules in the CTIX application. This helps to successfully process threat data and allow the CTIX add-on application in Splunk to update them in respective lookup tables. New Rules can be created in the “Rules” module of the CTIX application.
  • Tags must be added to the “Save Result Set” Action in the Rule to successfully utilize them for updating Input data based on Tags.

Application Setup

  • Users must complete the application setup to successfully configure and make the app functional. Users must provide the following values to enable a secure API connection between the CTIX add-on in Splunk and the CTIX application.

1) CTIX URL: This is a mandatory parameter. It is the DNS address of the CTIX server.
2) CTIX access key: This is a mandatory parameter and is required to access the CTIX API.
3) CTIX secret key: This is a mandatory parameter and is required to access the CTIX API.
4) Verify TLS Certificate: This is an optional parameter and is used for certificate validation while communicating with the CTIX server. Default value is set to False. Note that the release notes for version 3.1.5 list the removal of the configuration option to disable TLS certificate verification.
5) Proxy: This is optional and is used to set proxy details for communicating with the CTIX server. The following data is required to set up a proxy:
     • Proxy Type: Type of proxy to be used. Possible values: http, socks4, socks5
     • Host: Host name of the proxy server
     • Port: Port to connect to the proxy server
     • Username & Password: Credentials required to connect to the proxy server
     • Remote DNS resolution: Option to enable DNS resolution via the proxy server
6) Log Level: This is optional and is set to INFO by default. Change it to DEBUG to enable the detailed debug logs of the connector.

Finish installation

After installation, the app must be configured to automatically update indicators from CTIX to the relevant Splunk Lookup tables. Go to the “Inputs” tab and click “Create New Input” to add a new data input configuration. The following details must be specified to successfully configure an Input.

Name: Give a unique name for the Input configuration.
Interval: Mention the time interval at which you want the add-on app to pull data from CTIX. This will apply only for this Input configuration.
Index: Select an index for storing the API Request and Response.
Saved Result Set Tag: Mention the tag name. This field allows you to filter data received from CTIX based on Tags. The add-on app will pull data from the
Write to Index: Specify if you want to write all API request parameters and response data to the Index along with updating the data in the respective Lookup table.
KV Store Collection Name: Specify the name of the Key-Value storage Collection to be used for Lookup. The app key-value store (KV store) provides a way to save and retrieve data within your Splunk apps as collections of key-value pairs. If there are no Collections in the specified name, the add-on will create a new Collection and add input data to it. If a specified Collection already exists, then the Input data is updated to the same Collection.

The input configuration will automatically start adding data from CTIX to the specified Splunk Lookup table.

Support

Facing issues? Send an email to support@cyware.com

Binary File Declaration

/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py2/markupsafe/_speedups.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/pvectorc.cpython-37m-x86_64-linux-gnu.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/cli-arm64.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/cli-64.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/gui-64.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/cli.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/cli-32.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/gui-32.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/gui.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-cyware-ctix/bin/ta_cyware_ctix/aob_py3/setuptools/gui-arm64.exe: this file does not require any source code

Release Notes

Version 3.3.2
Aug. 8, 2025

Increased read timeout to accommodate long-running queries.

Version 3.3.1
July 11, 2025

The Cyware Threat Intelligence eXchange (CTIX) app upgrade includes minor enhancements to import data fields.

Version 3.2.5
June 6, 2025

The Cyware Threat Intelligence eXchange (CTIX) app is now upgraded using the latest version of Splunk's Add-On Builder.

Version 3.2.4
Feb. 21, 2025

The Cyware Threat Intelligence eXchange (CTIX) app is now upgraded using the latest version of Splunk's Add-On Builder.

Version 3.2.3
Jan. 24, 2025

The Cyware Threat Intelligence eXchange (CTIX) app is now upgraded using the latest version of Splunk's Add-On Builder.

Version 3.2.2
Jan. 22, 2025

The Cyware Threat Intelligence eXchange (CTIX) app is now upgraded using the latest version of Splunk's Add-On Builder.

Version 3.2.1
Dec. 3, 2024

We have enhanced the Splunk App for CTIX by updating the Splunk SDK module version and increasing the timeout limit.

Version 3.2.0
March 20, 2024

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. We have added the following improvements to the Splunk App for CTIX to enhance the functionality and user experience:

  1. Added UI check to make sure CTIX Base URL is https.

Version 3.1.5
March 1, 2024

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. We have added the following improvements to the Splunk App for CTIX to enhance the functionality and user experience:

  1. Removed the configuration option to disable TLS certificate verification.
  2. Added UI check to make sure CTIX Base URL is https.

Version 3.1.3
Feb. 9, 2024

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. We have added the following improvements to the Splunk App for CTIX to enhance the functionality and user experience:

  1. Renamed current tags as rules_label.
  2. Added tags and analyst_score to fields that can be fetched from CTIX.

Version 3.1.1
Feb. 2, 2024

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. We have added the following improvements to the Splunk App for CTIX to enhance the functionality and user experience:

  1. Configuring the KV Store Collection Name is now optional in environments where writing to a KV store is not wanted.
  2. Improved debug logging.

Version 3.1.0
Oct. 27, 2023

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. We have added the following improvements to the Splunk App for CTIX to enhance the functionality and user experience:

  1. A new dashboard that simplifies data visualization, providing insights into total IOC count, their breakdown by type or source, and other key metrics
  2. The Splunk-polled CTIX data has been enhanced with additional fields that provide a more detailed overview of the IOCs, thereby providing more insights into CTIX data
  3. The app has been enabled with the capability to enrich indicators in Splunk index from CTIX data

Version 3.0.8
Sept. 15, 2023

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. If you are using CTIX on any version before 3.0, we recommend you install version 2.2.9 of this connector app.

We have added the following improvements to the Splunk App for CTIX.

  • Improved support for throttling the number of API calls when the interval is configured to a very low number. Recommended interval is 300 seconds.

Version 3.0.7
Aug. 17, 2023

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. If you are using CTIX on any version before 3.0, we recommend you install version 2.2.9 of this connector app.

We have added the following improvements to the Splunk App for CTIX.

  • App supports pushing Saved Result Set data into an index as well as the KV store.
  • Added indicator subtype to support hashes.

Version 3.0.4
June 13, 2022

This connector app is compatible with Cyware Threat Intelligence eXchange (CTIX) version 3.0 and later. If you are using CTIX on any version before 3.0, we recommend you install version 2.2.9 of this connector app.

We have added the following improvements to the Splunk App for CTIX.

  • The app is now compatible with the Saved Result Set v3 action for Rule. The Saved Result Set v2 action for Rule is no longer supported.
  • The following threat data fields are deprecated and are no longer supported.
    • risk_severity
    • criticality

Version 2.2.9
April 8, 2022

Splunk app for CTIX now supports:
- Fetching tags related to Threat Intel from CTIX
- User can choose from the list of available fields from CTIX
- Minor Bug Fixes

Version 2.2.4
Oct. 16, 2020

The CTIX add-on app for Splunk Enterprise

  • Allows users to pull threat indicator data processed from the CTIX application.
  • Allows users to configure multiple instances for pulling and updating Lookup tables based on Tags and Saved Result Sets created in the CTIX application. The complete data set can also be pulled if Tags are not specified.
  • Allows users to configure multiple instances to add and store different input data into custom Lookup tables as required.
  • Allows users to additionally store the Request Parameters and Response data in Index.
  • Now, Lookups are stored as KV Stores instead of CSV enabling storage of large amounts of dynamic data.
  • Allows replacing IOCs that already exist in the Lookup table, instead of adding them as a new record. This also helps to avoid duplication of IOCs within the same Lookup table.
  • Allows users to enable/disable verification of TLS certificates
  • Support for proxy configuration
