The Verizon Autonomous Threat Hunting Alerts Add-on provides an integration between Splunk and the Verizon Autonomous Threat Hunting service. It implements the indexing of communications flagged as suspicious by Verizon Autonomous Threat Hunting to Splunk events, using the Verizon Autonomous Threat Hunting v2 API. This Add-on is meant to be used with the Verizon Autonomous Threat Hunting App for Splunk, since it follows the v2 API JSON format for the ingested events.
The Verizon Autonomous Threat Hunting engine uses groundbreaking machine learning and data science techniques, cyber threat intelligence indicators from a variety of sources, and the historical patterns of communications of each organization's network to determine a very small subset of potentially infected or compromised machines. This technology is known for generating very accurate results, and is able to extrapolate from existing threat data to detect novel threats before other existing security products.
Upon receiving those suspicious communications, organizations' information security monitoring, digital forensics and/or incident response teams can then focus on the analysis of the small group of internal machines that originated them.
You are not allowed to use this App unless you have an existing Service or Trial contract with Verizon for the use of this product Verizon Autonomous Threat Hunting and have reviewed and agreed to all the contractual terms of that contract.
This application was built using the Splunk Add-on Builder version 2.2.0, and has the following requirements to work properly:
Splunk 6.5 or above;
A valid Verizon Autonomous Threat Hunting (Magnet) API key, which is made available to customers and evaluation users. If you are currently neither a customer nor an evaluation user, contact us at firstname.lastname@example.org.
After ensuring that all the above requirements are met, you should install the add-on according to the Splunk documentation.
After installation you should restart Splunk as requested, go to the Inputs tab and click on Create New Input. Then, fill in the following fields:
Name: a user-defined unique name for this Verizon Autonomous Threat Hunting alert input;
Interval: how often, in seconds, the add-on checks for new alerts; the recommended value is 600 seconds;
Index: select which Splunk index to save events into.
API Key: the Verizon Autonomous Threat Hunting API key as generated on the Verizon Autonomous Threat Hunting Portal.
Organization IDs: this optional field can contain a list of Verizon Autonomous Threat Hunting API organization IDs to collect alerts from. This is particularly useful for MSSPs or resellers which might have access to alerts from several organizations. Leaving this blank will mean all alerts from all organizations will be indexed into Splunk.
The Splunk cluster member into which you installed this add-on will need to have HTTPS access to api.niddel.com in order to download alerts. If necessary, go to the Configuration tab and set the proxy hostname or IP, port, username and password to ensure the communication is allowed.
It is possible to delete and re-download all Niddel Magnet alerts, in essence forcing the Verizon Autonomous Threat Hunting Add-on for Splunk to start its importing from scratch. You should not do this unless directed by the Verizon Autonomous Threat Hunting Support staff, though.
The procedure consists of just two steps:
Delete all Existing Alerts;
Delete the Add-on's Download Checkpoint KV Store Collection.
The first step, deleting the existing alerts, is necessary to avoid having duplicate events indexed into Splunk once the alerts are downloaded again.
Make sure you are logged in to Splunk as a user with the delete_by_keyword capability. Then, execute the following search:
sourcetype=niddel:alert | delete
If the events are stored into protected indexes, such as _internal, read this Splunk Answers entry for additional steps that might be necessary.
Please be advised that delete will not reclaim the disk space that was being used by the events. You can learn more about this command and how to actually reclaim the disk space in its manual page.
The add-on keeps track of which alerts have already been downloaded by storing checkpoint information into the KV store, as per the Splunk Add-on Builder's helper object methods.
In order to delete this and force all alerts to be re-downloaded, you'll need the curl command-line tool. This is the command you'll need to issue at an operating system command prompt:
curl -k -su 'USERNAME' -X DELETE https://HOSTNAME:8089/servicesNS/nobody/TA-Niddel_Magnet_Alerts_Add-on/storage/collections/data/TA_Niddel_Magnet_Alerts_Add_on_checkpointer
Be sure to replace USERNAME with your Splunk user ID and HOSTNAME with the IP address or hostname of the Splunk server where the Add-on is installed. You will be prompted for your Splunk password.
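The reset procedure above only makes sense if the two steps are performed in the documented order, because the add-on's download checkpoint is the only thing preventing an alert that is already indexed from being indexed again. The following is an added model of that behaviour, not code from the add-on or from Verizon: an in-memory dictionary stands in for the KV store checkpoint collection, a list stands in for the Splunk index, and a constructed list of alerts stands in for the v2 API response. The alert field names, the numeric id used as the checkpoint, and the CHECKPOINT_KEY name are assumptions made for the illustration. It also models the optional Organization IDs input field (a blank value means every organization is collected), so both the input configuration and the reset procedure can be exercised.

```python
"""Model of checkpoint-based alert polling and of the two reset steps.

Added illustration only: constructed sample data, in-memory stand-ins for the
Splunk index and the KV store checkpoint collection. The real add-on talks to
the Verizon Autonomous Threat Hunting v2 API and stores its checkpoint via the
Splunk Add-on Builder helper.
"""
from dataclasses import dataclass, field

# Constructed sample alerts standing in for a v2 API response. The field names
# and the increasing numeric id are assumptions for this example.
SAMPLE_ALERTS = [
    {"id": 1, "organization_id": "org-a", "src_ip": "10.0.0.5", "dest": "198.51.100.7"},
    {"id": 2, "organization_id": "org-b", "src_ip": "10.0.1.9", "dest": "203.0.113.4"},
    {"id": 3, "organization_id": "org-a", "src_ip": "10.0.0.12", "dest": "198.51.100.7"},
    {"id": 4, "organization_id": "org-c", "src_ip": "10.0.2.3", "dest": "203.0.113.9"},
]

CHECKPOINT_KEY = "last_alert_id"  # hypothetical key name, not the add-on's


def parse_org_ids(raw):
    """Parse the optional Organization IDs field; blank means all organizations."""
    if raw is None or not raw.strip():
        return None
    return {part.strip() for part in raw.split(",") if part.strip()}


def fetch_alerts(api_alerts, since_id, org_ids):
    """Stand-in for the API call: alerts newer than the checkpoint, filtered by org."""
    return [
        a for a in api_alerts
        if a["id"] > since_id and (org_ids is None or a["organization_id"] in org_ids)
    ]


@dataclass
class AddonState:
    """The two stores involved in a reset: the Splunk index and the checkpoint."""
    index: list = field(default_factory=list)    # events indexed into Splunk
    kvstore: dict = field(default_factory=dict)  # checkpoint KV store collection


def poll(state, api_alerts, org_ids_raw=""):
    """One scheduled run: read checkpoint, fetch new alerts, index, advance checkpoint."""
    org_ids = parse_org_ids(org_ids_raw)
    since = state.kvstore.get(CHECKPOINT_KEY, 0)
    new = fetch_alerts(api_alerts, since, org_ids)
    state.index.extend(new)
    if new:
        state.kvstore[CHECKPOINT_KEY] = max(a["id"] for a in new)
    return len(new)


def reset_checkpoint_only(state):
    """What deleting the checkpointer collection alone does (step 2 without step 1)."""
    state.kvstore.clear()


def full_reset(state):
    """The documented order: delete existing alerts first, then the checkpoint."""
    state.index.clear()    # equivalent of: sourcetype=niddel:alert | delete
    state.kvstore.clear()  # equivalent of the DELETE on the checkpointer collection


def duplicate_count(state):
    """Number of alert copies in the index beyond the first occurrence of each id."""
    ids = [a["id"] for a in state.index]
    return len(ids) - len(set(ids))


if __name__ == "__main__":
    s = AddonState()
    print("first run indexed", poll(s, SAMPLE_ALERTS))
    print("second run indexed", poll(s, SAMPLE_ALERTS), "duplicates", duplicate_count(s))
    reset_checkpoint_only(s)
    print("checkpoint-only reset then poll: duplicates", duplicate_count(s) or poll(s, SAMPLE_ALERTS) and duplicate_count(s))
    full_reset(s)
    print("full reset then poll for org-a,org-b indexed", poll(s, SAMPLE_ALERTS, "org-a, org-b"),
          "duplicates", duplicate_count(s))
```

Running the script shows a second poll indexing nothing, a checkpoint-only reset followed by a poll producing one duplicate per alert, and a full reset followed by a poll producing none. One practical note on the curl command itself: the -k flag makes curl skip TLS certificate verification of the Splunk management port, so omit it where the server presents a certificate your system already trusts.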
The TA will generate detailed logs of its activity to $SPLUNK_HOME/var/log/splunk/ta_niddel_magnet_alerts_add_on_niddel_magnet_alerts.log. By default Splunk indexes this into the _internal index, which allows the following search to be used to view its contents:
If you have problems, make sure you have a valid API key and that a proxy is correctly configured if needed. Also, ensure your proxy is not blocking access to the Verizon Autonomous Threat Hunting API HTTPS endpoint at api.niddel.com.
Finally, you can always open a support ticket by sending an e-mail message to email@example.com.
Verizon Autonomous Threat Hunting Alerts Add-on
Copyright 2018, Verizon.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.