Verizon Autonomous Threat Hunting Alerts Add-on

SHA256 checksum (verizon-autonomous-threat-hunting-alerts-add-on_123.tgz) aeb2749eea01e60c2cbb97b45ac783d6d49e7d3cf59c48da2da5012852c57446

The Verizon Autonomous Threat Hunting Alerts Add-on provides an integration between Splunk and the Verizon Autonomous Threat Hunting service. It implements the indexing of communications flagged by Verizon Autonomous Threat Hunting as suspicious into Splunk, using the Verizon Autonomous Threat Hunting v2 API. This Add-on is meant to be used with the Verizon Autonomous Threat Hunting App for Splunk (https://splunkbase.splunk.com/app/3711), since it follows the v2 API JSON format for the ingested events.

The Verizon Autonomous Threat Hunting engine uses groundbreaking machine learning and data science techniques, cyber threat intelligence indicators from a variety of sources, and the historical patterns of communications of each organization's network to determine a very small subset of potentially infected or compromised machines. This technology is known for generating very accurate results and is able to extrapolate from existing threat data to detect novel threats before other existing security products.

Introduction

Upon receiving those suspicious communications, organizations' information security monitoring, digital forensics and/or incident response teams can then focus on the analysis of the small group of internal machines that originated them.

Terms of Use

You are not allowed to use this App unless you have an existing Service or Trial contract with Verizon for the use of this product Verizon Autonomous Threat Hunting and have reviewed and agreed to all the contractual terms of that contract.

Installation and Setup

This application was built using the Splunk Add-on Builder version 2.2.0, and has the following requirements to work properly:

After ensuring that all the above requirements are met, you should install the add-on according to the Splunk documentation.

After installation you should restart Splunk as requested, go to the Inputs tab and click on Create New Input. Then, fill in the following fields:

  • Name: a user-defined unique name for this Verizon Autonomous Threat Hunting alert input;

  • Interval: the frequency with which the add-on will check for new alerts; the recommended value is 600 seconds;

  • Index: select which Splunk index to save events into;

  • API Key: the Verizon Autonomous Threat Hunting API key as generated on the Verizon Autonomous Threat Hunting Portal.

  • Organization IDs: this optional field can contain a list of Verizon Autonomous Threat Hunting API organization IDs to collect alerts from. This is particularly useful for MSSPs or resellers which might have access to alerts from several organizations. Leaving this blank will mean all alerts from all organizations will be indexed into Splunk.

The Splunk cluster member on which you installed this add-on will need HTTPS access to api.niddel.com in order to download alerts. If necessary, go to the Configuration tab and set the proxy hostname or IP, port, username and password to ensure the communication is allowed.

Clean and re-download all alerts

It is possible to delete and re-download all Niddel Magnet alerts, in essence forcing the Verizon Autonomous Threat Hunting Add-on for Splunk to start its importing from scratch. You should not do this unless directed by the Verizon Autonomous Threat Hunting Support staff, though.

The procedure consists of just two steps:

  1. Delete all existing alerts;
  2. Delete the Add-on's download checkpoint KV Store collection.

Delete all existing alerts

This step is necessary to avoid having duplicate events indexed into Splunk.

Make sure you are logged in to Splunk as a user with the delete_by_keyword capability. Then, execute the following search:

sourcetype=niddel:alert | delete

If the events are stored into protected indexes, such as main and _internal, read this Splunk Answers entry for additional steps that might be necessary.

Please be advised that delete will not reclaim the disk space that was being used by the events. You can learn more about this command and how to actually reclaim the disk space in its manual page.

Delete the Add-on's download checkpoint KV Store collection

The add-on keeps track of which alerts have already been downloaded by storing checkpoint information into the KV store, as per the Splunk Add-on Builder's helper object methods.

In order to delete this and force all alerts to be re-downloaded, you'll need the curl command-line tool. This is the command you'll need to issue at an operating system command prompt:

curl -k -su 'USERNAME' -X DELETE https://HOSTNAME:8089/servicesNS/nobody/TA-Niddel_Magnet_Alerts_Add-on/storage/collections/data/TA_Niddel_Magnet_Alerts_Add_on_checkpointer

Be sure to replace USERNAME with your Splunk user ID and HOSTNAME with the IP address or hostname of the Splunk server where the Add-on is installed. You will be prompted for your Splunk password.
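The curl command above clears the checkpoint irreversibly. The following added example (not part of the add-on, written here for illustration) performs the same DELETE against the same collection path, but first saves the collection's records to a local file so the reset can be undone via the collection's batch_save endpoint; it assumes the default management port 8089 and Splunk basic authentication.

```python
# Added example (not the add-on's code): back up the download checkpoint
# collection before clearing it, so the reset can be undone with batch_save.
# Assumes the default management port 8089; paths are from the curl command above.
import base64
import json
import ssl
import urllib.request

APP = "TA-Niddel_Magnet_Alerts_Add-on"
COLLECTION = "TA_Niddel_Magnet_Alerts_Add_on_checkpointer"

def collection_url(host, port=8089):
    """REST endpoint of the checkpoint collection (same path the curl DELETE uses)."""
    return (f"https://{host}:{port}/servicesNS/nobody/{APP}"
            f"/storage/collections/data/{COLLECTION}")

def _request(url, user, password, method="GET", body=None, verify_tls=True):
    """Authenticated REST call; verify_tls=False reproduces curl -k (avoid in production)."""
    req = urllib.request.Request(url, data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()

def backup_records(raw_json, path):
    """Write the collection's records (a JSON array) to disk; returns how many were saved."""
    records = json.loads(raw_json)
    with open(path, "w") as fh:
        json.dump(records, fh, indent=2)
    return len(records)

def reset_checkpoint(host, user, password, backup_path, verify_tls=True):
    """Fetch -> back up -> DELETE. Returns the number of records backed up."""
    url = collection_url(host)
    n = backup_records(_request(url, user, password, verify_tls=verify_tls), backup_path)
    _request(url, user, password, method="DELETE", verify_tls=verify_tls)
    return n

def restore_checkpoint(host, user, password, backup_path, verify_tls=True):
    """Undo a reset: re-insert the backed-up records via the collection's batch_save endpoint."""
    with open(backup_path) as fh:
        body = fh.read().encode()
    _request(collection_url(host) + "/batch_save", user, password,
             method="POST", body=body, verify_tls=verify_tls)
```

Run `reset_checkpoint("HOSTNAME", "USERNAME", password, "checkpoint_backup.json")` only when instructed by support; the backup file is what `restore_checkpoint` needs to put the checkpoint back.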

Troubleshooting

The TA will generate detailed logs of its activity to $SPLUNK_HOME/var/log/splunk/ta_niddel_magnet_alerts_add_on_niddel_magnet_alerts.log. By default Splunk indexes this into the _internal index, which allows the following search to be used to view its contents:

index=_internal source="*/ta_niddel_magnet_alerts_add_on_niddel_magnet_alerts.log"

If you have problems, make sure you have a valid API key and that a proxy is correctly configured if needed. Also, ensure your proxy is not blocking access to the Verizon Autonomous Threat Hunting API HTTPS endpoint at https://api.niddel.com.

Finally, you can always open a support ticket by sending an e-mail message to support.splunk@niddel.com.

License

Verizon Autonomous Threat Hunting Alerts Add-on

Copyright 2018, Verizon.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Release Notes

Version 1.2.3
Sept. 10, 2019
  • Updated 'magnetsdk2' to version 1.6.6