
Verizon Autonomous Threat Hunting App for Splunk

Splunk AppInspect Passed
The Verizon Autonomous Threat Hunting App for Splunk provides an integration between Splunk and the Verizon Autonomous Threat Hunting service. It implements dashboards to visualize the events ingested using the Verizon Autonomous Threat Hunting Alerts Add-on (https://splunkbase.splunk.com/app/3710). It also allows the collection and submission of statistical summaries extracted from the Splunk log data to the Verizon Autonomous Threat Hunting processing engine.

The Verizon Autonomous Threat Hunting engine uses groundbreaking machine learning and data science techniques, cyber threat intelligence indicators from a variety of sources, and the historical patterns of communications of each organization's network to determine a very small subset of potentially infected or compromised machines. This technology is known for generating very accurate results and is able to extrapolate from existing threat data to detect novel threats before other existing security products.

Upon receiving those suspicious communications, organizations' information security monitoring, digital forensics and/or incident response teams can then focus on the analysis of the small group of internal machines that originated them.

Terms of Use

You are not allowed to use this App unless you have an existing Service or Trial contract with Verizon for the use of the Verizon Autonomous Threat Hunting product and have reviewed and agreed to all the contractual terms of that contract.

Pre-Requisites and Installation

This application has the following requirements to work properly:

  • Splunk 6.5 or above;

  • Valid Verizon Autonomous Threat Hunting API key made available to customers or evaluation users. If you are currently neither a customer nor an evaluation user, contact us at contact@niddel.com;

  • CIM-compliant log data from perimeter firewalls, web proxy or URL filtering solutions indexed in Splunk that allow traffic originating from your endpoints towards the outside world to be analyzed. It is also critical that the CIM fields be visible on a system level for this to work;

  • The list of all the public IPv4 ranges owned by your organization, such as those used in DMZs;

  • The list of all DNS domains used by your organization, including internal domains used in Active Directory and internal web applications;

  • If you are a Splunk Enterprise user, ensure the maxchars entry of the kv stanza of limits.conf is equal to or greater than 102400. If you are a Splunk Cloud customer, please contact support to ensure this is properly configured on your cluster.

  • If you are a Splunk Enterprise user, ensure the maxresultrows entry of the searchresults stanza of limits.conf is set to exactly 50000. It must not be less than 50000, and setting it higher than 50000 causes instability.
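The two limits.conf prerequisites above are easy to get subtly wrong (one is a minimum, the other an exact value). The following checker is an added example, not part of the app; it parses a limits.conf fragment with Python's configparser and reports both conditions. The sample fragment is constructed and deliberately violates the maxchars requirement.

```python
import configparser

# Constructed limits.conf fragment (not from a real deployment): maxchars is
# deliberately too small so the checker has something to report.
SAMPLE_LIMITS_CONF = """
[kv]
maxchars = 10240

[searchresults]
maxresultrows = 50000
"""

KV_MAXCHARS_MIN = 102400             # [kv] maxchars must be >= this
SEARCHRESULTS_MAXRESULTROWS = 50000  # [searchresults] maxresultrows must be exactly this


def check_limits_conf(text):
    """Return a list of problems found in a limits.conf fragment.

    An empty list means both prerequisites are satisfied. Missing stanzas or
    keys are reported as well, since Splunk then falls back to its defaults.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    problems = []

    maxchars = cp.getint("kv", "maxchars", fallback=None)
    if maxchars is None:
        problems.append("[kv] maxchars is not set")
    elif maxchars < KV_MAXCHARS_MIN:
        problems.append(f"[kv] maxchars={maxchars} is below the required {KV_MAXCHARS_MIN}")

    rows = cp.getint("searchresults", "maxresultrows", fallback=None)
    if rows is None:
        problems.append("[searchresults] maxresultrows is not set")
    elif rows != SEARCHRESULTS_MAXRESULTROWS:
        problems.append(
            f"[searchresults] maxresultrows={rows} must be exactly {SEARCHRESULTS_MAXRESULTROWS}"
        )
    return problems


def check_limits_file(path):
    """Convenience wrapper: run the check against an on-disk limits.conf."""
    with open(path, encoding="utf-8") as fh:
        return check_limits_conf(fh.read())


if __name__ == "__main__":
    for problem in check_limits_conf(SAMPLE_LIMITS_CONF):
        print(problem)
```

Point check_limits_file at the effective limits.conf (for example under $SPLUNK_HOME/etc/system/local) rather than the default file, since local settings override the defaults.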

After ensuring that all the above requirements are met, you should install the app according to the Splunk documentation.

After installation you should restart Splunk as requested, navigate to the Verizon Autonomous Threat Hunting app and you will be directed to the Credentials setup page.

Credentials Setup

The first thing that needs to be set up is credentials and connectivity to the Verizon Autonomous Threat Hunting API. This setup page will need to read and write secrets to the Splunk storage passwords functionality for security reasons. Due to Splunk requirements, this means this setup page can only be fully utilized by user accounts with the admin_all_objects capability.

  • API Key should be set to a valid Verizon Autonomous Threat Hunting API key.

  • Proxy Server Address and Proxy Server Port should be filled respectively with an IP address or hostname and a TCP port if an HTTPS proxy must be used to contact api.niddel.com from the Search Head where this app was installed. Otherwise, leave these fields blank.

  • Username and Password should be filled only if a proxy is in use and it requires authentication. Otherwise, leave these fields blank.

When the Save button is clicked, the app will test its connectivity and attempt to use the provided API key and/or proxy settings to contact the Verizon Autonomous Threat Hunting API. The settings will not be saved unless this test succeeds.

Log Collection Setup

Once the credentials have been set up, you can configure the app to collect statistical summaries based on the log data indexed into Splunk and submit them to the Verizon Autonomous Threat Hunting engine for analysis.

  • Organization selects the organization or sub-organization whose logs you want to submit to the Verizon Autonomous Threat Hunting engine. Since app version 2.1.5, an API key that has access to multiple organizations can submit logs for several of them, because the settings and saved searches are stored separately for each organization within the Splunk instance.

Network Topology:

Since app version 2.1.5, the network topology settings are collected from the Verizon Autonomous Threat Hunting service and saved to the local Splunk deployment settings.

  • Public IPv4 ranges must contain a list of public subnets that are owned by your organization, in CIDR notation. It is critical that all networks with valid IP address ranges, such as DMZs, be listed here so that the app can correctly separate outbound traffic from inbound and internal traffic.

  • Public and internal DNS domains must contain a list of DNS domains that are owned by your organization. It is critical that all domains used publicly and internally are included. For example, domains used in Active Directory, internal web systems, public e-mail addresses and public websites should be listed.

  • Countries defines the countries present in the organization's network topology. This information is highly relevant, since the Verizon Autonomous Threat Hunting engine uses it to learn the geographical context of outbound traffic when evaluating it against whitelists and threat intelligence indicators of compromise.

  • Recursive DNS Servers, Web Proxy servers, Mail Servers and Exclude Public IPv4 ranges give the Verizon Autonomous Threat Hunting engine more clarity on the roles of the internal network assets owned by your organization and help prevent false positive alerts during automated threat hunting detection.
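Why the Public IPv4 ranges and DNS domains lists matter is easiest to see with a small classifier. The code below is an added example, not the app's own logic: it labels CIM-style src/dest pairs as internal, outbound, inbound or external using RFC 1918 space plus the organization's public CIDRs, and checks DNS query names against the organization's domains. The topology and events are constructed; note how leaving the DMZ range out of the list miscounts traffic to and from the DMZ.

```python
import ipaddress

# Constructed topology (assumptions for this example, not a real organization):
# one public DMZ range and two organization domains.
PUBLIC_RANGES = ["203.0.113.0/24"]
ORG_DOMAINS = ["example.com", "corp.example.local"]
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_internal_networks(public_ranges):
    """Everything the organization owns: RFC 1918 space plus its public CIDRs."""
    return [ipaddress.ip_network(n, strict=False) for n in PRIVATE_RANGES + list(public_ranges)]


def is_internal(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify_flow(src, dest, networks):
    """Direction of a CIM Network_Traffic event relative to the organization."""
    s, d = is_internal(src, networks), is_internal(dest, networks)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def is_org_domain(query, domains):
    """True if a DNS query name is one of the organization's domains or a subdomain of one."""
    name = query.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in (x.lower() for x in domains))


# Constructed events: workstation -> DMZ web server, DMZ server -> Internet,
# workstation -> Internet.
EVENTS = [
    {"src": "10.1.2.3", "dest": "203.0.113.10"},
    {"src": "203.0.113.10", "dest": "198.51.100.77"},
    {"src": "10.1.2.3", "dest": "198.51.100.77"},
]


def count_directions(events, public_ranges):
    """Tally flow directions; pass [] as public_ranges to see the effect of a missing DMZ."""
    networks = build_internal_networks(public_ranges)
    counts = {}
    for e in events:
        direction = classify_flow(e["src"], e["dest"], networks)
        counts[direction] = counts.get(direction, 0) + 1
    return counts
```

With the DMZ listed the events count as one internal and two outbound flows; with an empty public range list the workstation-to-DMZ flow is miscounted as outbound and the DMZ server's real outbound traffic is discarded as external.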

Upgrading from versions previous to 2.1.5

Before app version 2.1.5, the information for Public IPv4 ranges and Public and internal DNS domains was configured locally in the Splunk deployment. If you are upgrading to version 2.1.5 or newer, a screen similar to the screenshot below will be presented so that you can compare and review the network topology stored by the older version against the new settings collected from the Verizon Autonomous Threat Hunting engine.

Once you have compared and reviewed the network topology settings, you can click the Delete Local Settings button, and the following warning will be presented as a confirmation prior to the deletion.

General Settings

  • Perform reverse DNS lookup of source IPs controls whether this app attempts to resolve the hostnames of the internal endpoints seen in the log data when necessary. See Reverse DNS Resolution below for more details.

  • Collect user IDs controls whether this app attempts to collect the user IDs present in the log data (as per the user CIM field).

  • Collect firewall logs must be checked if you wish firewall logs to be collected by the app and uploaded to the Verizon Autonomous Threat Hunting engine for processing. If you have established alternative ways of submitting your firewall logs or wish to use this app just to view the results of the analysis, uncheck this. Otherwise, leave it checked.

  • Firewall logs search must contain a valid Splunk search query that selects the existing perimeter firewall log data. It is important that the firewall log data be normalized according to what is described in the CIM Network Traffic data model.

  • Collect web proxy logs must be checked if you wish web proxy logs to be collected by the app and uploaded to the Verizon Autonomous Threat Hunting engine for processing. If you have established alternative ways of submitting your web proxy logs or wish to use this app just to view the results of the analysis, uncheck this. Otherwise, leave it checked.

  • Web proxy logs search must contain a valid Splunk search query that selects the existing IDS log data. It is important that the IDS log data be normalized according to what is described in the CIM Web proxy data model.

  • DNS log collection is supported since Niddel Splunk App version 2.1.4.

  • Collect DNS logs must be checked if you wish DNS logs to be collected by the app and uploaded to the Verizon Autonomous Threat Hunting engine for processing. If you have established alternative ways of submitting your DNS logs or wish to use this app just to view the results of the analysis, uncheck this. Otherwise, leave it checked.

  • DNS logs search must contain a valid Splunk search query that selects the existing DNS log data. It is important that the DNS log data be normalized according to what is described in the CIM DNS data model.

Reverse DNS Resolution

This app can optionally use the built-in reverse DNS lookup Splunk functionality to try to find out the hostname of each internal machine observed on the firewall logs. This will only be done if the machine hostnames are not present on the logs already and stored on src_nt_host, src_host or src CIM fields.

Having the hostname can greatly improve your team's ability to investigate suspicious communications, and we highly recommend enabling this where possible. See Log Collection Setup above for details on how to enable it. This is usually not recommended for Splunk Cloud customers, since their search heads will not typically be using the on-premises corporate DNS servers for name resolution.

Great effort was taken to avoid resolving each machine more than once each hour to reduce any performance impact. Still, please monitor the performance of your Splunk cluster and of the recursive DNS server it uses after enabling this.
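The two behaviours described in this section (only resolve when no hostname field is already populated; resolve each address at most once per hour) can be expressed as a small cache. The following is an added example, not the app's implementation; it assumes the fields are consulted in the order src_nt_host, src_host, src, which the text lists but does not state as a precedence, and it injects the resolver and clock so the throttling can be verified offline.

```python
import ipaddress
import socket
import time

# Assumption: the app's text lists src_nt_host, src_host and src; this example
# checks them in that order and treats any non-IP value as a usable hostname.
HOST_FIELDS = ("src_nt_host", "src_host", "src")


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class ReverseDnsCache:
    """Resolve an IP to a hostname at most once per TTL window (default one hour).

    Failed lookups are cached as None so an address without a PTR record is
    not retried on every event, which keeps load on the recursive resolver flat.
    """

    def __init__(self, resolver=socket.gethostbyaddr, ttl=3600, clock=time.monotonic):
        self._resolver, self._ttl, self._clock = resolver, ttl, clock
        self._cache = {}   # ip -> (hostname or None, timestamp of last real lookup)
        self.lookups = 0   # number of real resolver calls, useful for monitoring

    def lookup(self, ip):
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]
        self.lookups += 1
        try:
            name = self._resolver(ip)[0]
        except OSError:    # socket.herror and socket.gaierror are OSError subclasses
            name = None
        self._cache[ip] = (name, now)
        return name


def hostname_for_event(event, cache):
    """Prefer a hostname already present in the event; fall back to reverse DNS on src."""
    for field in HOST_FIELDS:
        value = event.get(field)
        if value and not _is_ip_literal(value):
            return value
    src = event.get("src")
    return cache.lookup(src) if src and _is_ip_literal(src) else None
```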

Troubleshooting

This app will generate detailed logs of its activity to $SPLUNK_HOME/var/log/splunk/niddel2.log. By default Splunk indexes this into the _internal index, which allows the following search to be used to view its contents:

index=_internal source="*/niddel2.log"

Web Proxy

If you have problems, make sure you have a valid API key and that a proxy is correctly configured if needed. Also, ensure your proxy is not blocking access to the Verizon Autonomous Threat Hunting API HTTPS endpoint at https://api.niddel.com.

SSL Errors

Some customers have reported SSL errors on the communication with the Verizon Autonomous Threat Hunting API, which will include the following log line:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)

This error can be caused by proxies or next-generation firewalls that perform SSL inspection of HTTPS traffic. The solution in this case is to configure appropriate exceptions:

* https://api.niddel.com for Splunk cluster members running both the add-on and the app;
* AWS S3 API endpoints for Splunk cluster members running the app.

Finally, you can always open a support ticket by sending an e-mail message to support.splunk@niddel.com.

License

Verizon Autonomous Threat Hunting App for Splunk

Copyright 2018, Verizon.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Release Notes

Version 2.1.8
Oct. 17, 2019

* DNS log collection optimization

Version 2.1.7
Sept. 10, 2019

* Updated 'magnetsdk2' to version 1.6.6
