The Stamus Networks App for Splunk enables threat hunters, incident responders and other security practitioners who use Splunk to tap into the power of Stamus Network Detection and Response (Stamus NDR) or Suricata to more effectively do their job.
The Stamus Networks App for Splunk allows Splunk Enterprise users to extract information and insights from both the Stamus NDR and open source Suricata sensors. It provides dashboards and reports but also a set of commands to interact with Stamus NDR via its REST API.
The source code of the app is available on GitHub.
Some visualizations depend on the Timeline app and URL Toolbox, which must be installed if they are not already present on your Splunk® instance.
Stamus Network Detection and Response users need to set up connectivity with their Stamus Security Platform (SSP). To do so, create the file local/ssp.conf under the application directory (usually /opt/splunk/etc/apps/stamus_for_splunk) with the following content:
[config]
api_key = SSP_TOKEN
base_url = https://SSP_ADDRESS
check_tls = no
The SSP_TOKEN can be generated from Stamus Security Platform by going to Account Settings via the user icon on the top right and selecting Edit token. Only read access is necessary, so a low-privilege user can be used. The token is a credential: keep local/ssp.conf readable only by the Splunk service account. Note that check_tls = no disables TLS certificate verification for the SSP connection, which exposes the token to anyone able to intercept that traffic; use it only on a trusted management network and enable verification once the Splunk host trusts the certificate presented by SSP.
Stamus NDR features a Host Identification module that builds identity cards of IP addresses seen in the network without storing all raw events. This provides a concise view of the major attributes that can be linked to an IP address.
A host identification entry includes:
All this information is associated with first-seen and last-seen timestamps, so it is possible to know precisely when a username or an HTTP user agent was first seen on a given IP address.
To get the software version of all HTTP servers in a network (here the network named internet):
| snhostsearch filter="services.values.app_proto=http net_info.agg=internet"| spath "services{}.values{}.http.server" | top "services{}.values{}.http.server"
To get all hosts whose recorded HTTP user agent does not match curl*:
| snhostsearch filter="http_user_agent.agent!=curl*" | spath http_user_agent{}.agent output=agent | spath ip | top ip, agent
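As an added example that is not part of the app's documentation, the two searches above can be combined into a hunt over host ID data: list the hosts in the internet network whose recorded HTTP user agents include command-line or scripting clients, one row per host. It assumes the net_info.agg value internet from the first example, that spath returns http_user_agent{}.agent as a multivalue field (as the second example relies on), and the user-agent pattern is a constructed hunting heuristic, not a list provided by the app.

```spl
| snhostsearch filter="net_info.agg=internet"
| spath ip
| spath "http_user_agent{}.agent" output=agent
| mvexpand agent
| where match(agent, "(?i)^(curl|wget|python-requests|powershell)")
| stats values(agent) as scripted_agents, dc(agent) as agent_count by ip
| sort -agent_count
```

Because snhostsearch returns one entry per IP address rather than raw events, this runs against the compact host ID set and stays cheap even on large deployments; widen or narrow the regular expression to match the tooling that is expected on your network.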
The snhostfilter command allows you to select only events where src_ip or dest_ip is in the host ID set defined by the filter.
The following search returns all alerts for hosts running a service on port 443.
event_type="alert" | snhostfilter filter="services.port=443"
The snhostlookup lookup resolves an IP address to a hostname (and the reverse) using the hostname information collected by SSP.
The following search returns all alert events and resolves the destination IP to a hostname.
event_type="alert"| lookup snhostlookup ip as dest_ip| stats count by hostname
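The following is an added example, not a search from the app's documentation, that chains snhostfilter and snhostlookup: restrict alerts to hosts that expose a service on port 443, resolve both ends of each alert to hostnames, and rank the resulting signatures per destination. It assumes the Suricata EVE field alert.signature is present on alert events (the standard Suricata field name) and that the app's stamus_index macro or a plain index restriction is added in front of it as appropriate for your deployment.

```spl
event_type="alert"
| snhostfilter filter="services.port=443"
| lookup snhostlookup ip as dest_ip OUTPUT hostname as dest_hostname
| lookup snhostlookup ip as src_ip OUTPUT hostname as src_hostname
| stats count, dc(src_ip) as sources, values(src_hostname) as source_hosts by dest_hostname, dest_ip, alert.signature
| sort -count
```

Keeping dest_ip in the by clause alongside dest_hostname avoids merging distinct servers that resolve to the same name, and the source count exposes signatures fired by many clients against one TLS endpoint, which is a more useful triage ordering than a raw alert count.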
The threat radar inside Stamus NDR generates events with type stamus: high-fidelity events produced by signatures or custom algorithms. These events are also mapped to the cyber kill chain to identify the phase of the attack.
Get threats by network and use snthreatfilter to resolve threat_id to a threat name:
event_type="stamus" | eval Network = if('stamus.asset_net_info' == "", "Unknown", 'stamus.asset_net_info') | snthreatfilter | stats dc(stamus.asset) as Assets by Network, threat_name
You can also look up the threat family information via the snthreatfamilylookup lookup:
event_type="stamus" | lookup snthreatfamilylookup family_id as stamus.family_id | top family_name
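As an added example that is not part of the app's documentation, the threat name resolution and the family lookup above can be combined into a single overview of active threats: per family, threat and network, the number of distinct assets involved together with the first and last time each was seen. It reuses only fields shown on this page (stamus.asset, stamus.asset_net_info, stamus.family_id, threat_name, family_name) plus the event timestamp _time; the Unknown label for an empty network is the convention from the search above.

```spl
event_type="stamus"
| snthreatfilter
| lookup snthreatfamilylookup family_id as stamus.family_id OUTPUT family_name
| eval Network = if('stamus.asset_net_info' == "", "Unknown", 'stamus.asset_net_info')
| stats dc(stamus.asset) as assets, values(stamus.asset) as asset_list, min(_time) as first_seen, max(_time) as last_seen by family_name, threat_name, Network
| eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -assets
```

Sorting by distinct assets rather than by event count surfaces threats that are spreading across the network instead of a single noisy host, and the first_seen/last_seen pair gives the dwell time to carry into an incident ticket.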
A new lookup to fetch signature definitions from Stamus Security Platform has been added. Integration with complex infrastructure and Splunk Enterprise Security has been improved.
Fix for deployments where the stamus_index macro was missing.
Add a file transfer information dashboard for Suricata and Stamus Networks users.
Improved CIM support.
This release introduces:
- 2 new anomaly dashboards based on NSM and host ID data for Scirius Security Platform.
- 1 anomaly dashboard based on NSM data for Suricata sensors.
Fix errors and warnings found by the application checker.
Initial release.
Features:
- dashboards for Suricata and Scirius Security Platform from Stamus Networks
- hostidsearch: search host identification entries in Scirius Security Platform
- hostidfilter: filter query on host matching a request done in host identification entries
- stamusthreatfilter: resolves Stamus threat id to Stamus threat name
- hostidlookup: do ip to hostname resolution and reverse using host identification data