The Stamus Networks App for Splunk enables threat hunters, incident responders and other security practitioners who use Splunk to tap into the power of Scirius Security Platform (SSP) or Suricata and do their job more effectively.
The Stamus Networks App for Splunk allows Splunk Enterprise users to extract information and insights from both the Scirius Security Platform and open source Suricata sensors. It provides dashboards and reports but also a set of commands to interact with Scirius Security Platform via its REST API.
The app's source code is available on GitHub.
Some visualizations depend on the Timeline App, which must be installed if it is not already present on your Splunk® instance.
Scirius Security Platform users need to set up connectivity with their SSP. To do so, create a file local/ssp.conf under the application directory (usually /opt/splunk/etc/apps/stamus_for_splunk) with the following content:
[config]
api_key = SSP_TOKEN
base_url = https://SSP_ADDRESS
check_tls = no
The SSP_TOKEN can be generated in Scirius Security Platform by going to Account Settings via the user icon on the top right and selecting Edit token. Only read access is necessary, so a low-privilege user can be used.
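The settings above are the whole trust relationship between Splunk and the SSP: a token that must not leak and a check_tls switch that, when set to no, turns off certificate verification. The following is an added example, not code from the Stamus Networks app, that parses local/ssp.conf and audits it before any REST call is made. The section and key names come from the page; the Authorization header scheme and the endpoint path are assumptions and are marked as such in the code.

```python
# Added example, not part of the Stamus Networks app: parse local/ssp.conf and
# audit it before any REST call is made. Section and key names come from the
# page; the Authorization header format and the endpoint path are assumptions.
import configparser
import stat
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed copy of the page's template, with the placeholders left in.
SAMPLE_CONF = """[config]
api_key = SSP_TOKEN
base_url = https://SSP_ADDRESS
check_tls = no
"""

PLACEHOLDER_TOKENS = {"", "SSP_TOKEN"}


def parse_ssp_config(text: str) -> Dict[str, object]:
    """Read the [config] section; check_tls becomes a real boolean."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["config"]
    return {
        "api_key": section.get("api_key", "").strip(),
        "base_url": section.get("base_url", "").strip().rstrip("/"),
        "check_tls": section.getboolean("check_tls", fallback=True),
    }


def load_ssp_config(path: str) -> Dict[str, object]:
    """Same as parse_ssp_config, but read from the file under the app directory."""
    with open(path, encoding="utf-8") as fh:
        return parse_ssp_config(fh.read())


def audit_ssp_config(cfg: Dict[str, object], file_mode: Optional[int] = None) -> List[str]:
    """Return the findings a practitioner should fix before enabling the app."""
    findings = []
    if cfg["api_key"] in PLACEHOLDER_TOKENS:
        findings.append("api_key is empty or still the SSP_TOKEN placeholder")
    if urlparse(str(cfg["base_url"])).scheme != "https":
        findings.append("base_url is not https: the API token would be sent in clear text")
    if not cfg["check_tls"]:
        findings.append("check_tls=no disables certificate verification; trust the SSP CA instead")
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ssp.conf is readable by group or other users; it holds the API token")
    return findings


def request_settings(cfg: Dict[str, object]) -> Dict[str, object]:
    """Turn the config into keyword arguments for an HTTP client such as requests.get()."""
    return {
        # Hypothetical path; the real SSP endpoints are not listed on the page.
        "url": f"{cfg['base_url']}/rest/HYPOTHETICAL_ENDPOINT/",
        # Token header scheme is assumed; check the SSP API documentation.
        "headers": {"Authorization": f"Token {cfg['api_key']}"},
        "verify": bool(cfg["check_tls"]),  # maps directly onto requests' verify flag
    }


if __name__ == "__main__":
    for finding in audit_ssp_config(parse_ssp_config(SAMPLE_CONF), 0o644):
        print("finding:", finding)
```

Run against the page's template with a world-readable file mode, the audit reports the placeholder token, the disabled TLS check and the permissive mode; a token-bearing file with check_tls = yes, an https base_url and mode 0600 passes clean. The file mode argument is passed in explicitly so the check can also run over a value obtained from os.stat on a deployed instance.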
Scirius Security Platform features a Host Identification module that builds identity cards of IP addresses seen in the network without storing all raw events. This provides a concise view of the major attributes that can be linked to an IP address.
A host identification entry includes:
All this information is associated with a first-seen and last-seen timestamp, so it is possible to know precisely when a username or an HTTP user agent was first seen on a given IP address.
To get the software version of all HTTP servers in a network (here internet):
| snhostsearch filter="services.values.app_proto=http net_info.agg=internet"| spath "services{}.values{}.http.server" | top "services{}.values{}.http.server"
To get all hosts whose HTTP user agent is not a version of curl:
| snhostsearch filter="http_user_agent.agent!=curl*" | spath http_user_agent{}.agent output=agent | spath ip | top ip, agent
The snhostfilter command allows you to select only events where src_ip or dest_ip is in the host ID set defined by the filter.
The following search returns all alerts for hosts running a service on port 443.
event_type="alert" | snhostfilter filter="services.port=443"
The snhostlookup lookup resolves an IP address to a hostname (and the reverse) using the hostname information collected by SSP.
The following search returns all alert events and resolves the destination IP to a hostname.
event_type="alert"| lookup snhostlookup ip as dest_ip| stats count by hostname
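The searches above lean on three operations over host identification data: searching entries by attribute (snhostsearch), restricting events to a host set (snhostfilter) and resolving IP addresses to hostnames (snhostlookup). The block below is an added example, not code from the app or from Stamus Networks, that performs the same operations in plain Python over constructed host-ID records and alerts. The record layout only mirrors the field paths the searches reference (services{}.values{}.http.server, http_user_agent{}.agent, net_info.agg); it is an assumption, not the documented SSP schema.

```python
# Added example, not the app's code: the host identification operations the
# SPL searches above express, re-done in Python over constructed records.
# Record layout is assumed from the field paths on the page, not from SSP docs.
from collections import Counter
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Set, Tuple

HOSTS = [  # constructed sample host-ID entries
    {"ip": "10.0.0.5", "hostname": "web1", "net_info": {"agg": "internet"},
     "services": [{"port": 443, "values": [{"app_proto": "http", "http": {"server": "nginx/1.24.0"}}]}],
     "http_user_agent": [{"agent": "curl/8.0", "first_seen": "2024-03-01T08:00:00Z", "last_seen": "2024-03-09T08:00:00Z"}]},
    {"ip": "10.0.0.6", "hostname": "web2", "net_info": {"agg": "internet"},
     "services": [{"port": 80, "values": [{"app_proto": "http", "http": {"server": "Apache/2.4.57"}}]},
                  {"port": 443, "values": [{"app_proto": "http", "http": {"server": "nginx/1.24.0"}}]}],
     "http_user_agent": [{"agent": "Mozilla/5.0", "first_seen": "2024-02-20T12:00:00Z", "last_seen": "2024-03-09T09:30:00Z"},
                         {"agent": "curl/7.88", "first_seen": "2024-03-05T15:00:00Z", "last_seen": "2024-03-05T15:00:00Z"}]},
    {"ip": "10.0.0.7", "hostname": "db1", "net_info": {"agg": "lan"},
     "services": [{"port": 443, "values": [{"app_proto": "http", "http": {"server": "nginx/1.18.0"}}]}],
     "http_user_agent": [{"agent": "python-requests/2.31", "first_seen": "2024-03-08T01:00:00Z", "last_seen": "2024-03-09T01:00:00Z"}]},
    {"ip": "10.0.0.8", "hostname": "printer", "net_info": {"agg": "lan"},
     "services": [{"port": 9100, "values": [{"app_proto": "failed"}]}],
     "http_user_agent": []},
]

ALERTS = [  # constructed event_type="alert" events
    {"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "10.0.0.5"},
    {"event_type": "alert", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.7"},
    {"event_type": "alert", "src_ip": "192.0.2.11", "dest_ip": "10.0.0.8"},
    {"event_type": "alert", "src_ip": "10.0.0.6", "dest_ip": "198.51.100.3"},
]


def http_servers(host: dict) -> Iterable[str]:
    """Yield the server banners recorded under services{}.values{}.http.server."""
    for svc in host.get("services", []):
        for val in svc.get("values", []):
            if val.get("app_proto") == "http" and "server" in val.get("http", {}):
                yield val["http"]["server"]


def top_http_servers(hosts: List[dict], net: str) -> List[Tuple[str, int]]:
    """snhostsearch filter="services.values.app_proto=http net_info.agg=<net>" | top server."""
    counter: Counter = Counter()
    for host in hosts:
        if host.get("net_info", {}).get("agg") == net:
            counter.update(http_servers(host))
    return counter.most_common()


def agents_not_matching(hosts: List[dict], pattern: str) -> List[Tuple[str, str]]:
    """(ip, agent) pairs whose agent does not match the glob, e.g. curl*."""
    return [(h["ip"], ua["agent"]) for h in hosts
            for ua in h.get("http_user_agent", []) if not fnmatchcase(ua["agent"], pattern)]


def agent_first_seen(hosts: List[dict], ip: str, agent: str) -> Optional[str]:
    """First-seen timestamp of an agent on an IP, the per-attribute history SSP keeps."""
    for host in hosts:
        if host["ip"] == ip:
            for ua in host.get("http_user_agent", []):
                if ua["agent"] == agent:
                    return ua.get("first_seen")
    return None


def host_set(hosts: List[dict], port: int) -> Set[str]:
    """The host ID set behind snhostfilter filter="services.port=<port>"."""
    return {h["ip"] for h in hosts if any(s.get("port") == port for s in h.get("services", []))}


def filter_events(events: List[dict], ips: Set[str]) -> List[dict]:
    """Keep events whose src_ip or dest_ip is in the host set, as snhostfilter does."""
    return [e for e in events if e.get("src_ip") in ips or e.get("dest_ip") in ips]


def hostname_table(hosts: List[dict]) -> Dict[str, str]:
    """ip -> hostname, the forward direction of snhostlookup."""
    return {h["ip"]: h["hostname"] for h in hosts if h.get("hostname")}


def alerts_by_hostname(events: List[dict], hosts: List[dict], field: str = "dest_ip") -> Counter:
    """lookup snhostlookup ip as dest_ip | stats count by hostname (unresolved IPs dropped)."""
    table = hostname_table(hosts)
    return Counter(table[e[field]] for e in events if e.get(field) in table)


if __name__ == "__main__":
    print(top_http_servers(HOSTS, "internet"))
    print(agents_not_matching(HOSTS, "curl*"))
    print(alerts_by_hostname(filter_events(ALERTS, host_set(HOSTS, 443)), HOSTS))
```

Two details worth noticing: a host that only ever presented curl (10.0.0.5) drops out of the "not curl" result entirely, which is what a negated wildcard on a multivalued field gives you, and alerts whose destination has no host-ID entry (198.51.100.3 here) silently vanish from a stats count by hostname, so a count of zero for a host may mean "no alerts" or "no hostname collected yet".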
The Scirius Threat Radar inside SSP generates events of type stamus, which are high-fidelity events produced from signatures or custom algorithms. These events are also mapped to the cyber kill chain to identify the phase of the attack.
Get threats by network and use snthreatfilter to resolve threat_id:
event_type="stamus" | eval Network = if('stamus.asset_net_info' == "", "Unknown", 'stamus.asset_net_info') | snthreatfilter | stats dc(stamus.asset) as Assets by Network, threat_name
You can also look up the Threat Family information via the snthreatfamilylookup:
event_type="stamus" | lookup snthreatfamilylookup family_id as stamus.family_id | top family_name
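The two searches above enrich stamus events in two steps: snthreatfilter resolves stamus.threat_id to a threat name, then stats counts distinct assets per network and threat, with an empty asset_net_info folded into "Unknown"; snthreatfamilylookup does the same kind of resolution for family_id. The block below is an added example, not the app's or Stamus Networks' code, that reproduces that pipeline over constructed events and a constructed threat catalogue. The catalogue contents, the event layout and the choice to drop events with an unknown threat_id are assumptions made for the example.

```python
# Added example, not the app's code: threat_id and family_id resolution plus the
# distinct-asset count per network and threat, over constructed stamus events.
# Catalogue entries and the event layout are invented for the example.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

THREAT_CATALOG = {  # constructed: threat_id -> name and kill chain phase
    101: {"threat_name": "Beaconing to known C2", "family_id": 7, "kill_chain": "Command and Control"},
    102: {"threat_name": "Admin share access from workstation", "family_id": 8, "kill_chain": "Lateral Movement"},
}
FAMILY_CATALOG = {7: "Command and Control Malware", 8: "Lateral Movement Tools"}  # constructed

EVENTS = [  # constructed events; the last one is not a stamus event and must be ignored
    {"event_type": "stamus", "stamus": {"threat_id": 101, "asset": "10.0.0.5", "asset_net_info": "internet", "family_id": 7}},
    {"event_type": "stamus", "stamus": {"threat_id": 101, "asset": "10.0.0.6", "asset_net_info": "internet", "family_id": 7}},
    {"event_type": "stamus", "stamus": {"threat_id": 101, "asset": "10.0.0.5", "asset_net_info": "internet", "family_id": 7}},
    {"event_type": "stamus", "stamus": {"threat_id": 102, "asset": "10.0.0.8", "asset_net_info": "", "family_id": 8}},
    {"event_type": "stamus", "stamus": {"threat_id": 999, "asset": "10.0.0.9", "asset_net_info": "lan", "family_id": 8}},
    {"event_type": "alert", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.5"},
]


def stamus_events(events: List[dict]) -> List[dict]:
    """event_type="stamus": everything else is left to the other dashboards."""
    return [e for e in events if e.get("event_type") == "stamus"]


def network_of(event: dict) -> str:
    """eval Network = if('stamus.asset_net_info' == "", "Unknown", 'stamus.asset_net_info')."""
    return event["stamus"].get("asset_net_info") or "Unknown"


def resolve_threats(events: List[dict], catalog: Dict[int, dict]) -> List[dict]:
    """snthreatfilter as modelled here: copy each stamus event and add threat_name and kill_chain.

    Events whose threat_id is not in the catalogue are dropped (assumption: the
    command filters rather than passing unresolved ids through)."""
    resolved = []
    for event in stamus_events(events):
        entry = catalog.get(event["stamus"].get("threat_id"))
        if entry is None:
            continue
        enriched = dict(event)
        enriched["stamus"] = dict(event["stamus"], threat_name=entry["threat_name"], kill_chain=entry["kill_chain"])
        resolved.append(enriched)
    return resolved


def assets_by_network_and_threat(resolved: List[dict]) -> Dict[Tuple[str, str], int]:
    """stats dc(stamus.asset) as Assets by Network, threat_name."""
    assets = defaultdict(set)
    for event in resolved:
        assets[(network_of(event), event["stamus"]["threat_name"])].add(event["stamus"]["asset"])
    return {key: len(ips) for key, ips in assets.items()}


def top_families(events: List[dict], families: Dict[int, str]) -> List[Tuple[str, int]]:
    """lookup snthreatfamilylookup family_id as stamus.family_id | top family_name."""
    counter = Counter(families[e["stamus"]["family_id"]] for e in stamus_events(events)
                      if e["stamus"].get("family_id") in families)
    return counter.most_common()


if __name__ == "__main__":
    resolved = resolve_threats(EVENTS, THREAT_CATALOG)
    for (network, threat), n in assets_by_network_and_threat(resolved).items():
        print(f"{network:10} {threat:40} assets={n}")
    print(top_families(EVENTS, FAMILY_CATALOG))
```

The distinct count matters for triage: 10.0.0.5 beacons three times in the sample but is one asset, so the dashboard reports two affected assets in internet for that threat rather than three events. The empty asset_net_info on the admin share event lands under "Unknown", which is usually a sign that the host has no network definition in SSP yet rather than an absence of data.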
- New setting to define index to use for all requests
- Fix for some REST API calls
- Improve Suricata IDS and NSM dashboards
- Better probe admin dashboard
- Better drilldown
This release introduces:
- 2 new anomaly dashboards based on NSM and host ID data for Scirius Security Platform.
- 1 anomaly dashboard based on NSM data for Suricata sensors.
- Add drilldown to dashboards
- Minor display fixes in dashboards
- Add compatibility with Splunk 7.x
- Better navigation
- Update colors
- Fix admin dashboard for multiple probes
- CIM 4.x compatibility
- Add a keys option to snhostfilter for easy cross-source filtering
- Rename all commands with an sn prefix for better completion
- Performance optimizations of dashboards
- Improve IDS dashboards
- Fix timestamp pickers in Suricata admin Dashboard
Fix errors and warnings found by the application checker.
Initial release.
Features:
- dashboards for Suricata and Scirius Security Platform from Stamus Networks
- hostidsearch: search host identification entries in Scirius Security Platform
- hostidfilter: filter a query on hosts matching a request made against host identification entries
- stamusthreatfilter: resolve a Stamus threat id to a Stamus threat name
- hostidlookup: resolve IP to hostname and the reverse using host identification data