Please refer to the embedded documentation in the app folder:
$SPLUNK_HOME/etc/apps/SA-Splice/appserver/static/documentation.pdf
SPLICE relies on MongoDB to store the ingested IOCs and the extracted atomic indicators. You will need to set up a MongoDB instance somewhere in your environment in order for SPLICE to work (use the regular MongoDB installation process). Ideally, you would install this MongoDB instance on the Splunk Search Head, but you could alternatively install it elsewhere.
If you are planning on upgrading from a previous version of SPLICE to v1.3.x, please read the SPLICE documentation before installation. Among other things, you should disable your currently installed version of SPLICE and possibly migrate your customizations after you install the new version.
SPLICE does not impact your Splunk license: it relies on the collect command, which works only on already indexed data (see Automating IOC searches for details).
The Modular Input "IOC - Mount point monitor" allows monitoring of directories for incoming IOCs. Those directories can be local directories or mount points with at least read-only permissions. This Modular Input will monitor .ioc and .xml files (case insensitive).
Once a new file is detected, or an existing file has been modified, the file is read and stored in MongoDB in its original form (collection "raw"). The stored IOC is marked as "to be parsed" so that the atomic indicators can be extracted from it.
Please note that the name you use for the data input will be the name that is used for the IOC Sources dashboard to compare your different sources of IOCs.
TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.
TAXII is the preferred method of exchanging information represented using the Structured Threat Information Expression (STIX) language, enabling organizations to share structured cyber threat information in a secure and automated manner.
The Indicator Search form can be used to search for the existence of indicators within SPLICE. The form searches the saved indicators within MongoDB. The search takes the form of a regular expression, along with an option to ignore case. You may click the results to view the IOC in the IOC Viewer form.
The IOC Viewer allows you to view your stored IOCs. To retrieve an IOC, you may use any of the following fields: IOC ID (ioc_id), Indicator ID (indicator_id), SPLICE Indicator ID (indicator_raw_id) and SPLICE IOC ID (ioc_raw_id). Besides seeing the raw IOC text, you can also view IOC key-value pairs.
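The extraction step described above (a stored .ioc file is parsed into atomic indicators, each tied to an ioc_id and indicator_id), as an added example that is not SPLICE's own code: it assumes the OpenIOC 1.0 XML schema that .ioc files use, and the sample document, its ids, hash and names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# OpenIOC 1.0 namespace. Assumption: SPLICE's own extraction code is not on the page;
# this is an independent illustration of the "parse" step it describes.
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC: an OR group with a nested AND, plus one item with blank Content.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="11111111-2222-3333-4444-555555555555">
  <definition>
    <Indicator operator="OR" id="aaaa-0001">
      <IndicatorItem id="bbbb-0001" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="aaaa-0002">
        <IndicatorItem id="bbbb-0002" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">bad.example.invalid</Content>
        </IndicatorItem>
        <IndicatorItem id="bbbb-0003" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">   </Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def extract_atomic_indicators(xml_text):
    """Flatten every IndicatorItem into one record tagged with the enclosing ioc_id."""
    root = ET.fromstring(xml_text)
    ioc_id = root.get("id")
    atoms = []

    def walk(group):
        # Nested AND/OR groups are walked recursively; each atomic value is kept on its own.
        for item in group.findall("ioc:IndicatorItem", NS):
            ctx = item.find("ioc:Context", NS)
            content = item.find("ioc:Content", NS)
            value = (content.text or "").strip() if content is not None else ""
            if ctx is None or not value:
                continue  # skip malformed items instead of failing the whole IOC
            atoms.append({"ioc_id": ioc_id, "indicator_id": item.get("id"),
                          "search": ctx.get("search"), "condition": item.get("condition"),
                          "type": content.get("type"), "value": value})
        for nested in group.findall("ioc:Indicator", NS):
            walk(nested)

    definition = root.find("ioc:definition", NS)
    for top in (definition.findall("ioc:Indicator", NS) if definition is not None else []):
        walk(top)
    return atoms
```

The records returned carry the same ioc_id and indicator_id that the IOC Viewer uses to retrieve an IOC, so they can be stored alongside the raw document.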
SPLICE provides the following set of commands:
SPLICE v1.3.5 - 2015/03/30 - Feature
- iocfilter command: new flag addTime
SPLICE v1.3.4 - 2015/02/15 - Fixes
- IOC Consumption dashboards: StartTag error
SPLICE v1.3.3 - 2015/02/10 - Fixes
- iocdisplay documentation fixes
- iocdisplay command fixes
SPLICE v1.3.2 - 2015/02/04 - Feature Enhancements
SPLICE v1.3.1 - 2015/02/03 - Feature Enhancements
- iocs_detected_sum_index has been created and utilized through SPLICE to allow users to easily change the summary index for detected iocs
- iocs_detected IOC full sweep workflow to search for historical hits to detected iocs
- Top Detected Indicator Types dashboard panel
- EmailMessageObjectType
- AddressObjectType with e-mail type coverage
- URIObject no longer requires the field 'type' and assumes 'URL' as default value
SPLICE v1.2.1 - 2014/12/20 - Maintenance release
SPLICE v1.2.0 - 2014/11/17 - Feature Enhancements
- iocfilter command: new parameter displaydisabled
- Indicator Search: new drop-down choice
- iocsearch command modified to exclude deactivated indicators
- ioctoggle to change the state of indicators
- iocsearch command now supports a generic hash type hash
- ioc_default_search_hash, ioc_default_search_ipv4-addr and ioc_default_search_ipv6-addr scheduled searches changed from src to src_ip and dest to dest_ip
SPLICE v1.1 - 2014/10/08 - Public release
SPLICE v1.0 - 2014/09/01 - Restricted access release
Created by Splunk Security Practice