Overview

Details

SPLICE currently supports STIX 1.1, CybOX 2.1, OpenIOC 1.0 and 1.1 formats and provides a way of consuming IOCs in Splunk to leverage the indicators and provide greater context than common threat feeds. SPLICE can monitor local directories, or mount points, for incoming IOCs as well as TAXII feeds like Soltra Edge to periodically poll IOCs.

SPLICE was developed as a proof of concept and relies on a standalone Mongo DB to store the indicators. While SPLICE remains free to use it will probably no more evolve as Splunk Enterprise Security 3.3 now has the same capabilities and also leverage the usage of the KV Store.

Splunk Enterprise Security: https://splunkbase.splunk.com/app/263/

Please refer to the embedded documentation in the app folder:
$SPLUNK_HOME/etc/apps/SA-Splice/appserver/static/documentation.pdf

Installing SPLICE

SPLICE relies on MongoDB to store the ingested IOCs and the extracted atomic indicators. You will need to setup a MongoDB instance somewhere in your environment in order for SPLICE to work (use the regular MongoDB installation process). Ideally, you would install this MongoDB instance on the Splunk Search Head but you could alternatively install it elsewhere.

Upgrading to v1.3

If you are planning on upgrading from a previous version of SPLICE to the v1.3.x, please read the SPLICE documentation before installation. Among other things, you should disable your currently installed version of SPLICE and also possibly migrate your customizations after you install the new version.

Splunk license impact

SPLICE does not impact your Splunk license:

IOCs are stored directly in MongoDB (out of the scope of Splunk licensing)
Matching events are stored using the collect command which works only on already indexed data (see Automating IOC searches for details)
SPLICE is a free app.

Data Inputs - Mount point monitor

The Modular Input "IOC - Mount point monitor" allows monitoring of directories for incoming IOCs. Those directories can be local directories or mount points with at least read-only permissions. This Modular Input will monitor .ioc and .xml files (case insensitive).

Once a new file is detected, or an existing file has been modified, the file is read and stored in the MongoDB in its original form (collection "raw"). The stored IOC is marked as "to be parsed" in order to extract from it the atomic indicators.

Please note that the name you use for the data input will be the name that is used for the IOC Sources dashboard to compare your different sources of IOCs.

Data Inputs - TAXII Feeds

TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.

TAXII is the preferred method of exchanging information represented using the Structured Threat Information Expression (STIX) language, enabling organizations to share structured cyber threat information in a secure and automated manner.

SPLICE Form - Indicator Search

The Indicator Search form can be used to search for the existence of indicators within SPLICE. The form is searching for the saved indicators within MongoDB. The search comes in the form of a regular expression along with an option to ignore case. You may click the results to view the IOC in the IOC Viewer form.

SPLICE Form - IOC Viewer

The IOC Viewer allows you to view your stored IOCs. To retrieve an IOC, you may use any of the following fields: IOC ID (ioc_id), Indicator ID (indicator_id), SPLICE Indicator ID (indicator_raw_id) and SPLICE IOC ID (ioc_raw_id). Besides seeing the raw IOC text, you can also view IOC key-value pairs.

SPLICE Commands

SPLICE provides the following set of commands :

iocsearch : search IOC atomic indicators across your data.
iocstats : used by SPLICE dashboards to extract simple statistics out of the MongoDB.
iocfilter : evaluate chosen PCRE/regex across the stored atomic indicators
iocexportcsv : export the stored atomic indicators in a CSV file.
iocdisplay : retrieve chosen IOCs by their IDs and display them (useful to see the course of actions, the campaign, the actors, etc)

History

SPLICE v1.3.5 - 2015/03/30 - Feature
- iocfilter command new flag addTime
SPLICE v1.3.4 - 2015/02/15 - Fixes
- Fixed log messages for TAXII inputs to populate IOC Consumption dashboards
- Explained how to capture problematic IOCs for the StartTag error
SPLICE v1.3.3 - 2015/02/10 - Fixes
- iocdisplay documentation fixes
- iocdisplay command fixes
SPLICE v1.3.2 - 2015/02/04 - Feature Enhancements
- Improved STIX EmailMessage parser
- Improved STIX FileObject parser (now support Fuzzy Hashes)
SPLICE v1.3.1 - 2015/02/03 - Feature Enhancements
- Splunk Enterprise Security (ES) Integration
  - App directory name changed from "splice" to "SA-Splice"
  - Two ES Correlation Searches created:
    - Endpoint - Multiple Hosts Related to the Same IOC - Rule
    - Endpoint - Multiple IOCs related to one host - Rule
  - Default Scheduled Searches are now configured to not show as triggered alerts when matches are found (this can be re-enabled manually)
- The macro iocs_detected_sum_index has been created and utilized through SPLICE to allow users to easily change the summary index for detected iocs
- Changed the default summary index value for detected iocs to iocs_detected
- Pre-configured TAXII feeds for hailataxii.com have been added
- Added relevant CIM-related eventtypes to ioc matches
- Added relevant CIM-related tags to ioc matches
- Added IOC full sweep workflow to search for historical hits to detected iocs
- Fix of time parameters for Top Detected Indicator Types dashboard panel
- Fix of sort command that sometimes limited total returned ioc matches
- Added STIX parser for EmailMessageObjectType
- Fixed a typo in STIX parser for AddressObjectTye
- Enhanced STIX parser AddressObjectType with e-mail type coverage.
- Parser for URIObject no more requires the field 'type' and assume 'URL' as default value.
SPLICE v1.2.1 - 2014/12/20 - Maintenance release
- Fix update_taxii_last_timestamp_label() - thanks to CERT Australia for the patch!
SPLICE v1.2.0 - 2014/11/17 - Feature Enhancements
- STIX/CybOX parser externalization
- New OpenIOC parsing logic (compatible with OpenIOC v1.0 and v1.1)
- OpenIOC parser externalization
- Core code reorganization
- python-libtaxii upgraded to 1.1.104 (was: 1.1.102)
- python-stix upgraded to 1.1.1.2 (was: 1.1.1.0)
- python-cybox upgraded 2.1.0.8 (was: 2.1.0.6)
- Dashboard menus renamed (backend only)
- Documentation updates
- Ability to (de)activate atomic indicators
  - iocfilter command new parameter displaydisabled
  - Form Indicator Search new drop-down choice
  - iocsearch command modified to exclude deactivated indicators
  - new command ioctoggle to change the state of indicators
- TAXII dual authentication support with pem/key cert files
- [fix] wrong timezone used for the TAXII feeds
- iocsearch command now supports a generic hash type hash
  - The previous individual scheduled hash searches were replaced with a scheduled universal hash search called ioc_default_search_hash
  - CIM mapping for the ioc_default_search_ipv4-addr and ioc_default_search_ipv6-addr scheduled searches changed from src to src_ip and dest to dest_ip
SPLICE v1.1 - 2014/10/08 - Public release
- bug fixes
- new features
SPLICE v1.0 - 2014/09/01 - Restricted access release
- intial release