リスクリストの管理

リスクリストの概要

Risk lists can be used to correlate and enrich events. For each element in the risk list (ex an IP number, a URL or a hash) there is a risk score and information about why the score has been set.

対応関係

Any risklist that is configured is downloaded to the Splunk server and processed locally. Part of the information is inserted into the Threat Intelligence framework that is part of Splunk Enterprise Security. The framework maintains lists of Indicators of Compromise (IOCs) from external sources (such as Recorded Future).

If an event matches an entry of the appropriate list it is flagged for possible further action. Examples of further action are correlation searches such as "Threat Activity Detected" rule. Events matching this rule will be highlighted as Notable events in Splunk Enterprise Security.

エンリッチメント

Any downloaded risklist is also stored as a lookup table. Recorded Future's Add-on for Spunk Enterprise Security has pre-configured save searches that will look at notable events and create new notable events for any event where additional data is available. The new event will contain additional information such as the Recorded Future Risk Score and details of why this risk has been assigned to the IOC.

Default risklists

既定では、アプリは 4 つの既定のリスク リストが事前に構成された状態で出荷されます。

  • IP番号
  • ドメイン名
  • URL (英語)
  • ハッシュ

If you have Fusion access it's possible to define and read additional risk lists.

Manage risklists

Navigate to Configuration->Inputs. This will show you all configured inputs (both risk lists and alert monitoring). Clicking on the >-sign will expose additional information about the list.

Default Risklists

Under the Actions drop-down it's possible to enable/disable a list, delete, clone or edit it.

Add or modify risklists downloads

To create additional risk list, click on the green "Create New Input" button and select Recorded Future risk list.

Add Risklist

意味 コメント
名前 Risk list name within the Splunk instance. The lookup file will be named <name>.csv.</name>  
The list will be checked for updates after this many seconds. This should be set to 300. This specifies how often the list is checked. Updates only occur if the list has been updated.
インデックス The modular input produces statistics when running. Set the index where these will be stored. Make sure to select an index with correct role assignments - leave to main/default if you are unsure.
リスク・リスト・カテゴリー リスク・リストにデータがある要素の種類を選択します。 IP、ドメイン、ハッシュ、脆弱性、または URL
Fusion ファイル The path to the Fusion risk list. If the list is to used as a lookup the Fusion Flow must be defined to produce an uncompressed csv file. Must correspond to a defined Fusion file. If this field is left blank the default risk list for the category will be used.

新しいリスクリストが設定されると、そのリスクリストがダウンロードされ、Splunkの脅威インテリジェンスフレームワークで利用できるようになります。 通常、これは数分で行われます。 完了すると、リスクリストは疑わしいIOCの検出に使用されます。

ただし、エンリッチメントを有効にするには、新しい相関検索が必要です。

  1. [設定]-[>Seaches、レポート、アラート]に移動します
  2. 「Type: All」と「App: Recorded Future Add-on for Splunk ES」を選択します。
  3. Locate "Threat - RF IP Threatlist Search - Rule" (or corresponding Domain, Hash or URL depending on what type of risklist it is).
  4. 「編集」ドロップダウンメニューで、「クローン」を選択します。
  5. Change the "New Title" field to something sensible, ex "Threat - RF IP My Custom Threatlist Search - Rule".
  6. 説明の変更を検討してください。
  7. [アクセス許可] が [複製] に設定されていることを確認します。
  8. [設定]-[>Seaches、レポート、アラート]に移動します
  9. 「Type: All」と「App: Recorded Future Add-on for Splunk ES」を選択します。
  10. 新しく作成した検索をクリックします。
  11. 検索を変更します。
    1. Change the first parameter of the macro (ex rf_ip_risklist) to the name of the new risklist.
  12. セーブ