SIR Observables

02-20-2020 09:13 AM
Hello,
I am trying to find a way to have the Observables tab/field be auto-populated with information that is imported into the Description field. As it stands, we get numerous alerts imported into SIRs with the Description field populated with a lot of information. What I am trying to do is get this IOC/observable information auto-populated into the Observables tab so workflows will get fired off.
Exploring this, I found that if I add information into the IOC Scratchpad tab, this will automatically populate the Observables tab, thus firing off the workflows. Is there a way I can automate this? Meaning when information is imported from Splunk into the Description field such as: dest_ip, src_ip, can this information be auto-populated into the IOC Scratchpad so it will get populated into the Observables tab? Or circumvent the IOC Scratchpad entirely, because all I care about is getting the information that is in the Description field to get imported automatically into the Observables section.
I have found the Handle Deprecated Observable Fields business rule and was trying to see if that would solve my problem here.
Thank you,
Neil Mitchell
Labels: Security Incident Response

02-20-2020 11:15 AM
Hey there - great question.
You mentioned Splunk; are you by chance using the latest `Splunk Ingestion for Security Operations` app from the Splunk Store?
There are actually two flavors of apps for the integration, depending on your setup:
- Splunk Enterprise (core, as in Searching and Reporting)
- Splunk Enterprise Security (ES)
A great feature of the latest integration is that parsing out fields and configuring field mappings is relatively trivial.
You could initially approach / test this out by taking specific fields from your Splunk alert, and mapping them to the fields you mentioned like Source IP, Destination IP, etc into the target Security Incident.
This would be evaluated by the 'Handle Deprecated Observable Fields' Business Rule, and your artifacts would be mapped to Observables that are associated to the Security Incident. You bypass the need to use the scratchpad, and parse out the large text based Description field.
Here's an example of using the new field mapping setup:

02-20-2020 11:57 AM
Hi Andy,
Thank you for your reply. The 'Splunk Enterprise Event Ingestion for Security Operations' plugin looks exactly like what I need. I need the ability to map the fields in the description field when it comes over from Splunk (i.e., src_ip, dest_ip, etc.) to the Observables, and this looks exactly like what I need. I have already installed the plugin in my Dev instance and am working to get it configured now.

02-20-2020 01:08 PM
Sounds good.
I think you can avoid the exercise of parsing out the description field.
You can map the keys / fields directly as they come over for what you need, without having to parse through the Description.
This would be dependent on how data is normalized in Splunk, but here's one way you can "cheat" to force certain fields to be present in your triggered alerts:
- Leverage the "... | fields ..." command
- This way fields like Source IP, Dest IP are in your triggered alert as key:value pairs for you to consume when setting up your mapping for a given alert.

02-27-2020 07:55 AM
Hi Andy,
An additional question I have and wanted to see if you had some insight on. I have the plugin configured and working. I am now setting up the Splunk Event Profile. The issue is, when I get to the Alert Selection tab, the options in the 'Alert List' section only show Alerts that are in the 'Search & Reporting (search)' app. However, the Alerts I need are technically sitting in a different app (not a third party app but an app that the team created). This app is where our alerts are coming from in Splunk to ServiceNow.
Is there a way to bypass this issue? Should I be creating generic Alerts as you have above in the base 'Search & Reporting (search)' app? Instead of trying to map the individual alerts coming over from Splunk?
Thank you