Technical Add-on for ThreatDown in Splunk

The Technical Add-on for ThreatDown app is a prerequisite for all Nebula apps for Splunk. The app includes Common Information Model (CIM) compliant field extractions and predefined source types for multiple Nebula products making it compatible with all CIM based Splunk apps including Splunk Enterprise Security.

Download Technical Add-on from Splunkbase

1. Go to the Technical Add-on for ThreatDown page in Splunkbase.
2. Click on LOGIN TO DOWNLOAD.
3. Enter your Splunk user credentials.

Install Technical Add-on

Where you install Technical Add-on is based on your Splunk environment.

Splunk Enterprise Single Instance Environments

Install the Technical Add-on in the same location where the Splunk components, Search Tier, Indexer Tier, and Forwarder Tier are located. For instructions on installing add-on in a single instance environments, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

Splunk Enterprise Distributed Environments

Install the Technical Add-on app where your Search Tier, Indexer Tier, and Forwarder Tier are located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

Once the Technical Add-on is installed, you can now install the ThreatDown Visibility and Dashboards app, or Agentless Remediation app for your Splunk environment.

Configure Technical Add-on

Once installed, configure the Technical Add-on app in Splunk.

1. In Splunk, click Technical Add-on > Configuration.
2. In the Logging tab, set the preferred Log level.
3. Click the Add-on Settings tab and enter the following information:
   • To get your Cloud Console Account Id:
     • Cloud Console Account Id:
       • Log in to Nebula.
       • Copy the following string of characters found in the url.
         
       • In Splunk, paste the characters into the Cloud Console Account Id field.
     • Cloud Console Client Id and Cloud Console Client Secret:
       • To create Client ID and Client Secret, see Create OAuth2 credentials for Nebula.
4. Click Save.

Create Inputs for ThreatDown data

In the upper-left corner, click Inputs to configure your modular inputs into Splunk.

1. Click Create New Input and select an input to configure:
   
   • ThreatDown TA Endpoints Data: Configure this modular input in order to receive detailed data on each endpoint in Nebula. 
   • ThreatDown TA Endpoints Lite Data: Configure this modular input in order to receive general info that is aggregated about endpoints in Nebula.
   • ThreatDown TA Detections Data: Configure this modular input in order to receive data on Detections from Nebula.
   • ThreatDown TA SA Data 2: Configure this modular input in order to receive Suspicious Activity data from Nebula.
   • ThreatDown TA Audit Data: Configure this modular input in order to receive audit event data from Nebula.
   • ThreatDown TA Alerts: Configure this modular input in order to receive alerts from Nebula. 
   • ThreatDown TA Vulnerabilities Data: Configure this modular input in order to receive Vulnerability event data from Nebula. 
   • ThreatDown TA OS Patches Data: Configure this modular input in order to receive OS Patch event data from Nebula. 
   • ThreatDown TA Device Control Data: Configure this modular input in order to receive Device Control event data from Nebula. 
2. In the Name field, enter a unique name for the modular input.
3. In the Interval field, enter an interval time for how often you want Splunk to collect data. To avoid impacting Splunk server performance, we recommend interval times greater than 30 seconds.
4. In the Index drop-down, select your preferred index type.
5. Click Add. Repeat steps 1-5 for additional inputs. 

ThreatDown modular input action

The ThreatDown modular input action checks the details stored in Splunk’s internal key-value store.  Use these key values to generate technical add-on information and see the produced event examples for the following sources. Choose the index name based on your previously configured input settings.

• ThreatDown TA Endpoints Data
  • index = "*" sourcetype="mwb:ta_endpoints"
    • Produced event examples:
      

      req_hosts=desktop1 isolated_status=False suspicious_activity_status=False infected_status=False reboot_required_status=True scan_needed_status=True last_day_seen=2022-11-02T06:04:03.243683Z indicator=Offline last_user=user continent=EU country=Ireland subdivisions=Leinster city=Dublin group_name=main group policy_name=Desktop Policy os=Windows os_release_name=Microsoft Windows Server 2016 Standard update_available=False product_type=Endpoint Detection and Response machine_id=00000000-0000-0000-0000-000000000000 serial_number=0000-0000-0000-0000-0000-0000-00//data_end//

      total_count=4 isolated_count=0 scan_needed_count=1 infected_count=1 suspicious_count=0 reboot_requ

• ThreatDown TA Endpoints Lite Data
  • index = "*" sourcetype="mwb:ta_endpoints_lite"
    • Produced event example:

      total_count=4|infected=1|scan_needed=1|reboot_required=2|isolated=0|suspicious_count=0|update_available=0|group_name={"main group": 4}|policy_name={"Desktop Policy": 4}|protection_status={"protected": 3, "unprotected": 1, "scan_only": 0, "unknown": 0}|os={"windows": 3, "ios": 1, "android": 0, "linux": 0, "chromeos": 0, "macos": 0}|os_release_name={"microsoft windows 10 pro": 3, "microsoft windows server 2016 standard": 1}|indicator={"Online": 3, "Offline": 1}|product_type={"Incident Response": 1, "Endpoint Detection and Response": 3}|continent={"EU": 3, "NA": 1}|subdivisions={"Leinster": 3, "California": 1}|country={"United States": 1, "Ireland": 3}|city={"Dublin": 3, "San Francisco": 1}|last_day_seen={"0": 2, "1": 1, "7": 0, "30": 1}|

• ThreatDown TA Detections Data
  • index = "*" sourcetype="mwb:ta_detections"
    • Produced event example:

      scan_updated=2023-04-28T00:52:12Z scan_status=COMPLETED hostname=DESKTOP1.cork.lab host_ip=4.4.35.150 time_reported=2022-02-22T08:53:03.245410631Z threat_name=Spyware.PasswordStealer file_path=C:\ZOO\CHANGED\D4FFFEC8CE80EF9639E4ABF165EBB9C5-HASH-CHANGED threat_status=quarantined last_user=user threat_category=MALWARE type=file vendor_reference=https://blog.malwarebytes.com/?s=Spyware.PasswordStealer vendor=Malwarebytes Cloud Console scan_action=quarantined md5=CDC785A836EA94BBDE0FEB1A211AE4C9 mwb_detection_id=00000000-0000-0000-0000-000000000000

• ThreatDown TA SA Data 2
  • index = "*" sourcetype="mwb:ta_sa2"
    • Produced event example:

      detection_id=000000000 machine_id=00000000-0000-0000-0000-000000000000 machine_name=desktop1 level=3 status=detected last_user=user resolved=False os_type=Windows timestamp=2022-01-20T06:28:11.000Z all_tags=["shell binary copy"] paths=["/usr/bin/cp"] mitre_tactics=["(shell binary copy) Defense Evasion--TA0005"] mitre_techniques=["(TA0005) Masquerading--T1036"] //data_end/

• ThreatDown Audit Data
  • index = "*" sourcetype="mwb:ta_audit"
    • Produced event example:

      event_machine_name=desktop1 event_source_name=scan.threat event_type_name=threat.scan.success event_description=Threat Scan Success event_severity_name=information event_details={'message': 'Threat scan result received'} event_timestamp=2022-02-22T08:53:03.248046Z

• ThreatDown TA Alerts
  • index = "*" sourcetype="mwb:jobs"
    • Produced event example:

      job_id=00000000-0000-0000-0000-000000000000 machine_id=00000000-0000-0000-0000-000000000000 machine_name=desktop1 issued_by=John Scanner command=scan status=SENT issued_at=2022-09-15T23:16:46.738555797Z updated_at=2022-09-16T23:16:46.738555797Z details={"type":"ThreatScan", "remove":false}}//data_end//

• ThreatDown Vulnerabilities Data
  • index = "*" sourcetype="mwb:ta_vulnerabilities"
    • Produced event example:

      hostname=desktop1 machine_id=00000000-0000-0000-0000-000000000000 os_type=Workstation os_platform=Windows os_version=10.0.19042 os_release_name=Microsoft Windows 10 Pro cve_id=CVE-2022-35678 vendor=adobe product=Adobe Acrobat Reader DC Continuous description=CVE-2022-35678 installed_version=21.011.20039 severity=medium severity_score=47 published_at=1970-01-01T00:00:00Z created_at=2022-09-15T23:16:46.738555797Z timestamp=2022-09-15T23:16:46.738555797Z //data_end//

• ThreatDown OS Patches Data
  • index = "*" sourcetype="mwb:ta_patches"
    • Produced event example:

      hostname=desktop1 machine_id=00000000-0000-0000-0000-000000000000 os_type=Workstation os_platform=Windows os_version=10.0.19042 os_release_name=Microsoft Windows 10 Pro title=Feature update to Windows 10, version 21H2 description=Install the latest update for Windows 10: Windows 10, version 21H2. vendor=None category=upgrade severity=unknown patch_id=5017308 reboot_required=True size=unknown size_display=unknown released_at=2022-09-12T23:00:00Z created_at=2022-09-14T14:35:19.665722854Z timestamp=2022-09-14T14:35:19.665722854Z //data_end//

• ThreatDown TA Device Control Data
  • index = "*" sourcetype="mwb:ta_device_control"
    • Produced event example:

      hostname=desktop1 machine_id=00000000-0000-0000-0000-000000000000 os_type=Workstation os_platform=Windows os_version=10.0.19042 os_release_name=Microsoft Windows 10 Pro detection_id=00000000-0000-0000-0000-000000000000 threat_name=Device: USB SanDisk 3.2Gen1 USB Devie Volume Name: F: physical_disk_name=usb_stick device_id=00000000-0000-0000-0000-000000000000 disk_interface=USB manufacturer=SanDisk file_system=exFAT volume_name=F: serial_number=00000000-0000-0000-0000-000000000000 pnp_device_id=23123 block_status=read-only volume_device_path=\Device\HarddiskVolume5 scanned_at=2022-09-14T14:35:19.665722854Z reported_at=2022-09-14T14:35:19.665722854Z timestamp=2022-09-14T14:35:19.665722854Z //data_end//

Logging details for Technical Add-on

For ThreatDown data logs:

• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_audit_data.log
  
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_detections_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_endpoints_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_alerts_input.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_endpoints_lite_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_sa_data_2.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_vulnerabilities_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_os_patches_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_device_control_data.log

To setup the ThreatDown Visibility and Dashboard app for Splunk, see ThreatDown Visibility and Dashboards app for Splunk and Nebula.

Return to the Nebula integration with Splunk guide.