The ThreatDown Cloud Remediation app integrates Splunk with Nebula. This application works alongside the Technical Add-on and the Dashboards App, but neither has to be installed for the Cloud Remediation app to work.
With the Cloud Remediation app you can trigger and run alerts that execute the corresponding actions on Endpoints and/or Suspicious Activities in your environment.
Requirements
To run the Cloud Remediation app, you need:
- An active Splunk instance.
- User login credentials for Splunk.
- An active Nebula platform subscription.
- Nebula platform login credentials.
- Technical Add-on for Splunk installed. Refer to Install the Technical Add-on for Splunk for more information.
Download and install Cloud Remediation app
To download the Cloud Remediation app:
- Go to the Cloud Remediation page in Splunkbase.
- Click on LOGIN TO DOWNLOAD. If already logged into Splunkbase, click on DOWNLOAD.
- Enter your Splunk user credentials.
Install the Cloud Remediation app
The location where you install the Cloud Remediation app depends on how you have set up your Splunk environment. Splunk is set up as either a single instance or distributed environment.
Splunk Enterprise Single Instance Environments
Install the Cloud Remediation app in the same location as the Splunk components (Search Tier, Indexer Tier, and Forwarder Tier). For instructions on installing an add-on in a single-instance environment, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.
Splunk Enterprise Distributed Environments
Install the Cloud Remediation app where your Search Tier is located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.
Configure Cloud Remediation app
Once installed, configure the Cloud Remediation app in Splunk.
- In Splunk, select the ThreatDown Cloud Remediation App.
- In the Logging tab, set the preferred Log level.
- Click the Add-on Settings tab and enter the following information:
  - Cloud Console Account Id: Log in to Nebula, copy the account ID string found in the URL, and paste it into the Cloud Console Account Id field in Splunk.
  - Cloud Console Client Id and Cloud Console Client Secret: To create a Client ID and Client Secret, see Create OAuth2 credentials for Nebula.
- Click Save.
Initiate scans with alert action
The alert action follows the standard Adaptive Response Framework alert action. You send the hostnames of your endpoints to the alert action to issue threat scans. After an action is initiated, alert events are created and stored in the main index.
Events are pulled by the Technical Add-on and Dashboard app if the apps are installed and the Alerts Input is running.
To initiate a scan, go to Search and enter the following syntax in the Search field.
Usage:
- malwarebytes" sourcetype="mwb:mbcr" | (Write your own query here to filter the necessary hosts) | sendalert mbcr_alert param.hostname=hostmachine param.action=value
Arguments:
- param.hostname - A single endpoint hostname, or the location of a CSV file containing multiple hostnames.
- param.action - Possible values are:
  - scan - Scans and reports only.
  - remove - Scans and quarantines any suspicious item found.
  - isolate - Performs an isolation of the endpoint.
  - isolatedesktop - Performs a desktop isolation of the endpoint.
  - isolateprocess - Performs a process isolation of the endpoint.
  - isolatenetwork - Performs a network isolation of the endpoint.
  - deisolate - Performs a de-isolation of the endpoint.
Examples:
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=scan
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=remove
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolate
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolatedesktop
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolateprocess
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolatenetwork
- | makeresults | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=deisolate
Initiate Suspicious Activity actions with alert action
The Suspicious Activities (SA) alert action follows the standard Adaptive Response Framework alert action. Send the hostname of the endpoint, the suspicious activity detection ID, and the action name to perform actions on suspicious activities. After an action is performed, alert events are created and stored in the main index.
Events are pulled by the Technical Add-on and Dashboard app if the apps are installed and the Suspicious Activities Input is running.
Change the status of found suspicious activities using the following alert actions:
- Open: Considers the process as suspicious and will continue to trigger additional detections.
- Remediate: Treats the process as malicious and remediates the threat on the endpoint.
- Close: Closes the suspicious activity incident with no further action. Most likely used for a false positive.
We recommend using this alert action only through the Splunk Search bar.
Usage
- Open, Remediate, or Close:
  | makeresults | sendalert mbcr_alert_sa param.hostname=<machine_name> param.action=<action_name> param.detection_id=<detection_id>
Arguments
- param.hostname - The hostname of the endpoint where the suspicious activity originated. Used only with param.action open, remediate, or close.
- param.action - One of open, remediate, or close, as described above.
- param.detection_id - The detection ID of the suspicious activity. Used only with param.action open, remediate, or close.
Examples
The following are example Suspicious Activity actions you can use in the Splunk Search bar.
- | makeresults | sendalert mbcr_alert_sa param.hostname="HOSTNAME" param.action=remediate param.detection_id=123456789
- | makeresults | sendalert mbcr_alert_sa param.hostname="HOSTNAME" param.action=open param.detection_id=123456789
- | makeresults | sendalert mbcr_alert_sa param.hostname="HOSTNAME" param.action=close param.detection_id=123456789
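Both alert actions above take a hostname and an action name straight into an SPL pipeline, and in practice those values often come from an event field or a ticket rather than being typed by hand. The following added example (not part of the ThreatDown app; it assumes only the sendalert syntax and the action names shown on this page) builds the endpoint and Suspicious Activity invocations while rejecting anything that is not a plain hostname, a listed action, or a numeric detection ID, so a field value containing quotes or a pipe cannot alter the search. The CSV helper assumes one hostname in the first column of each row; the real CSV layout the app expects is not specified on this page.

```python
"""Build the sendalert invocations documented above from untrusted input.

Added example for this page, not code from the ThreatDown Cloud Remediation
app. Assumes only the syntax shown on the page:
  sendalert mbcr_alert    param.hostname=... param.action=...
  sendalert mbcr_alert_sa param.hostname=... param.action=... param.detection_id=...
"""
import csv
import io
import re

# Action names exactly as enumerated on this page.
ENDPOINT_ACTIONS = {"scan", "remove", "isolate", "isolatedesktop",
                    "isolateprocess", "isolatenetwork", "deisolate"}
SA_ACTIONS = {"open", "remediate", "close"}

# Hostnames: RFC 1123 labels joined by dots. Anything else (quotes, pipes,
# whitespace, $tokens$) is rejected rather than escaped, so a value lifted
# from an event field can never change the SPL pipeline it is placed in.
_HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_DETECTION_ID_RE = re.compile(r"^[0-9]+$")


def validate_hostname(hostname: str) -> str:
    if not _HOST_RE.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return hostname


def endpoint_action_spl(hostname: str, action: str) -> str:
    """SPL for the endpoint alert action (scan, remove, isolate*, deisolate)."""
    if action not in ENDPOINT_ACTIONS:
        raise ValueError(f"unknown endpoint action: {action!r}")
    host = validate_hostname(hostname)
    return (f'| makeresults | sendalert mbcr_alert '
            f'param.hostname="{host}" param.action={action}')


def sa_action_spl(hostname: str, action: str, detection_id: str) -> str:
    """SPL for the Suspicious Activity alert action (open, remediate, close)."""
    if action not in SA_ACTIONS:
        raise ValueError(f"unknown suspicious activity action: {action!r}")
    if not _DETECTION_ID_RE.match(str(detection_id)):
        raise ValueError(f"invalid detection id: {detection_id!r}")
    host = validate_hostname(hostname)
    return (f'| makeresults | sendalert mbcr_alert_sa '
            f'param.hostname="{host}" param.action={action} '
            f'param.detection_id={detection_id}')


def hostnames_from_csv(text: str) -> list:
    """Validate every hostname in a CSV (assumed: one host per row, first column)."""
    hosts = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        hosts.append(validate_hostname(row[0].strip()))
    return hosts


def is_rejected(fn, *args) -> bool:
    """True when the builder refuses the input (used for the checks below)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input, not from any real environment.
    for host in hostnames_from_csv("ws-0042\nsrv-db-01.corp.example\n\n"):
        print(endpoint_action_spl(host, "scan"))
    print(sa_action_spl("ws-0042", "remediate", "123456789"))
    print("injection rejected:",
          is_rejected(endpoint_action_spl, 'ws-0042" | delete', "scan"))
```

Wire the builder between whatever produces the host list (a Splunk saved search export, a SOAR playbook) and the search you submit; the same allow-listing is what you should expect from the alert action itself, but validating before submission means a rejected value never reaches a search head with isolation rights.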
Schedule a scan with alert action
To set up a scheduled scan using the Cloud Remediation alert action, follow these steps.
- Go to Search and, in the Search bar, filter the hostnames using your own Splunk query.
- After the search runs, click Save As and select Alert.
- In the Edit Alert menu, enter the following information:
  - Alert: Enter an alert name.
  - Cron Expression: Set the time at which to initiate your scan.
  - Trigger Conditions: Enter a number threshold to trigger the alert, for example "Trigger an alert when the number of results is greater than 0."
  - Action drop-down: Choose the scan/action type.
  - Hostname: Enter $result.<your_variable_name>$, where <your_variable_name> is the field that contains the hostnames (for example $result.dvchost$ if that field is dvchost).
- Click Save.
- To confirm your scan initiates as expected, log in to the Nebula platform and view the Tasks tab.
View scan Status in Splunk
Click Cloud Remediation from your app dashboards to see the endpoints' scan and action Status.
The scan Status types are:
- COMPLETED
- PENDING
- STARTED
- FAILED
- TIMED_OUT
- EXPIRED
The Action types are:
- Scan
- Quarantine
- Isolate
- Isolate_Network
- Isolate_Process
- Isolate_Desktop
- Deisolate
Examples of alerts:
- job_id=00000000-0000-0000-0000-000000000000 machine_id=00000000-0000-0000-0000-000000000000 type=job_detections timestamp=2022-09-16T23:16:46.738555797Z
- detection_id=00000000 machine_id=00000000-0000-0000-0000-000000000000 type=sa_alert command=remediate timestamp=2022-09-16T23:16:46.738555797Z
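The alert events above are flat key=value lines, which is convenient for searching but easy to mis-read when a field is missing or garbled. The following added example (not part of the app; it assumes only the two event shapes shown above, type=job_detections and type=sa_alert, and that the timestamp is RFC 3339 with a Z suffix) parses such events, checks the fields each type must carry, and groups them per machine_id so you can see which jobs and which remediate/open/close commands were issued for an endpoint. The sample events are constructed from the page's format, with one extra machine ID added for illustration.

```python
"""Parse and sanity-check Cloud Remediation alert events from the main index.

Added example, not code from the ThreatDown Cloud Remediation app. Assumes
only the two event shapes shown on this page (type=job_detections and
type=sa_alert) written as space-separated key=value pairs.
"""
import re
import uuid

_REQUIRED = {
    "job_detections": {"job_id", "machine_id", "timestamp"},
    "sa_alert": {"detection_id", "machine_id", "command", "timestamp"},
}
_UUID_FIELDS = ("job_id", "machine_id")
# RFC 3339 UTC timestamp with optional fractional seconds (the page shows 9 digits).
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# key=value, where value is either double-quoted or a run of non-spaces.
_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_alert_event(raw: str) -> dict:
    """Return the event's fields, or raise ValueError if the event is malformed."""
    fields = {k: v.strip('"') for k, v in _PAIR_RE.findall(raw)}
    kind = fields.get("type")
    if kind not in _REQUIRED:
        raise ValueError(f"unknown or missing event type: {kind!r}")
    missing = _REQUIRED[kind] - set(fields)
    if missing:
        raise ValueError(f"{kind} event missing {sorted(missing)}")
    for name in _UUID_FIELDS:
        if name in fields:
            uuid.UUID(fields[name])  # raises ValueError on a non-UUID value
    if not _TS_RE.match(fields["timestamp"]):
        raise ValueError(f"bad timestamp: {fields['timestamp']!r}")
    return fields


def summarize(raw_events) -> dict:
    """Group detection jobs and SA commands per machine_id."""
    summary = {}
    for raw in raw_events:
        ev = parse_alert_event(raw)
        entry = summary.setdefault(ev["machine_id"], {"jobs": [], "commands": []})
        if ev["type"] == "job_detections":
            entry["jobs"].append(ev["job_id"])
        else:
            entry["commands"].append((ev["command"], ev["detection_id"]))
    return summary


def is_malformed(raw: str) -> bool:
    try:
        parse_alert_event(raw)
    except ValueError:
        return True
    return False


# Constructed sample events in the page's format (the third is made up).
SAMPLE_EVENTS = [
    "job_id=00000000-0000-0000-0000-000000000000 machine_id=00000000-0000-0000-0000-000000000000 type=job_detections timestamp=2022-09-16T23:16:46.738555797Z",
    "detection_id=00000000 machine_id=00000000-0000-0000-0000-000000000000 type=sa_alert command=remediate timestamp=2022-09-16T23:16:46.738555797Z",
    "detection_id=987654321 machine_id=11111111-1111-1111-1111-111111111111 type=sa_alert command=close timestamp=2022-09-17T08:00:00Z",
]
BAD_EVENT = "detection_id=1 machine_id=not-a-uuid type=sa_alert command=open timestamp=2022-09-17T08:00:00Z"

if __name__ == "__main__":
    for machine, entry in summarize(SAMPLE_EVENTS).items():
        print(machine, entry)
    print("malformed rejected:", is_malformed(BAD_EVENT))
```

Feed it the raw events returned by a search over the main index (for example via the Splunk SDK or the REST search endpoint); a malformed event raises rather than being silently dropped, which is the behaviour you want when these lines are the audit trail for isolation and remediation commands.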
Modular input action
The modular input action checks the progress of initiated scans using the details the alert action stores in Splunk's internal key-value store. For every initiated scan, the modular input updates the real-time progress in the Technical Add-on. Once a scan has finished, the modular input updates the Cloud Remediation dashboard with the new threat findings.
After alert actions run, the resulting events are pulled by the Technical Add-on if it is installed; the Alerts and Suspicious Activities inputs must also be running.
To check Cloud Remediation events, enter one of the following in the New Search bar:
- malwarebytes" sourcetype="mwb:mbcr"
- malwarebytes" sourcetype="mwb:mbcr_summary"
- malwarebytes" sourcetype="mwb_audit"
Errors in Cloud Remediation
The following errors are viewable in the Cloud Remediation app:
- Code 3: Invalid API credentials. Check that the credentials entered in the app are correct, or review the log files.
- Code 4: Action rejected by the API. Verify that the hostname and action name parameters are correct.
- Code 5: Unexpected error. Review the logs or contact support.
Logging details for Cloud Remediation
The scan status logs for the alert actions are found in the following locations:
- $SPLUNK_HOME/var/log/splunk/mbcr_alert_modalert.log
- $SPLUNK_HOME/var/log/splunk/mbcr_alert_sa_modalert.log
Return to the Nebula integration with Splunk guide.