Anomali Reports App (For Splunk) Quick Start Guide Version: 1.0 November 23, 2016




Anomali Reports App (For Splunk)

Quick Start Guide
Version: 1.0

November 23, 2016

Copyright Notice

© 2016 Anomali, Inc. All rights reserved.

ThreatStream is a registered service mark. Optic, Anomali Harmony, and Anomali Reports are registered trademarks.

All other brands, products, and company names used herein may be trademarks of their respective owners.

Support

Support Portal https://support.anomali.com

Email [email protected]

Phone +1 844-4-THREATS

Twitter @anomali

Documentation Updates

Date        Product Version  Description
11/23/2016  1.0              A new guide for Anomali Reports App 1.0.

Anomali ThreatStream Anomali Reports App (1.0) Page 2 of 19

CONTENTS

Chapter 1: Introduction 5
  Who Should Download This App? 5

Chapter 2: Installing the Anomali Reports App 7
  System Requirements 7
  Prerequisites 7
  Downloading and Installing Anomali Reports App 8
  Setting Up the Anomali Reports App 8
  Modifying Source Types 12
  Rerunning Anomali Reports App Setup 12
  Uninstalling Anomali Reports App 12

Chapter 3: Using the Anomali Reports App 13
  Using the Anomali Reports App — In a Nutshell 13
  Bulletins 16
  Triaging an Event 17
  Registering for ThreatStream Intelligence 19



Chapter 1: Introduction

The Anomali Reports App for Splunk leverages threat intelligence from Anomali's ThreatStream platform to identify potential threats and breaches in your event data in Splunk. Your data is matched against Anomali's vast database of threat intelligence in the ThreatStream cloud. Your data is also matched against threat intelligence downloaded locally to the app in threat Bulletins curated by the Anomali Labs team. You can scan your data against these threat Bulletins and view a scan report. If the scan report shows no matches, none of the indicators of compromise in those Bulletins were seen in the scanned data. When matches are found, either against intelligence in the ThreatStream cloud or in locally downloaded threat Bulletins, you can triage the matched events and take remedial actions.

About Anomali's ThreatStream Platform

Anomali's ThreatStream platform continuously gathers, categorizes, and risk-ranks threat intelligence and delivers this intelligence to the Anomali Reports App. The intelligence is based on common industry-accepted Indicators of Compromise (IOC) such as source and destination IP addresses, email addresses, domains, URLs, and so on, but is enriched with factors such as risk score to add context and relevance to the delivered information.

Who Should Download This App?

You should download this app if:

• You have a Splunk system deployed that gathers any type of network and system data.

• You want to leverage the latest threat intelligence to identify potential threats in your network.

• You want to know how well your firewall and other network defenses are holding up—not only according to the threats of yesterday but the known threats of today.

• You want an easy-to-scan report that provides insights into what is in your network and system log data, such as “Were known indicators of compromise seen in your network?”, “Were there attempts to exfiltrate data from any systems behind your firewall?”, “Did any of your systems (behind the firewall) make connections to C&C servers?”

• You want to match your local events against Anomali's vast threat intelligence database to identify breaches.


Chapter 2: Installing the Anomali Reports App

This chapter describes how to install the Anomali Reports App. The following topics are discussed here:

System Requirements 7

Prerequisites 7

Downloading and Installing Anomali Reports App 8

Setting Up the Anomali Reports App 8

Modifying Source Types 12

Rerunning Anomali Reports App Setup 12

Uninstalling Anomali Reports App 12

The Anomali Reports App is packaged as a standard Splunk application for use on a Splunk search head.

System Requirements

Anomali Reports App installation is supported with Splunk versions 6.3.x and 6.4.x running on a Linux (64-bit) or Windows (64-bit or 32-bit) platform.

Prerequisites

• By default, the Anomali Reports App is pre-bundled with a set of threat indicators that allow you to experience the app without signing up to receive the latest threat intelligence from ThreatStream. However, you will get the most out of the app if you leverage the latest threat intelligence from ThreatStream. To receive threat intelligence from ThreatStream, you must create an account on Anomali Reports. You can create an Anomali Reports account from the App Setup page of your Anomali Reports App.

• Ensure that your firewall is configured to allow communication with https://reports-api.anomali.com/api/v1/ and https://reports.anomali.com on TCP port 443.


Downloading and Installing Anomali Reports App

Follow these steps to download and install the Anomali Reports App:

1. Download the Anomali Reports App from Splunkbase to your Splunk server.

2. Click Apps in the upper left corner.

3. Select Manage Apps from the drop-down menu.

4. Click Install app from file.

5. Click Choose File and browse to the installation file.

6. Click Upload to start the installation, as shown in the example figure below.

7. Restart the Splunk server.

Setting Up the Anomali Reports App

After installing the Anomali Reports App, you need to configure the following settings to complete its setup.


To set up the Anomali Reports App:

1. Review the settings on the Setup page.

2. Either accept the default values or change them to suit your needs, as described in "Setup Page" below.

3. Click Save to finish configuring these settings.

Setup Page

The following is the default setup page:

Account Information

You must have an account on the Anomali Reports portal to download the latest threat Bulletins.

If you already have an account on Anomali Reports, enter your User Name and API Key in the Anomali Reports Profile Information section. To retrieve your API key for Anomali Reports, log in to the Anomali Reports portal at https://reports.anomali.com. Retrieve your API key from the Profile Settings page, as shown in the following figure.


If you do not have an account on Anomali Reports, check "I do not have an account on Anomali Reports", as shown in the following figure. Doing so prompts you to enter profile information so that an account can be created for you. After you click Save at the bottom of the Setup page, an account is created for you on the Anomali Reports portal and the User Name and API Key fields are automatically populated with the information pertinent to your user account. You will receive a confirmation email from Anomali Reports upon successful account creation.


Proxy Settings

If your Splunk server needs to use a proxy server to connect to external websites, click Enable Proxy and enter the proxy settings.

Proxy Settings (Optional)

Proxy Host
Hostname or IP address of the proxy server, if the system on which Anomali Reports App is configured needs to use a proxy server to communicate with external websites.

Proxy Port
Port on which the proxy server listens for connections.

Proxy Username
User name that Anomali Reports App should use to connect to the proxy server.

Proxy Password
Password for the user name you entered.

Confirm Password
Re-enter the password.

Modifying Source Types

The Anomali Reports App ships with a large set of predefined source types. However, if you don't see your source type listed, you can add it.

To view and modify the list of predefined source types:

1. Click Settings > Data Models.

2. Locate the ThreatStream Optic model in the list and click it.

The Constraints list shows the currently configured source types.

3. If you want to add a new source type, edit the Constraints list.

Rerunning Anomali Reports App Setup

If you need to rerun the setup for your Anomali Reports App, click Help > Rerun Setup in the top menu of the app.

Uninstalling Anomali Reports App

To uninstall any version of the Anomali Reports App:

1. Delete the anomali_reports folder from the following directories:

$SPLUNK_HOME/etc/apps

$SPLUNK_HOME/etc/users/admin

$SPLUNK_HOME/etc/users/splunk-system-user

2. Restart your Splunk instance.


Chapter 3: Using the Anomali Reports App

This chapter describes how to use the Anomali Reports App and how its various components work.

Using the Anomali Reports App— In a Nutshell 13

Bulletins 16

Triaging an Event 17

Registering for ThreatStream Intelligence 19

Using the Anomali Reports App — In a Nutshell

Once you have installed and configured the Anomali Reports App, your event log summaries in Splunk are uploaded to ThreatStream and matched against Anomali's vast database of threat intelligence. Additionally, threat intelligence is downloaded to the app in the form of Bulletins. Bulletins are documents that contain information about the latest indicators, breaches, and known threats on ThreatStream.


The latest Bulletin is displayed under the Overview tab. The number of indicators of compromise (IOCs) in each Bulletin is stated at the top of the Bulletin. For example, the above Bulletin has 260 associated IOCs. The Top Tags, Threat Types, and IOC Types charts give you a visual understanding of the types of intelligence contained in this Bulletin. To learn more about Bulletins, see "Bulletins" on page 16.

You can run a scan on the last 24 hours of Splunk data against the indicators in any Bulletin by clicking the Scan Now button.

If none of the indicators in the Bulletin match the events in your Splunk instance, the Scan Summary section indicates it with a green check mark. This means none of the indicators contained in the Bulletin were seen in the scanned events.

However, if a match is found, it is reported in the Scan Summary of the Bulletin, as shown in this example.


You can drill down to specific events that matched by clicking the "Event Triage" link in the Scan Summary section of the Bulletin. All event matches—from the cloud and against the intelligence downloaded locally in Bulletins—are reported in a merged view in the Event Triage dashboard.

Note: All events start out in the New stage. After drilling into the details of the event, you can Acknowledge the event or mark it False Positive (if the event is benign and the indicator should not have matched it). When you Acknowledge an event, it stops displaying in the Event Triage table. However, if you re-run a scan on the Bulletin and this event matches the indicators in the Bulletin, the event will be displayed once again in the Event Triage table. When you mark an indicator False Positive, the indicator is not matched against the events any longer, even if you re-run the Bulletin scan.

If you want to further drill down on the event, click on the field of the event you are interested in; for example, click a value in the Victim column. In the example above, we clicked on 10.12.34.56 to drill down further.

You can review the details of the event further and decide on corrective actions for the system that was impacted, as well as on how to strengthen your defenses against the indicator.


You can also drill down on an indicator to view its details by clicking the indicator value.

Bulletins

Bulletins are documents that contain late-breaking news about breaches, threats, and newly discovered indicators. Bulletins provide you a one-stop location to learn about the latest happenings in the cyber security world. These Bulletins are vetted by Anomali Labs to ensure that you receive the highest-priority information in a timely manner. The indicators in the Bulletin are scanned against your Splunk data to identify any potential threats in your environment. The Associated IOCs—the number of indicators of compromise (IOCs) in each Bulletin—are stated at the top of each Bulletin. For example, the Bulletin example at the beginning of this chapter has 103 associated IOCs.


Generally, Bulletins are published weekly; however, if there is breaking news in the cyber security world, a Breaking News Bulletin is pushed outside of the weekly cadence.

The latest Bulletin is available under the Overview tab, as described in "Using the Anomali Reports App — In a Nutshell" on page 13. In addition, all downloaded Bulletins are stored in the Bulletin library, accessible from the Bulletins menu item of your Anomali Reports App. Every 30 minutes, indicators in all of the Bulletins in the Bulletin library are matched against the last 24 hours of events on Splunk. If no matches are found, the Scan Results column displays a green check mark, indicating that none of the indicators in the associated Bulletin matched any events on your Splunk instance. However, if matches are found, the number of matching events is reported in this column, as shown in the following figure.

Click the green check mark or the orange triangle in the Scan Results column to view the details of the scan. The Scan Summary section displays results from the last scan. If any indicators match the events, you can click the Event Triage link in the Scan Summary section to view the details of those events in the Event Triage tab. If you want to run the scan on the most recent 24 hours of data ($NOW-24 hours), click the Scan Now button at the top of the Bulletin, as shown in the following figure.

Triaging an Event

When an event matches against indicators from the ThreatStream cloud or locally from a Bulletin, you may want to take further action on it. For example, you may want to:


• View details of the event

• Acknowledge it and view its details later

• Mark the indicator False Positive because the indicator is considered benign for your environment

  For example, the indicator refers to a domain that you know is safe for your network traffic to connect to.

To triage a matching event:

1. Click Event Triage from the Scan Summary section of the Scan Report.

The Event Triage tab is displayed with all the events that matched the Bulletin scan.

2. If you want to further drill down on the event, click on the field of the event you are interested in; for example, click a value in the Victim column.

In the example above, we clicked on 10.12.34.56 to drill down.

3. View the details of the event further by clicking the icon.


4. At this point, go back to the Event Triage page and take the following actions:

   - Decide on a course of corrective actions on the system that was impacted and strengthen your defenses against the indicator.

   - Acknowledge the event before or after taking the previous action, or mark the event False Positive.

     Acknowledging the event stops it from displaying in the Event Triage table. However, if you re-run a scan on the Bulletin and this event matches the indicators in the Bulletin, the event will be displayed once again in the Event Triage table.

     Mark an indicator False Positive if the event is benign and the indicator should not have matched it. The indicator is not matched against the events any longer, even if you re-run the Bulletin scan.
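The following Python sketch is an added example, not Anomali's code, that models the scan and triage behaviour described in this chapter and in the note under "Using the Anomali Reports App — In a Nutshell": Bulletin indicators are matched against event fields, an Acknowledged event drops out of the Event Triage table until the next scan re-surfaces it, and an indicator marked False Positive never matches again. The indicators, events and source types are constructed sample data.

```python
# Added example (not Anomali's code): the Bulletin scan / Event Triage cycle this guide describes.
import re

# Constructed sample Bulletin: indicators of compromise (IOCs) by type (documentation-only values).
BULLETIN_IOCS = {"ip": {"203.0.113.45", "198.51.100.7"},
                 "domain": {"updates.example-cdn.invalid"},
                 "email": {"billing@invoice.example.invalid"}}

# Constructed sample events shaped like firewall, proxy and mail log records.
SAMPLE_EVENTS = [
    {"id": 1, "sourcetype": "pan:traffic", "src": "10.12.34.56", "dest": "203.0.113.45"},
    {"id": 2, "sourcetype": "squid", "src": "10.12.34.57", "url": "http://updates.example-cdn.invalid/x"},
    {"id": 3, "sourcetype": "sendmail", "sender": "billing@invoice.example.invalid", "rcpt": "bob@corp.invalid"},
]

class TriageState:
    def __init__(self):
        self.acknowledged = set()    # event ids hidden from the Event Triage table
        self.false_positive = set()  # indicator values that must never match again

def indicators_in_event(event):
    """(type, value) pairs of Bulletin indicators present in the event's field values.
    Boundary checks stop 198.51.100.7 from matching inside 198.51.100.70."""
    text = " ".join(str(v) for k, v in event.items() if k not in ("id", "sourcetype"))
    return [(t, v) for t, vals in BULLETIN_IOCS.items() for v in sorted(vals)
            if re.search(r"(?<![\w.])" + re.escape(v) + r"(?![\w.])", text)]

def scan(events, state):
    """Bulletin scan: a rescan re-surfaces acknowledged events; False Positive indicators never match."""
    state.acknowledged.clear()
    matches = []
    for event in events:
        hits = [(t, v) for t, v in indicators_in_event(event) if v not in state.false_positive]
        if hits:
            matches.append({"id": event["id"], "sourcetype": event["sourcetype"], "indicators": hits})
    return matches

def triage_table(matches, state):
    """Event Triage view: acknowledged events and False Positive-only matches drop out."""
    return [m for m in matches if m["id"] not in state.acknowledged
            and any(v not in state.false_positive for _, v in m["indicators"])]

def demo():
    state = TriageState()
    first = scan(SAMPLE_EVENTS, state)                           # events 1, 2, 3 match
    state.acknowledged.add(1)                                    # analyst acknowledges event 1
    state.false_positive.add("billing@invoice.example.invalid")  # sender is a known-good vendor
    visible = triage_table(first, state)                         # only event 2 stays visible
    second = scan(SAMPLE_EVENTS, state)                          # rescan: 1 returns, 3 stays gone
    return [m["id"] for m in first], [m["id"] for m in visible], [m["id"] for m in second]
```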

Registering for ThreatStream Intelligence

Threat intelligence from ThreatStream is delivered in the form of threat Bulletins, as described in "Bulletins" on page 16. To receive threat Bulletins, you must set up your Splunk server as described in "Setup Page" on page 9. Once you have the Setup page configured, your Anomali Reports App will start receiving threat intelligence from ThreatStream.
