Symantec™ Integrated Cyber Defense Exchange SOC View App and TA for Splunk Installation and Configuration Guide

September 2019


Documentation version: 1.3

Legal Notice

Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering, and subject to an applicable end user license agreement with Symantec. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. If you have not obtained a license to use the product from Symantec under an applicable end user license agreement, you do not have authorization to use the product or any product documentation, including this document.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses.

Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation

350 Ellis Street

Mountain View, CA 94043

https://www.symantec.com


Contents

I. Introduction
II. Installing and Configuring the SOC View App and TA for Splunk
    Standalone Splunk Deployment
        About the Installation
        Configuring the SOC View App and TA for Splunk
    Distributed or Cluster Splunk Deployment
        Indexer Installation and Configuration
        Heavy Forwarder Installation and Configuration
        SH Installation and Configuration
III. Configuring the Forwarder in ICDx
IV. Uninstalling the SOC View App and TA for Splunk
    Disabling the App and TA
    Uninstalling the App and TA
        Uninstalling from a Standalone Environment
        Uninstalling from a Cluster or Distributed Environment
V. Dashboard Panels
    Overview Dashboard
    File Overview Dashboard
    URL Overview Dashboard
    Threat Overview Dashboard
    URL Investigation Dashboard
    File Investigation Dashboard
    Endpoint Investigation Dashboard
    Threat Investigation Dashboard
VI. Splunk Knowledge Objects
    Index
    Source Types
    Macros
    Data Models
    CIM Mapping
    Lookups
    Eventtypes.conf
    Props.conf and Transforms.conf
    Tags.conf
VII. Troubleshooting
    Dashboards Are Not Populating
    Data Is Not Coming in to Splunk
    New Features of the App Are Not Visible After Upgrading

Introduction

The Symantec SOC View App for Splunk gives Security Operations Analysts a cohesive view of the security posture of their network. The App provides business intelligence on Symantec Integrated Cyber Defense Exchange (ICDx) data, which combines the data of multiple Symantec products deployed in your network.

The Technology Add-on (TA) maps and extracts the attributes of the ICDx event types. The extractions include mappings to Common Information Model (CIM) data models. The extracted fields populate the panels of the dashboards in the SOC View App.

This document provides the overall specifications for the SOC View App and TA for Splunk built for Symantec, Inc. It contains details for installing, configuring, and troubleshooting the App and TA.

The SOC View App and TA are supported on the following versions of Splunk:

• 7.0.x
• 7.1.x
• 7.2.1

The SOC View App and TA are supported with ICDx versions 1.2.x, 1.3.0, and 1.3.1.

Installing and Configuring the SOC View App and TA for Splunk

Standalone Splunk Deployment

If you have a standalone Splunk deployment, install the App and TA on the single Splunk instance, configure the HTTP Event Collector (HEC), and configure the HEC token value in Symantec ICDx so that ICDx starts forwarding data to Splunk.

About the Installation

This section provides the steps to install the App and TA. If you install the SOC View App for Splunk, you must install the TA as well, because the TA extracts the fields that the SOC View needs.

On a standalone Splunk installation, the App and TA can be installed either:

• Through the Splunk user interface from Manage Apps.
• By extracting the compressed file (TA-symantec_soc_view-Sxx-x.x.x-x.tar.gz) into the $SPLUNK_HOME/etc/apps folder and restarting Splunk.

Configuring the SOC View App and TA for Splunk

HEC Configuration

Configure the HTTP Event Collector (HEC) in Splunk as follows.

To configure the HEC

1. Go to Splunk Settings > Data Inputs.
2. Go to HTTP Event Collector > Global Settings > Edit Global Settings.
3. In the Edit Global Settings window, next to All Tokens, click Enabled.
4. Click Save.
5. Click New Token.
6. In the Name field, type a relevant name.
7. Click Next.
8. In the Source type section, in the Select Source Type drop-down list, select icdx. If you want to use a different source type, see Source Types.
9. Go to the Index section, and then create a new index with the name symc_events. If you want to use a different index, see Index.
10. Click Review.
11. Click Submit.
12. Copy the token value. The token is a bearer credential: anyone who holds it can write events into the index, so store and transmit it as you would a password.

App Configuration

Next you must enable Data Model acceleration.

To enable Splunk Data Models

1. Install the App and TA, either through the Splunk user interface from Manage Apps or by extracting the compressed file (TA-symantec_soc_view-Sxx-x.x.x-x.tar.gz) into the $SPLUNK_HOME/etc/apps folder and restarting Splunk (see About the Installation).
2. Go to Splunk Settings > Data Models.
3. Edit the Symantec ICDx data model.
4. Click Edit Acceleration.
5. Check Accelerate.
6. In the Summary Range section, select 3 months.
7. Click Save.

Distributed or Cluster Splunk Deployment

[Architectural diagram of the distributed environment not reproduced here.]

If you are deploying the Symantec SOC View App for Splunk on a distributed setup, the following changes are needed on each type of node:

Splunk Indexer Cluster
• Install only the TA on all of the indexers.
• Create the index that the HEC token writes to.

Splunk Heavy Forwarder
• Install only the TA on the forwarder.
• Configure the HEC collector.

Splunk Search-Head Cluster
• Install the SOC View App for Splunk and the TA (TA Symantec SOC View).
• Enable Data Model acceleration.

Indexer Installation and Configuration

Installation: Install only the TA on all of the indexers.

Configuration: Create an index called symc_events. If you want to use a different index, see Index.

Heavy Forwarder Installation and Configuration

Installation: Install the TA on the forwarder.

Configuration: Configure the HEC on the Heavy Forwarder with the same steps as for a standalone deployment.

To configure the HEC

1. Go to Splunk Settings > Data Inputs.
2. Go to HTTP Event Collector > Global Settings > Edit Global Settings.
3. In the Edit Global Settings window, next to All Tokens, click Enabled.
4. Click Save.
5. Click New Token.
6. In the Name field, type a relevant name.
7. Click Next.
8. In the Source type section, in the Select Source Type drop-down list, select icdx. If you want to use a different source type, see Source Types.
9. Go to the Index section, and then create a new index with the name symc_events. If you want to use a different index, see Index.
10. Click Review.
11. Click Submit.
12. Copy the token value.

SH Installation and Configuration

Installation: You need to install both the App and the TA on the SHs.

You can install the App and TA either:

• Through the Splunk user interface from Manage Apps.
• By extracting the compressed file (TA-symantec_soc_view-Sxx-x.x.x-x.tar.gz) into the $SPLUNK_HOME/etc/apps folder and restarting Splunk.

If you use SH clustering, install the App and TA through the deployer.

Configuration:

To configure the SH

1. Enable Data Model acceleration and rebuild the data model.
2. The following additional step is required to make sure that the macro files are distributed to the search peers:

   • Single SH in a distributed environment: create a file named distsearch.conf in $SPLUNK_HOME/etc/apps/TA-symantec_soc_view/default and restart the SH. The contents of the file are as follows:

     [replicationSettings:refineConf]
     replicate.macros = true

     [replicationWhitelist]
     allConf = apps/TA-symantec_soc_view/default/*.conf

   • SH cluster in a distributed environment: create a file named distsearch.conf in $SPLUNK_HOME/etc/shcluster/apps/TA-symantec_soc_view/default on the deployer and push the bundle through the SH deployer to all SHs in the cluster. The contents of the file are the same:

     [replicationSettings:refineConf]
     replicate.macros = true

     [replicationWhitelist]
     allConf = apps/TA-symantec_soc_view/default/*.conf

Configuring the Forwarder in ICDx

Configure the forwarder in ICDx so that it sends events to the Splunk HEC.

To configure the forwarder in ICDx

1. In ICDx, go to Configuration > Forwarder.
2. Add a Splunk HEC Forwarder.
3. Enter Name, Host, and Port.
   • In a standalone deployment, the host is the IP address of the standalone Splunk machine.
   • In a cluster or distributed environment, the host is the IP address of the Heavy Forwarder machine.
4. Enter the Token Value that was created in Splunk HEC.
5. Click Show Advanced. If you are using the recommended App configuration, next to Index, type symc_events, and next to Source Type, type icdx. If you used a different index and source type when creating the HEC token, type those settings instead.

NOTE: If you need to use a custom index, see Index under Splunk Knowledge Objects, and select that custom index when you create the HEC token.
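The HEC token created in HEC Configuration and the forwarder settings in this section have to agree with each other. The following is an added example, not code from Symantec or Splunk: it renders the inputs.conf and indexes.conf stanzas equivalent to the HEC click-through, restricts the token to the symc_events index, and builds the HEC request that the ICDx Splunk HEC Forwarder sends, with index and source type in the event envelope (which is why the ICDx-side values take priority over the token defaults). The input name icdx, the host hf.example.internal, the placeholder token and the sample event are assumptions made for the example.

```python
"""Added example for the HEC token and ICDx forwarder setup (not Symantec or Splunk
code). Renders the conf-file equivalent of the HEC click-through and builds the
request ICDx's Splunk HEC forwarder sends. Names marked 'assumed' are not from the guide."""
import json
import ssl
import urllib.request

HEC_INPUT_NAME = "icdx"          # assumed: the token name typed in step 6
INDEX = "symc_events"            # index recommended by the guide
SOURCETYPE = "icdx"              # source type recommended by the guide


def render_inputs_conf(token, index=INDEX, sourcetype=SOURCETYPE, port=8088):
    """inputs.conf equivalent of Settings > Data Inputs > HTTP Event Collector.
    enableSSL=1 keeps the token off the wire in clear text; 'indexes' is the
    allow-list of indexes this token may write to, so a leaked token cannot be
    used to write into any other index on the indexer tier."""
    lines = [
        "[http]",
        "disabled = 0",
        "enableSSL = 1",
        f"port = {port}",
        "",
        f"[http://{HEC_INPUT_NAME}]",
        "disabled = 0",
        f"token = {token}",
        f"index = {index}",          # default index when the event names none
        f"indexes = {index}",        # indexes the token is permitted to target
        f"sourcetype = {sourcetype}",
    ]
    return "\n".join(lines) + "\n"


def render_indexes_conf(index=INDEX):
    """indexes.conf stanza for the index the guide says to create before data
    starts flowing (on the indexers in a distributed deployment)."""
    return "\n".join([
        f"[{index}]",
        f"homePath = $SPLUNK_DB/{index}/db",
        f"coldPath = $SPLUNK_DB/{index}/colddb",
        f"thawedPath = $SPLUNK_DB/{index}/thaweddb",
    ]) + "\n"


def build_hec_request(host, token, event, index=INDEX, sourcetype=SOURCETYPE, port=8088):
    """Request as the ICDx Splunk HEC forwarder sends it. HEC takes index and
    sourcetype from the JSON envelope when present and falls back to the token's
    defaults, which is the priority rule the guide describes for the ICDx settings."""
    url = f"https://{host}:{port}/services/collector/event"
    headers = {
        "Authorization": f"Splunk {token}",   # bearer-style: the token is the secret
        "Content-Type": "application/json",
    }
    body = json.dumps({"index": index, "sourcetype": sourcetype, "event": event})
    return url, headers, body


def send_event(host, token, event, cafile=None):
    """Post one event and return HEC's JSON response. Pass the CA file that signed
    the HEC certificate instead of disabling certificate verification."""
    url, headers, body = build_hec_request(host, token, event)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    TOKEN = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real token
    print(render_inputs_conf(TOKEN))
    print(render_indexes_conf())
    # Constructed ICDx-style event; category_id 1 is Security in the data model table.
    sample = {"category_id": 1, "type_id": 8035, "message": "constructed sample event"}
    url, headers, body = build_hec_request("hf.example.internal", TOKEN, sample)
    print(url, headers["Authorization"], body)
    # Live check (needs network): send_event("hf.example.internal", TOKEN, sample, cafile="ca.pem")
```

A successful post returns {"text":"Success","code":0}. An event whose envelope names an index outside the token's indexes list is refused by HEC, which is the failure to look for when the index typed under Show Advanced in ICDx differs from the one the token was created with.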

Uninstalling the SOC View App and TA for Splunk

The SOC View App and TA can be either disabled or completely uninstalled, as required.

Disabling the App and TA

To disable the App and TA

1. Log in to Splunk as an Administrator.
2. Click the App name in the title bar, and then click Manage Apps.
3. In the search box, type the name of the app, and then click Search.
4. In the Status column, next to both the App and the TA, click Disable.

Uninstalling the App and TA

Follow the instructions for your environment.

Uninstalling from a Standalone Environment

To uninstall from a standalone environment

1. Disable the App and TA from the Splunk user interface as described in Disabling the App and TA.
2. Log in to the Splunk machine from the back end and delete the App and TA folders. An app and its directory are typically located in $SPLUNK_HOME/etc/apps/<appname>.
3. Verify that no local configuration files related to the SOC View App or TA remain in the $SPLUNK_HOME/etc/system and $SPLUNK_HOME/etc/users folders. If such a local folder is present, remove it as well.
4. Restart Splunk.

Uninstalling from a Cluster or Distributed Environment

In a cluster or distributed environment, the SOC View App is installed on all of the Search Heads, and the SOC View TA is installed on the Search Heads, the Heavy Forwarder, and the Indexers, as described in Installing and Configuring the SOC View App and TA for Splunk.

The steps to uninstall the App and TA are the same as those in Uninstalling from a Standalone Environment.

To perform any installation or uninstallation step on all search heads of a search head cluster, use the deployer.

On the deployer, go to $SPLUNK_HOME/etc/shcluster/apps, remove the App and TA folders, and then push the bundle with the apply shcluster-bundle command. For details, see https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/PropagateSHCconfigurationchanges

Dashboard Panels

The App provides the following dashboards (screenshots are not reproduced here):

• Overview Dashboard
• File Overview Dashboard
• URL Overview Dashboard
• Threat Overview Dashboard
• URL Investigation Dashboard
• File Investigation Dashboard
• Endpoint Investigation Dashboard
• Threat Investigation Dashboard

Splunk Knowledge Objects

Index

The SOC View App for Splunk populates its panels from the index that was defined when the data was indexed into Splunk; data is indexed into the index that was selected when the HEC token was created. All of the panels are populated through a macro whose definition contains the predefined index symc_events. It is recommended that you use the same index when configuring the HEC token. You must also create the index before starting data collection.

If you want to use an index other than symc_events, you must make changes in the following places:

1. Use the new index name when creating the HEC token, or update the token if it already exists.
2. Copy the stanza named icdx_get_index from the macros.conf file in the default directory to the local directory (the macro is defined in the TA; see Macros) and update the index value accordingly.
3. Change the search constraint of the App data model, replacing the existing index name with the new index name. Rebuild the data model afterwards.

NOTE: Although it is recommended that you use the same index name in the HEC token and in the Splunk forwarder in ICDx, the two can differ. In that case the ICDx-defined index takes priority and data is indexed into that index in Splunk.

Source Types

Source types are default Splunk fields that categorize and filter the indexed data to narrow down search results. All of the panels are populated through a macro whose definition contains the predefined sourcetype icdx. All field extractions in the props.conf and eventtypes.conf files are also written against icdx as the sourcetype. It is recommended that you use the same source type when configuring the HEC token.

If you want to use a source type other than the default, you must make changes in the following places:

1. Use the new source type name when creating the HEC token, or update the token if it already exists.
2. Copy the stanza named icdx_get_index from the macros.conf file in the default directory to the local directory (the macro is defined in the TA; see Macros) and update the sourcetype value accordingly.
3. Change the search constraint of the App data model, replacing the existing source type name with the new source type name. Rebuild the data model afterwards.
4. Change the sourcetype stanza in the props.conf file and restart Splunk.

NOTE: Although it is recommended that you use the same source type in the HEC token and in the Splunk forwarder in ICDx, the two can differ. In that case the ICDx-defined source type takes priority and data is indexed with that source type in Splunk.
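The Index and Source Types sections above name three places that must agree before any panel can populate: the HEC token (inputs.conf), the ICDx forwarder's advanced settings, and the icdx_get_index macro (macros.conf). The following is an added example, not part of the TA or App, that parses the two conf files and reports where they disagree, including the case where the token's indexes allow-list would make HEC refuse the events outright. It assumes the macro definition has the form index="..." sourcetype="..." (the guide says only that the macro contains the index and source type); the conf text and forwarder settings it checks are constructed for the example.

```python
"""Added consistency check for the index/source type settings (not Symantec code).
Parses inputs.conf (HEC token) and macros.conf (icdx_get_index) and compares them
with the ICDx forwarder's advanced settings, which take priority over the token."""
import configparser
import re

# Constructed sample files for the example; the form of the macro definition is assumed.
MACROS_CONF = """
[icdx_get_index]
definition = index="symc_events" sourcetype="icdx"
"""

INPUTS_CONF = """
[http://icdx]
token = 00000000-0000-0000-0000-000000000000
index = symc_events
indexes = symc_events
sourcetype = icdx
"""

# ICDx Configuration > Forwarder > Show Advanced values (constructed).
ICDX_FORWARDER_OK = {"index": "symc_events", "sourcetype": "icdx"}
ICDX_FORWARDER_BAD = {"index": "main", "sourcetype": "icdx"}


def _parse_conf(text):
    # Splunk .conf files are INI-like; '=' is the only key/value delimiter Splunk uses.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def macro_index_sourcetype(macros_conf_text, macro="icdx_get_index"):
    """Return (index, sourcetype) named in the macro definition, None for a missing
    one. Works whether or not the definition quotes the values."""
    definition = _parse_conf(macros_conf_text)[macro]["definition"]
    idx = re.search(r'\bindex\s*=\s*"?([\w-]+)"?', definition)
    st = re.search(r'\bsourcetype\s*=\s*"?([\w:.-]+)"?', definition)
    return (idx.group(1) if idx else None, st.group(1) if st else None)


def hec_token_settings(inputs_conf_text, stanza):
    """The token's default index/sourcetype and the indexes it is allowed to write to."""
    sec = _parse_conf(inputs_conf_text)[stanza]
    allowed = [i.strip() for i in sec.get("indexes", "").split(",") if i.strip()]
    return {"index": sec.get("index"), "sourcetype": sec.get("sourcetype"), "indexes": allowed}


def find_mismatches(macros_conf_text, inputs_conf_text, hec_stanza, icdx_forwarder):
    """List of human-readable problems; an empty list means the macro will find the data."""
    problems = []
    macro_index, macro_st = macro_index_sourcetype(macros_conf_text)
    token = hec_token_settings(inputs_conf_text, hec_stanza)
    # The ICDx-side values win over the token defaults when both are set.
    effective_index = icdx_forwarder.get("index") or token["index"]
    effective_st = icdx_forwarder.get("sourcetype") or token["sourcetype"]
    if token["indexes"] and effective_index not in token["indexes"]:
        problems.append(
            f"token may only write to {token['indexes']} but ICDx targets "
            f"{effective_index!r}; HEC will refuse the events")
    if effective_index != macro_index:
        problems.append(
            f"events land in index {effective_index!r} but icdx_get_index searches {macro_index!r}")
    if effective_st != macro_st:
        problems.append(
            f"events get sourcetype {effective_st!r} but icdx_get_index searches {macro_st!r}")
    return problems


if __name__ == "__main__":
    for name, fwd in (("ok", ICDX_FORWARDER_OK), ("bad", ICDX_FORWARDER_BAD)):
        print(name, find_mismatches(MACROS_CONF, INPUTS_CONF, "http://icdx", fwd) or "consistent")
```

Run it against the real files ($SPLUNK_HOME/etc/apps/TA-symantec_soc_view/local/macros.conf, or default/macros.conf if no override exists, and the inputs.conf of the instance that hosts the HEC) before rebuilding the data model; a mismatch here is the usual reason the dashboards stay empty even though the HEC accepts data.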

Macros

Three macros are used in the TA and App:

• icdx_get_index: Implemented in the TA. This macro contains the sourcetype and index of the ICDx data and is used in various dashboard queries and in eventtypes for CIM mapping.
• summaries_only: Implemented in the App. This macro is used in the saved search ICDx_SOC_View_get_product_name to get the names of the products from which event data is being ingested; the related lookup file is updated with them.
• search_by_addinfo: Implemented in the App. This macro is used in dashboard queries where multi-select filters are used to search by product name.

All of the visualizations in the SOC View App for Splunk reference the TA's icdx_get_index macro, which is how the App learns which index the data is indexed into.

• The macros defined in the App relate to saved searches.
• The macros defined in the TA are used for eventtypes and dashboard queries.

By default, the index is symc_events and the sourcetype is icdx. If you changed the default index and sourcetype values, you must make the same changes in the macro. Go to Settings > Advanced Search > Search Macros to change this.

Data Models

The App has a data model called Symantec ICDx. In this data model, child nodes inherit all of the fields of their parents and also have their own extracted fields. As long as the various Symantec products normalize their data to the ICDx schema, the data model picks the data up and populates the dashboards accordingly. All dashboards are therefore built on data model queries, and the App does not need updating each time support for another product is added to ICDx.

This integration is largely agnostic to which products ICDx supports. The App will include more use cases and dashboards for monitoring as more internal and external user feedback becomes available.

The data model hierarchy (root, parents, children) and the constraint search of each node are as follows:

Symantec ICDx (root): index="symc_events" AND sourcetype="icdx"

  Security: index="symc_events" AND sourcetype="icdx" category_id=1
    Network: index="symc_events" AND sourcetype="icdx" category_id=1 icdx_type_id=8037 OR icdx_type_id=8040 OR icdx_type_id=8050
    File: index="symc_events" AND sourcetype="icdx" category_id=1 icdx_type_id=8031 OR icdx_type_id=8046 OR icdx_type_id=8028 OR icdx_type_id=8021 OR icdx_type_id=8034
    Email: index="symc_events" AND sourcetype="icdx" category_id=1 icdx_type_id=8035 OR icdx_type_id=8036

  License: index="symc_events" AND sourcetype="icdx" category_id=2

  Application Activity: index="symc_events" AND sourcetype="icdx" category_id=3

  Audit: index="symc_events" AND sourcetype="icdx" category_id=4

  System Activity: index="symc_events" AND sourcetype="icdx" category_id=5
    Network: index="symc_events" AND sourcetype="icdx" category_id=5 icdx_type_id=8007 OR icdx_type_id=8010 OR icdx_type_id=8014
    File: index="symc_events" AND sourcetype="icdx" category_id=5 icdx_type_id=8012 OR icdx_type_id=8004 OR icdx_type_id=8003 OR icdx_type_id=8002

  Diagnostic: index="symc_events" AND sourcetype="icdx" category_id=6

  Evidence of Compromise (EoC): index="symc_events" AND sourcetype="icdx" category_id=7
    Network: index="symc_events" AND sourcetype="icdx" category_id=7 icdx_type_id=8087 OR icdx_type_id=8107
    File: index="symc_events" AND sourcetype="icdx" category_id=7 icdx_type_id=8084 OR icdx_type_id=8083 OR icdx_type_id=8082 OR icdx_type_id=8104 OR icdx_type_id=8103 OR icdx_type_id=8102

  Information Protection: index="symc_events" AND sourcetype="icdx" icdx_category_id=8
    Email: index="symc_events" AND sourcetype="icdx" icdx_category_id=8 icdx_type_id=9002
    File: index="symc_events" AND sourcetype="icdx" icdx_category_id=8 icdx_type_id=9001

Page 34: Symantec™ Integrated Cyber Defense Exchange SOC View App and TA for Splunk ... · 2020. 3. 2. · Distributed or Cluster Splunk Deployment Below is the architectural diagram of

SOC View App and TA for Splunk Installation and Configuration Guide 34

CIM Mapping

Note the following about CIM mapping:

1. The TA for the SOC View App maps the extracted fields to the CIM data models.
2. Every ICDx category has different event types, and each event type maps to one or more CIM data models.
3. The CIM mapping is useful when using the App and TA with Splunk Enterprise Security (ES).

Category ID    ICDx Category Name    Data Models of CIM mapped with ICDx Categories

1    Security    • Intrusion Detection • Malware • Endpoint (Process, Registry, File Detection) • Email • Network Traffic • Network Sessions • Alert

2    License    • Alert

3    Application Activity    • Updates • Certificates

4    Audit    • Change

5    System Activity    • Intrusion Detection • Endpoint (Process, Registry, File Detection) • Email • Network Traffic • Network Sessions

6    Diagnostic    • Performance (CPU, Memory, Network)

7    Evidence of Compromise    • Endpoint (Process, Registry, File Detection) • Network Sessions

8    Information Protection    • Data Loss Prevention • Email

Page 35: Symantec™ Integrated Cyber Defense Exchange SOC View App and TA for Splunk ... · 2020. 3. 2. · Distributed or Cluster Splunk Deployment Below is the architectural diagram of

SOC View App and TA for Splunk Installation and Configuration Guide 35

Lookups

The TA uses a number of static lookups for search. The purpose of these lookups is to show human-readable values in the dashboards rather than the various IDs coming from the ICDx schema. Lookups include the following:

• id_lookup
  • This lookup correlates the type_id and the id (icdx_disposition_id) fields and creates a new field called action that is used in the Dashboard Panel > File Count By Action.
  • This correlation is done using the Symantec ICDx documentation.
  • Example: If the type id is 8035 and the id is 1, the Action derived from this is Blocked, according to the documentation.

• severity_lookup
  • This lookup derives a field called severity_type, which is the literal meaning of the severity_id that is coming in the event.
  • Example: If the severity_id is 1, the severity_type is derived as Informational.

• type_id_lookup
  • This lookup derives a field called Event Type, which is the literal meaning of the type_id that is coming in the event.
  • Example: If the type_id is 8040, the Event Type is derived as Host Network Detection.

• category_lookup
  • This lookup derives a field called Category, which is the literal meaning of the category_id that is coming in the event.
  • Example: If the category_id is 1, the Category is derived as Security.

• threat_type_lookup
  • This lookup derives a field called Threat Category, which is the literal meaning of the threat.type_id that is coming in the event.
  • Example: If the threat.type_id is 1, the Threat Category is derived as Malware.

• risk_id_lookup
  • This lookup derives a field called Risk Type, which is the literal meaning of the risk_id that is coming in the event.
  • Example: If the risk_id is 100, the Risk Type is derived as Bad.

• file_typeid_lookup
  • This lookup derives a field called File Type Object, which is the literal meaning of the file.type_id that is coming in the event.
  • Example: If the file.type_id is 1, the File Type Object is derived as File.

• file_rep_discovered_band_lookup
  • This lookup derives a field called Reputation Discovered Band, which is the literal meaning of the file.rep_discovered_band that is coming in the event.
  • Example: If the file.rep_discovered_band is 0, the Reputation Discovered Band is derived as Unknown.

• file_rep_prevalence_band_lookup
  • This lookup derives a field called Reputation Prevalence Band, which is the literal meaning of the file.rep_prevalence_band that is coming in the event.


  • Example: If the file.rep_prevalence_band is 0, the Reputation Prevalence Band is derived as No Users.

• url_category_lookup
  • This lookup derives a field called URL Category, which is the literal meaning of the url.categories that is coming in the event.
  • Example: If the url.categories is 20, the URL Category is derived as Entertainment.

Eventtypes.conf

To retrieve only a specific type of event (based on the constraints added to the search query), eventtype searches are defined. Eventtypes specific to each data model that is mapped for the ICDx categories are defined in the eventtypes.conf file.

All the eventtypes defined include the `icdx_get_index` macro. These eventtypes are used in drill-down queries.

Props.conf and Transforms.conf

Attributes extracted from ICDx are renamed to map them to the fields available under the CIM data models. This renaming is termed field aliasing. Field aliases for all the extracted fields are provided in the props.conf file.

For fields that have conflicts or a one-to-many mapping, eval functions are defined that map the field according to the given icdx_type_id.

Tags.conf

For every eventtype, the specific tags applicable to the types of events found are defined in the tags.conf file. Tags are keywords that you can include in search queries to retrieve specific event data. For example, if Tag=Malware is specified, all the events with the Malware tag are returned.
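The following hypothetical stanzas are an added example, not the TA's own configuration files, showing how the pieces described in the Lookups, Eventtypes.conf, Props.conf/Transforms.conf and Tags.conf sections fit together for the Security > Email row of the search table: an eventtype built on the `icdx_get_index` macro, a field alias and a per-icdx_type_id eval in props.conf, the severity_lookup and id_lookup wired in through transforms.conf, and a tag in tags.conf. The stanza name, the CSV file names and the attribute names file.name, email.recipient and device.ip are assumptions.

```ini
# --- eventtypes.conf ---
# Hypothetical stanza name (the TA's own eventtype names are not given in this guide).
# `icdx_get_index` expands to the index and sourcetype chosen when the HEC was created,
# so the eventtype keeps working when the index name is changed only in the macro.
[icdx_security_email]
search = `icdx_get_index` category_id=1 (icdx_type_id=8035 OR icdx_type_id=8036)

# --- tags.conf ---
# Tags bind to the eventtype, so a search for tag=email returns exactly these events.
[eventtype=icdx_security_email]
email = enabled

# --- transforms.conf ---
# Static CSV files that back two of the lookups listed above (file names are assumed).
[severity_lookup]
filename = severity_lookup.csv
# severity_lookup.csv (constructed rows):  severity_id,severity_type
#                                          1,Informational
[id_lookup]
filename = id_lookup.csv
# id_lookup.csv (constructed rows):        type_id,id,action
#                                          8035,1,Blocked

# --- props.conf ---
# Stanza for the sourcetype used throughout this guide.
[icdx]
# Field alias: expose an ICDx attribute under the CIM field name that the Email and
# Malware data models expect ("file.name" is an assumed ICDx attribute name).
FIELDALIAS-icdx_file_name = "file.name" AS file_name
# One-to-many mapping: the CIM "dest" field comes from a different ICDx attribute
# depending on icdx_type_id ("email.recipient" and "device.ip" are assumed names).
EVAL-dest = if(icdx_type_id=8035 OR icdx_type_id=8036, 'email.recipient', 'device.ip')
# Single-key lookup: severity_id 1 -> severity_type "Informational".
LOOKUP-severity = severity_lookup severity_id OUTPUT severity_type
# Two-key lookup: type_id 8035 plus icdx_disposition_id 1 -> action "Blocked".
# The CSV column "id" is matched against the event field icdx_disposition_id.
LOOKUP-action = id_lookup type_id id AS icdx_disposition_id OUTPUT action
```

Splunk applies field aliases before calculated (EVAL) fields and lookups last, so an eval can reference an alias but a lookup output cannot feed an eval in the same stanza.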

Page 37: Symantec™ Integrated Cyber Defense Exchange SOC View App and TA for Splunk ... · 2020. 3. 2. · Distributed or Cluster Splunk Deployment Below is the architectural diagram of

SOC View App and TA for Splunk Installation and Configuration Guide 37

Troubleshooting

Dashboards Are Not Populating

After you complete the installation of the App, all the dashboards start populating data. If you don't see data in the dashboards, use the following steps to troubleshoot:

1. Confirm that you have modified the macro `icdx_get_index` with the correct index and sourcetype that were used while creating the HEC.
2. Confirm that the index has been created.
3. Run the following query to verify that data is being indexed into Splunk:

   `icdx_get_index` | stats count by sourcetype

4. Make sure that the data model is accelerated in the App.

Data Is Not Coming into Splunk

If data is not coming into Splunk, make sure that the ICDx forwarder for Splunk is configured properly. It needs to have the same HEC token that was created on the Splunk side.

New Features of the App Are Not Visible After Upgrading

Occasionally, some features of the latest version of the App might not be visible in Splunk immediately after upgrading.

1. A possible reason for this is the creation of a local folder in $SPLUNK_HOME/etc/apps/Symantec_soc_app/. Verify the installation of the SOC View App from the backend for the presence of this local folder in addition to the default folder for the SOC View App. This local folder is created when changes are made directly in the App by clicking the Edit option in Splunk.

   These changes override the settings included in the default folder. As a result, the panels might not get populated or the new features may not be visible.


   The contents of the local folder include user interface changes and files related to accelerated data. Make sure that you remove only the files that contain changes to the source code of panels. Such files can be found in the /local/data/UI/views folder.

2. Next, bump the Splunk instance by opening the following URL:

   http://<SPLUNK_HOST>/en-US/_bump