Configuring TISC add-on in Splunk
Follow the procedure below to configure the application.
Before you begin
Role required: Splunk admin
About this task
The following procedure describes the configuration of the TISC add-on in Splunk.
Procedure
- Search for the Threat Intelligence Security Center for Splunk app from the left navigation.
- Click Set up under the Actions column.
  The Configuration page is displayed, and you can set up your ServiceNow TISC account.
- Select Add.
- On the form, fill in the fields.
  Name: A unique name for the account.
  User Name: Your ServiceNow account user name. You can use the same user name as the user created with the sn_sec_tisc.api_obs_read_access role in the earlier step.
  Password: Your ServiceNow account password.
  Instance URL: The URL of your ServiceNow instance.
- Click Add.
  The ServiceNow instance account is added to Splunk.
- Navigate to the Inputs page to create collections and manage the data inputs for your ServiceNow account.
- Click Create New Input.
  The Add Input dialog box is displayed for you to add the inputs to your ServiceNow account.
  Once the input set is defined, the application sends the criteria to the TISC instance to retrieve a specific number of observables that meet them.
- Fill in the input details, as appropriate.
  Name: A unique name for your input. For example, malicious IP list.
  Account: Your ServiceNow account user name. You can use the same user name as the user created with the sn_sec_tisc.api_obs_read_access role in the earlier step.
  Interval: The time interval, in seconds, at which data is retrieved from TISC.
  Expiry Period (in days): Option to set the expiry period in days.
    Note: The sample expiration is set to 30 days. For example, when data is pulled on a specific date, a set of 10,000 records may be retrieved. These records are stored in the KV (Key-Value) store within Splunk. Starting from the ingested date, the records are retained for 30 days. On the 31st day, they are automatically deleted from the KV store.
  Never Expire: Choose this option if you don't wish the ingested records to expire.
  Filters: Define the conditions by which the imported data is filtered. You can define the criteria on fields such as threat score, confidence level, and type.
    This filtering option is suitable for simple filter conditions. For more complex or advanced filtering, add JSON filters instead.
    The allowed tokens are: "threat_score", "confidence", "reputation", "type", "value"
    The allowed integer operators are: "=", "!=", ">", "<", ">=", "<="
    The allowed string operators are: "=", "!=", "IN"
    Below is an example of a simple filter:
      reputation IN ("clean","suspicious","malicious") AND threat_score > 90 AND confidence > 90 AND type = "ip_v4_address"
  JSON: JSON-based filters allow you to define more intricate conditions. The status of the JSON object should be active. Select the JSON filters check box to switch to advanced filters, where a JSON object can be used to apply the filter condition.
    Sample advanced filter:
      {
        "boolean_operator": "AND",
        "filters": [
          {"field_name": "reputation", "operator": "IN", "field_value": "clean,suspicious,malicious"},
          {"field_name": "threat_score", "operator": ">", "field_value": "90"},
          {"field_name": "confidence", "operator": ">", "field_value": "90"},
          {"field_name": "type", "operator": "=", "field_value": "ip_v4_address"}
        ]
      }
    Note: Accounts are active by default, but inputs are inactive by default; you must activate them to start importing the data. For possible filters, refer to the Observable_filters section in Adds observable source records to the Threat Intelligence Security Center (TISC) application.
- Click Add to add the inputs.
- Click Clone or copy to copy and create a new account based on the existing account.
  Make sure that the input is deactivated before cloning, to avoid creating duplicate entries when importing data using the same criteria.
- Once the data is pulled in, the following information is retrieved and stored in the KV store within Splunk along with the records pulled from TISC:
  Threat Score: The score indicating the level of threat associated with a record.
  Confidence: The confidence level associated with the accuracy of the threat score.
  Expiry Period: The duration for which the record is valid in the application before it expires.
  Threat Level: The severity level of the threat.
  Reputation: The reputation of the entity involved.
  Updated By: Who last updated the record.
  Updated Time: The time stamp when the record was last updated.
  Created Time: The record creation time.
  Days_till_expiry: The number of days after which the record will be deleted from the KV store.
  Source_reported_score: The source-reported score from TISC.
  Sys_id: The sys_id of the record coming through TISC.
  Threat Severity: The threat severity of the observable.
  Value: The value of the record. For example, an IP address or a hash.
  These fields, along with any others defined by your criteria, are available in Splunk and can be viewed, searched, and analyzed through the search tab.
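The simple filter and the JSON filter in the input step above express the same condition. As an added example (not code from the add-on or from this documentation), the following Python converts a simple filter string into the JSON filter structure shown there, rejecting tokens and operators outside the allowed lists; treating threat_score and confidence as the integer fields is an assumption.

```python
import json
import re

# Allowed tokens and operators, as listed for the input filter.
ALLOWED_TOKENS = {"threat_score", "confidence", "reputation", "type", "value"}
INT_OPERATORS = {"=", "!=", ">", "<", ">=", "<="}
STR_OPERATORS = {"=", "!=", "IN"}
# Assumption: threat_score and confidence are the integer fields; the rest are strings.
INT_FIELDS = {"threat_score", "confidence"}

# One condition: <token> <operator> <value>, where the value is an IN list in
# parentheses, a double-quoted string, or a bare number.
_COND = re.compile(r'(\w+)\s*(>=|<=|!=|=|>|<|IN)\s*(\([^)]*\)|"[^"]*"|\S+)', re.IGNORECASE)

def parse_condition(text):
    """Turn one 'field op value' clause into a JSON filter entry, or raise ValueError."""
    m = _COND.fullmatch(text.strip())
    if not m:
        raise ValueError(f"cannot parse condition: {text!r}")
    field, op, raw = m.group(1), m.group(2).upper(), m.group(3)
    if field not in ALLOWED_TOKENS:
        raise ValueError(f"unknown token: {field}")
    allowed = INT_OPERATORS if field in INT_FIELDS else STR_OPERATORS
    if op not in allowed:
        raise ValueError(f"operator {op} is not allowed for {field}")
    if raw.startswith("("):
        if op != "IN":
            raise ValueError("a parenthesised list is only valid with IN")
        # IN ("a","b") becomes the comma-joined "a,b" used by the JSON filter.
        value = ",".join(v.strip().strip('"') for v in raw[1:-1].split(","))
    else:
        value = raw.strip('"')
    if field in INT_FIELDS and not value.lstrip("-").isdigit():
        raise ValueError(f"{field} needs an integer value, got {value!r}")
    return {"field_name": field, "operator": op, "field_value": value}

def simple_to_json_filter(expr):
    """Convert 'c1 AND c2 AND ...' into the advanced JSON filter structure."""
    # Splitting on AND assumes no quoted value itself contains " AND ".
    clauses = re.split(r"\s+AND\s+", expr.strip(), flags=re.IGNORECASE)
    return {"boolean_operator": "AND", "filters": [parse_condition(c) for c in clauses]}

def to_json_string(expr):
    """Compact JSON text, in the shape pasted into the JSON filters box."""
    return json.dumps(simple_to_json_filter(expr), separators=(",", ":"))

# The simple filter example from the documentation.
EXAMPLE = ('reputation IN ("clean","suspicious","malicious") AND threat_score > 90 '
           'AND confidence > 90 AND type = "ip_v4_address"')

if __name__ == "__main__":
    print(to_json_string(EXAMPLE))
```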