Configuration

Koji Yamada edited this page Sep 24, 2020 · 17 revisions

AlienVault OTX Adapter

MISP Adapter

Slack Integration

Splunk Integration

User Management

TAXII Client

AlienVault OTX Adapter

This configuration enables RS to collect CTI from AlienVault OTX and automatically create new posts in SNS.

(Screenshot: OTX_adapter)

  1. Create a user account at AlienVault OTX and obtain an API key in advance.

  2. Click Adapter -> "AlienVault OTX" in the RS menu, then:

    1. Input your API key.
    2. Select the Community as "AlienVault OTX".
    3. Select the Uploader as "alienvaultotx".
    4. Click the "Modify" button. Enter a start time in the "From this timedate" field (we recommend one week ago), then click "Start".
    5. Click "List" in the RS menu and confirm that Seamless - Threat Intelligence Platform receives some STIX from "AlienVault OTX". New posts, created by the "alienvault_otx" user, also appear in SNS.
    6. (optional) For automatic/scheduled operation, click "Detail" and create more configuration.

MISP Adapter

Import from MISP

This configuration enables S-TIP to collect CTI from an existing MISP instance and automatically create new posts in S-TIP SNS.

(Screenshot: misp_adapter)

  1. Create a user account on your MISP instance and obtain its API key (Authkey) in advance.

  2. Click Adapter -> "MISP" in the RS menu and:

    1. Input the URL of your MISP instance as http://[your MISP url]/ (e.g. http://10.0.1.2/).
    2. Input your API key.
    3. Input an identity for the MISP instance (e.g. my_MISP).
    4. Select the Community as "MISP".
    5. Select the Uploader as "misp". Then click the "Modify" button.
    6. Each MISP event has a "Published" field. If you want to import only published events, check "Published Only".
    7. Then click the "Modify" button.
    8. Enter the time range in the "Start this date" and "End this date" fields, then click "Start".

    (Tip) If you leave these fields blank, RS imports all MISP events.

  3. Then click "List" in the RS menu and confirm that S-TIP receives some STIX from "MISP". New posts, created by the "misp" user, also appear in SNS. For more information on MISP, see the MISP Automation API.

  4. (optional) For automatic/scheduled operation, click "Detail" and create more configuration.

S-TIP currently collects CTI Elements from the following MISP attribute types.

  • md5
  • sha1
  • sha256
  • sha512
  • url
  • hostname
  • domain
  • ip-dst
  • email-src
  • email-subject

Export to MISP

The configuration above also enables S-TIP to create new Events on MISP.

In S-TIP SNS, click "MISP" on a post, and a new Event is created on your MISP instance.

Slack Integration

If you already use Slack, S-TIP works with your Slack channel. When S-TIP/Slack integration is enabled, S-TIP sends a message to your Slack channel when you create a new post on S-TIP, and vice versa.

Please note that S-TIP/Slack Integration is currently (as of Sep. 2020) a classic Slack app. We plan to adopt the new Slack architecture in the future. (cf. Quickstart: differences between old and new Slack apps)

Requirement

Install the slackclient pip module (version 2.8.2 or later), or upgrade it if you are using an older version.

1. Slack Settings

1-1. Create a New Classic App

Visit https://api.slack.com/authentication/migration#classic and click Create a classic Slack App.

Enter the App Name and select your Slack Workspace.

1-2. Slack Bot Settings

Pull down Add features and functionality and click Permissions. Click Add an OAuth Scope and add the following permissions:

  • bot
  • chat:write:bot
  • chat:write:user

Then select App Home under Features in the left-side menu. Click Add Legacy Bot User and set the bot user's:

  • Display Name
  • Default User Name

This name appears in the timeline of Slack.

1-3. Install to workspace

Click Install your app to your workspace under Basic Information in the Settings menu. Then select Add features and functionality > Permissions.

Take note of the Bot User OAuth Access Token under Add features and functionality (it starts with "xoxb-"). S-TIP uses this token in the following step; treat it as a secret, since it grants the app's permissions in your workspace.

1-4. Deploy a Slack app on your Slack channel

Move to the Slack workspace, open the channel that you want to integrate, and click the "Show Channel details" icon. Then pull down "Apps" and add the app that you created above.

2. S-TIP Settings

  • Log in to S-TIP SNS as the admin user.
  • Click Management -> SNS Config in the menu. Scroll down and input your Bot User OAuth Token in the Slack Bot Token field.
  • Input the name of the channel that you want to integrate with S-TIP in Slack Bot Channel. A private channel is also acceptable. Save the changes.
  • Scroll up to the top of the page and click the Reboot Slack Thread button.

3. Running

3-1. S-TIP to Slack

  • When you create a new post on S-TIP, a new message appears in your Slack channel.

3-2. Slack to S-TIP

  • When you create a new message on Slack, a new post appears in your S-TIP SNS timeline.

Modify S-TIP Setting

  • Modifying the "Bot User OAuth Token" requires a "Reboot Slack Thread".
  • Modifying only the "Slack Bot Channel" does not require a "Reboot Slack Thread".

Splunk Integration

If you already use Splunk, S-TIP can check the logs in your organization against CTI.

  1. Splunk Setting

    Check that REST API access is enabled on your Splunk instance.

    https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog

    Then enable SSL (HTTPS) in Splunk Web in "Server Settings >> General Settings".

  2. S-TIP SNS Setting

    1. Log in to SNS, open the pull-down menu near the username, then click "Account Settings".

    2. Fill in the form as follows:

    • Splunk Host

      Your Splunk instance host (e.g. 192.168.1.2).

    • Splunk API Port

      The default port is 8089.

    • Splunk Web Port

      The default port is 8000.

    • Splunk Username/Password

      Username and password for your Splunk instance (e.g. admin).

    • Splunk Scheme

      The default scheme is https.

    • Splunk Query

      Input the Splunk search query. The placeholder %s is replaced with the indicator value being searched.

      Full search:

      search %s

      or restrict the search to specific sourcetypes and fields, as follows:

      search sourcetype="squid:access" OR sourcetype="isc:bind:query" | search dest_ip=%s OR query=%s

  3. Check your logs with CTI (Sighting)

    Open the post in SNS and click the "Sighting" button.

    "Splunk Sighting Results" will open and show the search result of Indicators.

    Check more detail in Splunk Web UI by clicking the "Check" button.
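How the Sighting search can be assembled from the query template above and its results read back, as an added example (not S-TIP's own code). It assumes the indicator is substituted for %s as a quoted SPL string (indicator values come from third-party CTI, so quoting keeps a crafted value from altering the search), and that results are read from the JSON-lines output of the Splunk REST export endpoint; the sample export lines are constructed.

```python
import json

# Template as entered in the "Splunk Query" field (taken from the page).
QUERY_TEMPLATE = ('search sourcetype="squid:access" OR sourcetype="isc:bind:query" '
                  '| search dest_ip=%s OR query=%s')

def quote_spl(value):
    """Quote an indicator as an SPL double-quoted string.

    Indicator values originate from third-party CTI feeds, so they are
    untrusted input: backslashes and double quotes are escaped so that a
    crafted value cannot close the literal and extend the search pipeline."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'

def build_sighting_query(template, indicator):
    """Replace every %s in the template with the quoted indicator value."""
    return template.replace('%s', quote_spl(indicator))

def parse_export(lines):
    """Parse the JSON-lines body returned by /services/search/jobs/export
    with output_mode=json: one object per line, the event under "result"."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # export output may contain blank lines
        obj = json.loads(line)
        if 'result' in obj:
            results.append(obj['result'])
    return results

# Constructed sample export: two events matching the indicator 192.0.2.10.
SAMPLE_EXPORT = [
    '{"preview":false,"offset":0,"result":{"_time":"2020-09-24T10:00:00.000+00:00",'
    '"sourcetype":"squid:access","dest_ip":"192.0.2.10"}}',
    '',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"_time":"2020-09-24T10:05:00.000+00:00",'
    '"sourcetype":"isc:bind:query","query":"192.0.2.10"}}',
]

if __name__ == "__main__":
    print(build_sighting_query(QUERY_TEMPLATE, "192.0.2.10"))
    print(len(parse_export(SAMPLE_EXPORT)), "sighting(s)")
```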

User Management

Create New User

  1. Log in to RS and click Configuration -> Users in the menu.

(Screenshot: RS_CreateNewUser)

  2. Fill in the username and set a password. Screen Name is a display name in the UI (optional).

  3. Then click the "Create" button.

User Account Settings

  1. Log in to SNS and click the pull-down button near your username (to the right of "admin" in the image below).

    Then click "Account Settings".

(Screenshot: SNS Account Setting)

  2. Set your profile, picture, and password.

Built-in User Accounts

The following users are system built-in accounts.

Note: These users' passwords are automatically set to the same value as admin's.

  • admin

    A user with administrative privileges on S-TIP.

  • anonymous

    When a user creates a new post with "anonymous", the post owner will be this user.

  • gv_concierge

    Chatbot. When a user creates a new post, gv_concierge searches related CTI in S-TIP and comments to the post.

  • alienvaultotx, misp, slack

    These users are prepared for integration with the corresponding third-party platforms.

  • na (Not Available)

    When a STIX file cannot be associated with any S-TIP user for some reason, this user is used as its owner.