The script checks the status of the following configurations:

- Admin users are correctly identified and normalized.
- Email is set up to send alerts, changes made for the geolocation on the UI, and internal domains in the /etc/caspida/local/conf/uba-site.properties file.
- Internal IPs are set up in the /etc/caspida/local/conf/etl/configuration/EntityValidations.json file.
- Competitive domains are set up in the /etc/caspida/local/conf/competitorDomains.txt file.

Complete the following steps to properly get data into Splunk UBA:

1. Verify network access to the Google Maps, VirusTotal, WHOIS, and MaxMind external services.
2. Verify you have the correct permissions. See Requirements for connecting to and getting data from the Splunk platform.
3. (Optional) See which data source types are supported in Splunk UBA. See View supported data source types and prepare to add data sources to Splunk UBA.
4. Get assets and identity data into Splunk UBA.
5. Configure allow lists and deny lists in Splunk UBA for domains, IP addresses, or users. See Use allow and deny lists to generate or suppress anomalies.
6. Get data from the Splunk platform into Splunk UBA. See Use connectors to add data from the Splunk platform to Splunk UBA. You can get started with a smaller dataset before ingesting all of your data.
7. See Verify that you successfully added the data source.

View supported data source types and prepare to add data sources to Splunk UBA

Before you add new data sources, review the types of data that you want to add and determine which ones Splunk UBA supports. Perform the following tasks to view the data source types supported by Splunk UBA:

1. In Splunk UBA, select Manage > Data Sources.
2. Review the data source types on the Data Source Type page. The supported data source types that can be added to Splunk UBA are listed on this page.

After you determine which data sources you can add, make sure that existing event filters do not affect the new data sources. Review the existing event filters to check for settings that negatively affect future data uploads. For example, an event filter that excludes source_IP data from one data source will affect the new data source. Modify the filters as needed as new data sources are added.

Splunk UBA provides support for English language logs only.

Get started with a smaller set of data before working in a full production environment. This is useful for verifying that the data coming into Splunk UBA is properly configured and mapped so that you see the desired anomalies and threats. There are several ways to use a small dataset to get started in Splunk UBA:

- You can add data from a file to test on a small scale. See Add file-based data sources to Splunk UBA.
- You can add data from Splunk software to Splunk UBA in test mode, where Splunk UBA analyzes a sample set of data from the data source. See Add data sources to Splunk UBA in test mode.
- You can create an event filter, which is useful for limiting or targeting the data you are analyzing. You can apply filters to include or exclude devices or users. See Filter events analyzed by Splunk UBA for anomalies.

Configure the VirusTotal script to see VirusTotal anomalies in Splunk UBA

The VirusTotal script in Splunk UBA compares existing external IP addresses and domains in Splunk UBA against VirusTotal. Any matches are added to the VirusTotal watch list, which can be viewed in Splunk UBA in Anomalies Table > Add Filter > User Watchlists. The first time the script is run, it checks data from the past 180 days. You can configure the script to run regularly after that.

Verify the following before running the VirusTotal script:

- Ensure that Splunk UBA node 1 can connect to and.
- Make sure you have an existing VirusTotal API key. If you need to obtain a key, register in the VirusTotal community. Complete the registration form and click Sign Up.
- Identify the maximum number of queries you can run using your API key. If you are using a private key, exclude your regular usage (non-UBA related searches) from this limit.

The script, /opt/caspida/bin/utils/virustotal_scan/virustotal_setup.sh, prompts you for the following:

- If you accept the terms of usage, press Y.
- Find your API key under the account details, after logging in to VirusTotal. Enter your API key and press Enter to continue.
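The VirusTotal section above describes three behaviours a practitioner has to get right when reconciling indicators against an external reputation service: a 180-day lookback, a watch list built from matches, and a query budget from which regular (non-UBA) usage must be subtracted. The following is an added illustration of that logic in Python, not Splunk's virustotal_setup.sh and not Splunk code. The indicator list, the report dictionaries and the `constructed_lookup` function are constructed sample data standing in for a UBA export and for VirusTotal API v3 responses (whose `data.attributes.last_analysis_stats.malicious` field is real); `ScanBudget`, `Indicator`, `select_candidates` and `scan` are hypothetical names introduced here.

```python
"""Quota-aware reputation pass over external indicators (added example, not Splunk's script).

Assumed inputs: a list of external IPs/domains with a last-seen date (as a UBA
export might provide) and a `lookup` callable that returns a VirusTotal v3-style
report dict, or None when the lookup fails.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Optional

LOOKBACK_DAYS = 180  # the first run of the page's script checks the past 180 days


@dataclass
class ScanBudget:
    daily_limit: int            # maximum queries the API key allows per day
    reserved_non_uba: int = 0   # queries to keep free for regular, non-UBA searches

    def available(self) -> int:
        """Queries this scan may spend after reserving regular usage."""
        return max(0, self.daily_limit - self.reserved_non_uba)


@dataclass
class Indicator:
    value: str       # IP address or domain
    kind: str        # "ip" or "domain"
    last_seen: date  # last time UBA observed the indicator


@dataclass
class ScanResult:
    watchlist: List[str] = field(default_factory=list)  # indicators flagged by the service
    queried: List[str] = field(default_factory=list)    # indicators that consumed a query
    deferred: List[str] = field(default_factory=list)   # candidates left for the next run


def select_candidates(indicators: Iterable[Indicator], today: date,
                      lookback_days: int = LOOKBACK_DAYS) -> List[Indicator]:
    """Keep unique indicators seen inside the lookback window, most recent first."""
    cutoff = today - timedelta(days=lookback_days)
    seen = set()
    out: List[Indicator] = []
    for ind in sorted(indicators, key=lambda i: i.last_seen, reverse=True):
        if ind.last_seen < cutoff or ind.value in seen:
            continue
        seen.add(ind.value)
        out.append(ind)
    return out


def is_flagged(report: Dict, min_malicious: int = 1) -> bool:
    """VirusTotal v3 reports carry data.attributes.last_analysis_stats.malicious."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return stats.get("malicious", 0) >= min_malicious


def scan(indicators: Iterable[Indicator], lookup: Callable[[Indicator], Optional[Dict]],
         budget: ScanBudget, today: date) -> ScanResult:
    """Query candidates until the budget is spent; defer the rest instead of overrunning."""
    result = ScanResult()
    remaining = budget.available()
    for ind in select_candidates(indicators, today):
        if remaining == 0:
            result.deferred.append(ind.value)
            continue
        report = lookup(ind)
        remaining -= 1                      # a failed lookup still spends a query
        result.queried.append(ind.value)
        if report is not None and is_flagged(report):
            result.watchlist.append(ind.value)
    return result


# --- constructed sample data (documentation IP ranges and .example domains) ---
SCAN_TODAY = date(2024, 6, 1)
SAMPLE_INDICATORS = [
    Indicator("203.0.113.7", "ip", date(2024, 5, 30)),
    Indicator("cdn.example", "domain", date(2024, 5, 20)),
    Indicator("203.0.113.7", "ip", date(2024, 5, 10)),       # duplicate, dropped
    Indicator("evil.example", "domain", date(2024, 5, 1)),
    Indicator("198.51.100.20", "ip", date(2023, 11, 1)),     # older than 180 days
]
CONSTRUCTED_REPORTS = {
    "203.0.113.7": {"data": {"attributes": {"last_analysis_stats": {"malicious": 5}}}},
    "cdn.example": {"data": {"attributes": {"last_analysis_stats": {"malicious": 0}}}},
    "evil.example": {"data": {"attributes": {"last_analysis_stats": {"malicious": 3}}}},
}


def constructed_lookup(ind: Indicator) -> Optional[Dict]:
    """Stands in for the HTTP call; returns a constructed v3-style report."""
    return CONSTRUCTED_REPORTS.get(ind.value)


def run_sample() -> ScanResult:
    """Daily limit 3 with 1 query reserved for regular use leaves 2 for this run."""
    return scan(SAMPLE_INDICATORS, constructed_lookup, ScanBudget(3, reserved_non_uba=1), SCAN_TODAY)


if __name__ == "__main__":
    print(run_sample())
```

Running the sample queries the two most recently seen candidates, defers `evil.example` to the next run rather than exceeding the key's limit, and puts only `203.0.113.7` on the watch list; the out-of-window and duplicate entries never cost a query.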