Splunk

Introduction

The BforeAI PreCrime Splunk App ingests domain details from the BforeAI PreCrime feed, together with their activity, so that they can be monitored from Splunk.

Compatibility Matrix

Splunk Enterprise Version: 9.2.x, 9.1.x, 9.0.x

Supported OS Version: Independent

Browser: Independent

Python Version: 3.x

BforeAI PreCrime - Splunk App

You can download the BforeAI PreCrime - Splunk App from:

https://classic.splunkbase.splunk.com/app/7415/

BforeAI PreCrime credentials

Access and authentication

Time required

Manual steps: 15 minutes

The BforeAI PreCrime - Splunk app installs in minutes; the configuration requires 5 to 10 minutes.

Automatic steps: 3 hours to 1 day

The index is populated in a few hours, and the acceleration takes 20 to 40 minutes (depending on the hardware Splunk runs on) and is run at the scheduled time you configure.

Installing BforeAI PreCrime - Splunk App

BforeAI PreCrime can be installed through the UI, as shown below, or by extracting the zip file directly into the $SPLUNK_HOME/etc/apps/ folder.

● Installation steps from the UI:

1. Log in to Splunk and navigate to Apps > Manage Apps.

2. Click Install app from file.

3. Click Choose file and select the App installation file.

4. Click on Upload.

5. Restart Splunk if prompted.

Configuring BforeAI PreCrime - Splunk App

Configure Account

  1. Go to BforeAI PreCrime > Configuration

  2. Click Add from the top right corner.

  3. Add a unique Account Name, API URL, Username and Password.

  4. Click on the Add button.

  5. Once the account is added, it appears in the list of configured accounts on the Configuration page.

To update an Account

  1. Go to BforeAI PreCrime > Configuration

  2. Find the account you want to edit in the list of configured accounts.

  3. Click on Action > Edit

  4. Update the required parameters in the dialogue box.

  5. Click on Update.

To clone an Account

  1. Go to BforeAI PreCrime > Configuration

  2. Find the account you want to clone in the list of configured accounts.

  3. Click on Action > Clone

  4. Add the required parameters in the dialogue box.

  5. Click on save.

To remove an Account

Note: Before removing an account, make sure that no input is still using it.

  1. Go to BforeAI PreCrime > Configuration

  2. Find the account you want to delete in the list of configured accounts.

  3. Click on Action > Delete.

Proxy page

A user can configure the proxy for BforeAI PreCrime through this page. The supported proxy types are http and socks5.

1. Go to BforeAI PreCrime > Configuration > Proxy.

2. Provide the Proxy Type, Host, Port, Username and Password, then click the Save button.

To use the proxy, select Enable.

Logging Page

A user can configure the logging level for the BforeAI PreCrime app through this page.

1. Go to BforeAI PreCrime > Configuration > Logging.

2. Select the Log Level from the drop-down and Save it.

Inputs Page

Users can manually create a modular input by following the steps below.

  1. Go to BforeAI PreCrime > Inputs.

  2. Click Create New Input.

  3. Fill in the parameters described in the table below.

  4. Click the Save button.

Parameter: Type - Description

Name: Textbox - A name to uniquely identify the input.

Interval: Textbox - Time interval for the input, in seconds. Default = 86400.

Index: Dropdown - Required. The index in which data should be collected. You can use the default "main" index or create a new index named "precrime", which is the name already present in the macro. You can use any other index name that you created, but you must then update it in the macro searches.

Global Account: Dropdown - Select the BforeAI PreCrime account for which you want to collect data.

Start Date: Textbox - Enter the start date in YYYY-MM-DD format. Example: 2024-04-01

To Disable an Input

  1. Go to BforeAI PreCrime > Inputs.

  2. Find the input you want to disable in the list of inputs.

  3. Under Status, click Enabled to toggle the input off.

To Enable an Input

  1. Go to BforeAI PreCrime > Inputs.

  2. Find the input you want to enable in the list of inputs.

  3. Under Status, click Disabled to toggle the input on.

To Edit an Input

  1. Go to BforeAI PreCrime > Inputs

  2. Find the input you want to edit in the list of configured inputs.

  3. Click on Action > Edit

  4. Update the desired parameters in the dialogue box.

  5. Click on Update.

To Clone or Delete an Input

Perform the same steps as for editing:

  1. Go to BforeAI PreCrime > Inputs

  2. Click on Action > Clone or Action > Delete

API Feed

The API feed consists of JSON records with the following keys:

Id: big integer - ID of the domain name

Name: String - Domain name

Created: Datetime - Date of the processed analysis for this record

Score: confidence level that the given domain is malicious, interpreted with the ranges listed after the example

{
    "Id": 272806910,
    "Name": "thelawomanleaders.com",
    "Created": "2024-07-02T00:02:10",
    "Score": 1.0
}

  • 0-0.49 Safe domains

  • 0.5 Monitored domains

  • 0.51-0.79 Suspicious domains

  • >= 0.8 Malicious domains
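The feed format above, as an added example that is not part of the BforeAI app or its documentation: a Python parser that validates the four documented keys of each record before it is indexed, assigns the documented score band, and keeps the latest analysis per domain (the view the dashboard's latest-details panel gives). Records in SAMPLE_FEED other than the page's own example are constructed; the handling of scores that fall between the published boundaries (strict comparison at 0.5 and 0.8) is an assumption, since the page lists the bands to two decimals only.

```python
"""Parse, validate and classify BforeAI PreCrime feed records (added example)."""
import json
from datetime import datetime
from typing import Dict, List, Tuple


def classify(score: float) -> str:
    """Score bands as documented: 0-0.49 safe, 0.5 monitored, 0.51-0.79 suspicious, >= 0.8 malicious.
    Assumption: a value between two published boundaries (e.g. 0.495) is resolved by the strict
    comparisons below, so every score lands in exactly one band."""
    if score >= 0.8:
        return "Malicious"
    if score > 0.5:
        return "Suspicious"
    if score == 0.5:
        return "Monitored"
    return "Safe"


def parse_record(raw: dict) -> dict:
    """Validate one feed record before it is indexed; raise ValueError on bad input."""
    try:
        rec_id = int(raw["Id"])
        # Normalise the name so later comparisons are case- and trailing-dot-insensitive.
        name = str(raw["Name"]).strip().lower().rstrip(".")
        created = datetime.fromisoformat(raw["Created"])
        score = float(raw["Score"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"malformed feed record: {raw!r}") from exc
    if not name or not (0.0 <= score <= 1.0):
        raise ValueError(f"out-of-range feed record: {raw!r}")
    return {"Id": rec_id, "Name": name, "Created": created,
            "Score": score, "Category": classify(score)}


def parse_feed(text: str) -> Tuple[List[dict], List[dict]]:
    """Parse a JSON array of feed records; return (accepted records, rejected raw records)."""
    good, bad = [], []
    for raw in json.loads(text):
        try:
            good.append(parse_record(raw))
        except ValueError:
            bad.append(raw)  # keep rejects for logging rather than silently dropping them
    return good, bad


def latest_per_domain(records: List[dict]) -> Dict[str, dict]:
    """Keep only the most recent analysis of each domain."""
    latest: Dict[str, dict] = {}
    for rec in records:
        cur = latest.get(rec["Name"])
        if cur is None or rec["Created"] > cur["Created"]:
            latest[rec["Name"]] = rec
    return latest


def count_by_category(records: List[dict]) -> Dict[str, int]:
    """Counts per band, i.e. the four single-value panels of the threat-monitoring dashboard."""
    counts = {"Safe": 0, "Monitored": 0, "Suspicious": 0, "Malicious": 0}
    for rec in records:
        counts[rec["Category"]] += 1
    return counts


# Constructed sample feed: the page's example record, an older analysis of the same domain,
# two invented .test domains, and one malformed record (non-numeric Id).
SAMPLE_FEED = json.dumps([
    {"Id": 272806910, "Name": "thelawomanleaders.com", "Created": "2024-07-02T00:02:10", "Score": 1.0},
    {"Id": 272806910, "Name": "thelawomanleaders.com", "Created": "2024-06-30T00:00:00", "Score": 0.72},
    {"Id": 272806911, "Name": "Example-Monitored.test", "Created": "2024-07-02T00:05:00", "Score": 0.5},
    {"Id": 272806912, "Name": "benign.test", "Created": "2024-07-02T00:06:00", "Score": 0.1},
    {"Id": "not-a-number", "Name": "broken.test", "Created": "2024-07-02", "Score": 0.9},
])

if __name__ == "__main__":
    accepted, rejected = parse_feed(SAMPLE_FEED)
    current = latest_per_domain(accepted)
    print(count_by_category(list(current.values())))
    print("rejected records:", len(rejected))
```

Counting over all accepted records gives one domain in every band, while counting over the latest record per domain drops the older 0.72 analysis, which is why the dashboard's single-value panels should be built from the latest analysis rather than from every event in the index.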

Dashboards

The BforeAI PreCrime app provides monitoring dashboards.

1) PreCrime Threat Monitoring

Panel Name: Visualization - Description

Malicious Domain: Single Value - Count of all malicious domains, meaning domains with a score >= 0.8

Suspicious Domain: Single Value - Count of all suspicious domains, meaning domains with a score between 0.51 and 0.79

Monitored Domain: Single Value - Count of all monitored domains, meaning domains with a score = 0.5

Safe Domain: Single Value - Count of all safe domains, meaning domains with a score <= 0.49

"All" Latest Domain Details: Table - Shows all the basic information related to each domain

Timechart by Score: Timechart - Shows the historical score of the selected domain

Splunk Knowledge Objects

Macros

  1. You can edit the macros using Settings > Advanced Search > Search macros.

  2. To change the index name, update the precrime_index macro.

  3. For data model acceleration, use the summariesonly macro. If it is set to true, data is populated from the summary index; otherwise it is populated from the local indexes.

Data Model

  1. You can accelerate the data model by clicking Settings > Data Model > precrime > Edit.

  2. Update the settings and the cron schedule according to your needs.

Search objects

You can use the Splunk stats and tstats search commands. Below are some example queries that can be saved as a dashboard panel or an alert. They use an index named precrime24; substitute the index you configured for the input.

List the malicious domains

search index=precrime24 sourcetype=PreCrime Score>=0.8

Correlate the data with your DNS resolver log:

index="dns_queries" sourcetype="dns_query"
 | rex field="_raw" ".*query: (?<domain>[^\s*]*).*"
 | join domain
  [| search index=precrime24 sourcetype=PreCrime Score>=0.8
    | rename Name as domain ]
 | table domain

Correlate the data with your web proxy log :

index="proxylogs" sourcetype="proxy_entry"
 | rex field="_raw" "Host: (?<domain>[^\s*]*)"
 | rex field="_raw" "from client (?<client>[^\s*]*)"
 | rex field="_raw" "\[PROXY\] (?<status>[^\s*]*)"
 | join domain
  [| search index=precrime24 sourcetype=PreCrime Score>=0.8
    | rename Name as domain ]
 | table domain,client,status,Score
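The DNS and proxy correlation searches above, as an added Python example that is not part of the BforeAI app or its documentation. It applies the same "query: <domain>" extraction (Python's re spells the named group as (?P<domain>...)) to resolver log lines and joins them against feed records with Score >= 0.8. It goes beyond the exact-match join in the searches in two ways: names are normalised (case, trailing dot) before comparison, and a query for a subdomain of a listed domain also matches, which a plain join on the Name field misses. FEED and DNS_LOG are constructed sample data; the BIND-style "client <ip>#<port>:" prefix used to extract the client is an assumption about the log format.

```python
"""Correlate DNS resolver log lines with PreCrime malicious domains (added example)."""
import re
from typing import Iterable, List, Optional, Set

# Same capture as the rex in the DNS search above, in Python's named-group syntax.
QUERY_RE = re.compile(r"query: (?P<domain>[^\s*]*)")
# Assumed BIND-style 'client <ip>#<port>:' prefix; the search above does not extract the client.
CLIENT_RE = re.compile(r"client (?P<client>[^\s#]+)")


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' matches 'www.example.com'."""
    return domain.strip().lower().rstrip(".")


def malicious_domains(feed: Iterable[dict], threshold: float = 0.8) -> Set[str]:
    """Feed domains in the malicious band (Score >= 0.8 as documented)."""
    return {normalize(rec["Name"]) for rec in feed if float(rec["Score"]) >= threshold}


def matching_suffix(domain: str, listed: Set[str]) -> Optional[str]:
    """Return the listed domain that `domain` equals or is a subdomain of, else None."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD so 'com' never matches
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def correlate(log_lines: Iterable[str], listed: Set[str]) -> List[dict]:
    """One hit per log line whose queried name is, or sits under, a listed domain."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or not m.group("domain"):
            continue  # no query name on this line
        listed_name = matching_suffix(m.group("domain"), listed)
        if listed_name is None:
            continue
        c = CLIENT_RE.search(line)
        hits.append({
            "domain": normalize(m.group("domain")),
            "listed": listed_name,
            "client": c.group("client") if c else None,
        })
    return hits


# Constructed sample data: the page's example feed record plus one domain below the malicious band,
# and four BIND-style query log lines (subdomain, below-threshold domain, upper-case with trailing dot, benign).
FEED = [
    {"Id": 272806910, "Name": "thelawomanleaders.com", "Created": "2024-07-02T00:02:10", "Score": 1.0},
    {"Id": 1, "Name": "suspicious-only.test", "Created": "2024-07-02T00:02:10", "Score": 0.72},
]
DNS_LOG = [
    "02-Jul-2024 10:15:01.123 client 10.0.0.5#53211: query: www.thelawomanleaders.com IN A + (10.0.0.2)",
    "02-Jul-2024 10:15:02.456 client 10.0.0.7#40011: query: suspicious-only.test IN A + (10.0.0.2)",
    "02-Jul-2024 10:15:03.789 client 10.0.0.9#51234: query: THELAWOMANLEADERS.COM. IN AAAA + (10.0.0.2)",
    "02-Jul-2024 10:15:04.000 client 10.0.0.5#53212: query: benign.test IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    for hit in correlate(DNS_LOG, malicious_domains(FEED)):
        print(hit)
```

In Splunk itself, the subsearch inside join is capped by the limits.conf settings for subsearch result count and run time, so a large set of malicious domains can be silently truncated; building a lookup from the feed, or running one search over both sourcetypes and aggregating with stats by domain, avoids that cap as well as the exact-match limitation this example works around.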
