
SPLUNK APP FOR BLUELIV USER GUIDE
Public Documentation
AUTHOR: Blueliv
TLP: Green
Public Documentation – Limited-disclosure TLP: Green
2017 Leap In Value S.L. All rights reserved. The information provided in this document is the property of Blueliv, and any modification or use of all or part of the content of this document without the express written consent of Blueliv is strictly prohibited. Failure to reply to a request for consent shall in no case be understood as tacit authorization for the use thereof.
Blueliv is a registered trademark of Leap In Value S.L. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners.
Contents
1. Introduction
2. Setup
2.1. Requirements
2.2. Installation
2.3. Configuration
3. Getting started
3.1. Home
3.2. Threat Overview
3.3. Search
3.4. Bot IPs
3.5. Attack IPs
3.6. Malware
3.7. Hacktivism
4. Registration
1. Introduction
Splunk App for Blueliv automatically integrates Blueliv's Cyber Threat Intelligence into Splunk. This adds Cyber Threat Intelligence to your existing data, addressing a comprehensive range of cyber threats including compromised URLs, domains, IPs, etc., to turn global threat data into predictive, actionable intelligence specifically for your enterprise and the unique threats it faces.
Our powerful network of specialized search engines scours the web for up-to-the-minute data and delivers real-time actionable information.
Unsurpassed cyber threat intelligence, now at your disposal.

2. Setup
2.1. Requirements
This app has been tested on Splunk version 6.2 installed on 64-bit Windows 7 Professional and on Debian 7.
This app is fully functional on Splunk 6.2 because it uses KV Store collections, a feature only available from this version.
2.2. Installation
1. Download Splunk App for Blueliv. Link?
2. Open Manage Apps from your Splunk web app and click “Install app from file”.
3. Upload the file downloaded in the first step.
4. Restart Splunk. Splunk App for Blueliv should then be available from Splunk's main dashboard as shown below.
Note that the free installation of the Splunk App for Blueliv provides a small sample of our Threat Intelligence feed so you can get used to the plugin before going further.
2.3. Configuration
First, configure an API key and, if needed, proxy settings. Inside the app, open the ‘Configuration’ tab. From there, set your API key under the API-Key section and specify the access type (COMMERCIAL/FREE). Once done, click Save and you should be able to download Blueliv’s crimeservers feed.
The Threat Overview feed settings allow you to force the download of the whole crimeservers dataset in the next update; otherwise the app keeps receiving the normal chunked updates.
Proxy settings are optional and should only be set if a proxy is needed to access the internet. You can leave any input blank if you do not need it.

3. Getting started
3.1. Home
Once inside the Splunk App for Blueliv, the main page (Home) provides an introduction and the steps to get full access to Blueliv's Threat Intelligence Feed.
3.2. Threat Overview
This dashboard shows an overview based on the current data in the local database: geolocation information, the current top 10 affected ASNs and domains, and the latest trends in cybercrime.
The Crime Server Events plot is linked to the results in “Crime Servers by domain” and “Crime Servers by country”, so when you click on a result the events are listed over time to show the trend of the threat. For instance, in the figure below, China was selected to get the events found in China over time, giving a deeper view of this threat in the Crime Server Events chart.
Field Name     Description
url            Crimeserver’s url
Domain         Crimeserver’s domain
Host           Crimeserver’s host
Type           Categorization of the crimeserver
Subtype        Sub-categorization of the crimeserver
Ip             Crimeserver’s IP
Asn            Crimeserver’s ASN
Lat            Crimeserver’s IP latitude
Lon            Crimeserver’s IP longitude
(field name missing in source)  …NE/OFFLINE) (row truncated in source)
Country        Crimeserver’s IP country
firstSeenAt    Date when the crimeserver was seen for the first time
lastSeenAt     Date when the crimeserver was seen for the last time
Check more detailed description about this feed at: https://apidocs.blueliv.com/#crimeservers
This feed is updated every 15 minutes and provides the following lookup tables to enrich your logs and help you decide on actions:
1. bl ip lookup: List of malicious IPs.
2. bl domain lookup: List of malicious domains.
3. bl host lookup: List of malicious hosts.
4. bl url lookup: List of malicious urls.
5. bl asn lookup: List of ASNs that are hosting malware.
6. crimeservers lookup: The entire context needed for each ip, domain, host, url and asn.
These lookup tables help you correlate information from other events, such as a proxy, from IP level to url level, allowing you to decide how much accuracy your application needs.
You can force a download of the full database by pressing the “Restart feed” button. This action does not delete the current data; it downloads all current online crimeservers and adds
them to your local lookup tables. Note that the effects will not take place immediately; the database will be downloaded as soon as it is available.
3.3. Search
On this view a threat analyst can create custom searches with multiple inputs such as IP, Domain, Country and date range.
3.4. Bot IPs
This tab shows the current state of the Bot IPs feed. It provides information about the last inserted infected IPs, as well as trends such as the most infected operating systems or the top 10 portal domains for which bots are reporting data to a C&C.
Field Name       Description
Botip            IP of the infected machine
url              Url where the bot is reporting the leaked data
Botnetip         IP where the bot is reporting the leaked data
Type             Botnet categorization
Portalurl        Url where the login attempt was done
Portaldomain     Domain from the portalurl
Port             Port from portalurl if present
Operatingsystem  Operating System used by the infected machine
Country          Country of the botip
City             City of the botip
Asn              ASN of the botnetip
Lat              Latitude of the botip
Lon              Longitude of the botip
seenAt           Date when the botip was detected
createdAt        Date of creation
Check more detailed description about this feed at: https://apidocs.blueliv.com/#bot-ip
This feed is updated every 10 minutes and provides multiple lookup tables to enrich your logs. The list below shows all the lookup tables available with the feed:
1. bl bot ip lookup: List of the infected IPs ordered by date and the number of occurrences in the feed.
2. bl bot botnetip lookup: List of the Command & Control IPs where the bots are sending their data.
3. bl bot portaldomain lookup: List of domains to which the data extracted from bots belongs.
4. bl bot portalurl lookup: List of urls that a bot has reported data for.
All these lookup tables are available from everywhere and can be correlated with any other kind of event, e.g.: inputlookup name collection
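As an added example (not code from this guide or from the app), the following Python models how the crimeservers lookups and the bl bot ip lookup described above can be applied to proxy events: it walks from the url level down to the IP level so the most precise match wins, and flags clients that appear in the bot IP list. The lookup rows, the proxy log lines and the lookup names are constructed for illustration and are not Blueliv data.

```python
from urllib.parse import urlsplit

# Constructed sample rows shaped like the crimeservers lookup fields above
# (url, domain, host, type, ip); values are invented, and the lookup names
# used here are assumptions, not the app's real lookup file names.
CRIMESERVERS = [
    {"url": "http://bad.example.net/login/pay.php", "domain": "example.net",
     "host": "bad.example.net", "type": "PHISHING", "ip": "203.0.113.10"},
    {"url": "http://cdn.evil-example.org/drop.exe", "domain": "evil-example.org",
     "host": "cdn.evil-example.org", "type": "MALWARE", "ip": "198.51.100.7"},
]
# Constructed "bl bot ip lookup": client IPs reported as infected bots.
BOT_IPS = {"192.0.2.55"}

# Constructed proxy log lines: "<client_ip> <dest_ip> <url>"
PROXY_LOG = """\
10.0.0.4 203.0.113.10 http://bad.example.net/login/pay.php
10.0.0.9 203.0.113.10 http://other.example.net/index.html
192.0.2.55 198.51.100.7 http://cdn.evil-example.org/static/logo.png
10.0.0.12 192.0.2.200 http://clean.example.com/
"""

LEVELS = ("url", "host", "domain", "ip")  # most precise first


def build_indexes(rows):
    """One set per accuracy level, like the bl url/host/domain/ip lookups."""
    return {lvl: {r[lvl] for r in rows} for lvl in LEVELS}


def classify(line, idx, bots):
    """Return the most precise crimeserver match for one proxy event.

    A url hit is the strongest evidence; an IP-only hit is the weakest, since
    shared hosting and CDNs put clean and malicious sites on one address.
    """
    client_ip, dest_ip, url = line.split()
    host = urlsplit(url).hostname or ""
    domain = ".".join(host.split(".")[-2:])  # naive registrable-domain guess
    candidates = {"url": url, "host": host, "domain": domain, "ip": dest_ip}
    match = next((lvl for lvl in LEVELS if candidates[lvl] in idx[lvl]), None)
    return {"client_ip": client_ip, "url": url, "crimeserver_match": match,
            "client_is_bot": client_ip in bots}


def correlate(log=PROXY_LOG, rows=CRIMESERVERS, bots=BOT_IPS):
    """Enrich every proxy line; analysts can then filter on the match level."""
    idx = build_indexes(rows)
    return [classify(l, idx, bots) for l in log.splitlines() if l.strip()]
```

The second log line matches only at domain level even though its destination IP is a known crimeserver, which is the kind of lower-accuracy hit the guide's "IP level to url level" remark is about.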
3.5. Attack IPs
This dashboard represents the current state of the Attacking IPs feed. The Attacking IPs feed provides real-time data about attacks from multiple IPs around the world. The feed is enriched with geo-location information, timestamp and attack categorization.
Field Name               Description
attackType               Attack categorization
firstEvent               Date of the first event in the attack series
lastEvent                Date of the last event in the attack series
numEvents                Number of events in the attack series
Sourceip                 Source IP of the attack
Sourcecountry            Country of the attack source IP
Sourcecity               City of the attack source IP
Sourceport               Used ports at source
Sourcelatitude           Latitude of source IP
Sourcelongitude          Longitude of source IP
Destinationport          Destination ports of the attack
DestinationserviceName   Service names attacked
destinationCountry       Country of the destination IP
Destinationlatitude      Latitude of the destination IP
Destinationlongitude     Longitude of the destination IP
createdAt                Date of attack series creation
Check more detailed description about this feed at: https://apidocs.blueliv.com/#attackingips
This feed is updated every 30 minutes and populates a KVStore collection and the lookup tables described below.
1. attackips lookup: KVStore where all attack data is stored.
2. bl attack ip lookup: List of unique attacking IPs.
All these lookup tables are available from everywhere and can be correlated with any other kind of event, e.g.: inputlookup name collection
3.6. Malware
The main goal of this dashboard is to check the latest malware analyzed by the Blueliv Platform. It integrates the malware feed into Splunk, allowing you to check binary files by hash in the provided lookup tables. Every malware sample has a confidence score rated as LOW, MEDIUM or HIGH. Blueliv also provides a malware behavioral categorization and some extra metadata from the malware sample itself.
Field Name     Description
filename       Original name of the malware sample
contentType    Binary content type
Md5            MD5 hash of the malware sample
SHA1           SHA1 hash of the malware sample
SHA256         SHA256 hash of the malware sample
analyzedAt     Date when the sample was analyzed in the Blueliv platform
firstSeenAt    Date when the sample was seen for the first time
fileType       Executable type
fileSize       Original size of the malware sample
malwareType    Behavioral categorization of the malware sample (PONY, ZEUS, etc.)
Confidence     Confidence extracted from Blueliv Platform, rated as LOW-MEDIUM-HIGH
Architecture   Binary architecture (WIN32, WIN64, etc.)
Check more detailed description about this feed at: https://apidocs.blueliv.com/#malware
This feed is updated every 10 minutes and populates a KVStore and the lookup tables described below.
1. malwares lookup: KVStore that keeps all the data related to this feed.
All these lookup tables are available from everywhere and can be correlated with any other kind of event, e.g.: inputlookup name collection
3.7. Hacktivism
The Hacktivism dashboard shows graphic trends about hacktivist activity. At the top, there is a Heat Map that shows the hacktivism threats detected around the world. At the bottom there is the list of the TOP 6 hacktivism hashtags over the last month.
Check more detailed description about this feed at: https://apidocs.blueliv.com/#hacktivism
4. Registration
If you are interested in getting full access to our Threat Intelligence feed, contact us at [email protected] to get the API credentials that will allow you to update Splunk App for Blueliv’s local database with current, real-time Threat Intelligence updates.
There are two access modes, Commercial and Free. If you are using free access, some features will be disabled as shown in the image below and updates will be less frequent.