Copyright © 2015 Splunk Inc.
Hands-On Security
ES Guided Tour
San Diego, July 2015
Name: AWS2015
Access Code: AWS2015
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Agenda
What is the Splunk App for Enterprise Security?
Guided Tour
– General Overview
– Common Information Model
– Incident Response Exercise
– Creating a Correlation Search
Questions?
These won’t work…
Link to walkthrough:
https://splunk.box.com/sd-splunklive-security2015
Machine data contains a definitive record of all Human <-> Machine & Machine <-> Machine interaction.
Splunk is a very effective platform to collect, store, and analyze all of that data.
Platform for Machine Data (figure): Splunk Solutions > Easy to Adopt; Rich Ecosystem of Apps across data sources, use cases and consumption models. Data sources shown: Mainframe Data, VMware, Exchange, PCI, Security, DB Connect, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Stream.
Rapid Ascent in the Gartner MQ for SIEM (figure: Magic Quadrant positions for 2011, 2012 and 2013)
ES Fast Facts
• Version 3.3 of the product is shipping now
• We release at least twice a year and add lots of new content
• Content ideas come from industry experts, market analysis, focus groups, internal brainstorming, but most importantly YOU
• All of the great things about Splunk carry through into ES – this makes it flexible, scalable, fast, and customizable. It leverages everything cool about Splunk.
• ES has its own development team, dedicated support, services practice, and training courses
ES Guided Tour
Log in with your credentials. Use any modern web browser (works better with non-IE).
Click on Security Posture. This is the launch page for all major sections of the ES app; note the ES content dropdowns and the Splunk app context.
Security Posture: Key Security Indicators (sparklines, editable) and Notable Event info.
Common Information Model
Bring up a new tab to http://splunkbase.com and search for “common information model”. Click the first link that comes up.
Type “Fireeye Add On” into this search box and press enter.
CIM Compliant!
Navigate to Security Domains -> Endpoint -> Malware Center.
Click on the “Mal/Packer” bar. Note the various ways to filter data; the KSIs and the rest of the dashboard are malware specific.
Raw data coming from Sophos, with various ways to filter data. Click the back button.
Click on the “Hacktool.Rootkit” bar.
Raw data coming from SEP/SAV: same dashboard, different data source.
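Why the same Malware Center dashboard works for Sophos and SEP/SAV data: each vendor's raw event is mapped to the CIM Malware Attacks field names (signature, dest, file_path, action, vendor_product) and the dashboard only ever queries those names. The following is an added example, not code from the deck or from Splunk's add-ons; the two raw line formats and the action-value mappings are constructed for illustration and are not the real Sophos or Symantec log formats.

```python
import re
from collections import Counter

# Constructed sample events. These line formats are invented for illustration
# and are NOT the real Sophos or Symantec Endpoint Protection log formats.
SOPHOS_LINES = [
    'host=ws01 threat="Mal/Packer" path="C:\\Users\\alice\\Downloads\\setup.exe" action=cleaned',
    'host=ws02 threat="Mal/Packer" path="C:\\Temp\\a.exe" action=blocked',
    'host=ws03 threat="Troj/Agent-XY" path="C:\\Temp\\b.exe" action=cleaned',
]
SEP_LINES = [
    'ws04,Hacktool.Rootkit,C:\\Windows\\Temp\\r.sys,Quarantined',
    'ws05,Hacktool.Rootkit,C:\\Windows\\Temp\\r2.sys,Left alone',
    'ws01,Mal/Packer,C:\\Users\\alice\\AppData\\x.exe,Quarantined',
]

# Vendor-specific parsers. Each returns a dict keyed by CIM Malware Attacks
# field names (signature, dest, file_path, action, vendor_product); everything
# downstream (the "dashboard") knows only those names.
SOPHOS_RE = re.compile(r'host=(?P<dest>\S+) threat="(?P<signature>[^"]+)" '
                       r'path="(?P<file_path>[^"]+)" action=(?P<action>\S+)')

# Assumed mapping of vendor action words onto the CIM values allowed/blocked.
SOPHOS_ACTION = {"cleaned": "blocked", "blocked": "blocked"}
SEP_ACTION = {"Quarantined": "blocked", "Cleaned": "blocked", "Left alone": "allowed"}

def parse_sophos(line):
    m = SOPHOS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = SOPHOS_ACTION.get(ev["action"], "allowed")
    ev["vendor_product"] = "Sophos"
    return ev

def parse_sep(line):
    parts = line.split(",")
    if len(parts) != 4:
        return None
    dest, signature, file_path, raw_action = parts
    return {"dest": dest, "signature": signature, "file_path": file_path,
            "action": SEP_ACTION.get(raw_action, "allowed"),
            "vendor_product": "Symantec Endpoint Protection"}

def normalize(sources):
    """sources: iterable of (parser, lines). Returns a list of CIM-shaped events."""
    events = []
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
    return events

# Dashboard-style queries, written once against CIM fields only.
def count_by_signature(events):
    """The 'attacks by signature' bar chart, independent of vendor."""
    return Counter(ev["signature"] for ev in events)

def hosts_with_allowed_malware(events):
    """KSI-style check: hosts where the product did NOT block the file."""
    return sorted({ev["dest"] for ev in events if ev["action"] == "allowed"})

if __name__ == "__main__":
    evs = normalize([(parse_sophos, SOPHOS_LINES), (parse_sep, SEP_LINES)])
    for sig, n in count_by_signature(evs).most_common():
        print(f"{n:3d}  {sig}")
    print("unremediated hosts:", hosts_with_allowed_malware(evs))
```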
Click on Search -> Pivot.
29 (20 shown) security-relevant data models from CIM. Click on Malware.
Click “>” next to Malware Attacks.
CIM attributes related to malware. Click Malware Attacks to pivot.
Filter Timeframe to Last 60 Minutes. The total count of attacks is shown; change to over Time (area).
The time range we selected. Split out by signature with add color.
SCROLL to signature.
Can save as report, dashboard panel.
Review security domains available: the “Access” domain, the “Endpoint” domain, the “Network” domain and the “Identity” domain (click Back after each).
Searches that rely on this data model; (more) searches that rely on this data model. How much of ES can I use? What else could I onboard?
Instructor Only
Risk Analysis
Click “Risk Analysis”.
Filterable; KSIs specific to Risk. Risk assigned to system, user or other. Sort by object type, scroll.
Page through to see other objects. Recent risk assignment and sources, sorted.
Can ad-hoc risk onto object.
Threat Activity
Click “Threat Activity”.
Filterable, down to IoC. KSIs specific to Threat. Category of IoCs. Most active threat source. Scroll down…
Specifics about recent threat matches.
Configure -> Data Enrichment -> Threat Intelligence Downloads.
Open-source and commercial threat sources; TAXII support. Click “sans”.
URL to retrieve data from; weight used for “risk”; how often (12h); how to parse. Click back button.
Click “Threat Artifacts”.
Artifact Categories – click different tabs… STIX feed, custom feed.
Click “Threat Intelligence Audit”.
Status of downloads; date of last update; details on download.
Review the Advanced Threat content.
Reports
Click “Reports”.
Over 330 reports to use or customize. Filter (try “malware”).
Incident Response Workflow
Click “Security Posture”.
Click “Threat Activity Seen from Endpoint – Zeus Demo” – you may have to go to page 2 or 3 to see this event.
Throttling turned off for purposes of exercise.
Check the checkbox next to the event matching your timerange. Click “edit all selected” after you’ve selected the event.
Fill out Status: In Progress. Urgency: High. Owner: <your persona>. Comment: <whatever you want>.
Event updated. Click “>”.
Recent activity on event; ownership; data from asset framework.
Drill down on “115.29.46.99” and select Domain Dossier. Pivot off of everything. Go internal or external. Customize.
Oh look! China! Click back to Incident Review.
Drill down on “115.29.46.99” and select “Web Search as destination”.
Lots of data. Malicious IP, TCP instead of HTTPS… Only one internal address, that’s good… Change to 24 hours. Click back to Incident Review.
Drill down on “cgilbert-DC3A297.buttercupgames.com” and select Asset Investigator.
Data from asset framework. Configurable swimlanes; darker = more events. All happened at ~same time. Change to “Today” if needed.
Select “Exec File Activity” vertical bar.
“calc.exe” running out of the user profile? Hmmm…. Drill into the raw events.
Raw events from Microsoft Sysmon; Splunk automatic field extraction. Type “calc” at end of search and hit enter.
Raw term search highlighting. Click “>” to see event field mapping.
Parent/child relationship. Calc.exe was dropped by PDF Reader. Looks like Chris Gilbert was reading his email and opened an attachment. Scroll to other event.
Click “>” to see event field mapping.
Parent/child relationship. svchost.exe was dropped by calc.exe. Click on Image name.
Click “New search”.
New search for unique pattern in the data… Click “DestinationIp”.
There’s our malicious IP!
We now know that something calling itself “svchost.exe”, dropped by something calling itself “calc.exe” which was in turn dropped by our PDF reader upon opening a weaponized PDF, is communicating to a “known bad” IP address.
Scroll down… Click “threat_intel_source”. There’s the threat source it maps to.
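The manual hunt above (a well-known binary name running out of a user profile, its parent chain back to the PDF reader, and its DestinationIp matching a threat list with a threat_intel_source) can be written as one detection. The following is an added example, not the deck's or Splunk's code: the Sysmon-style process-create and network-connect records are constructed and simplified (field names follow Sysmon, values are invented), the PDF reader image path and the "demo_threatlist" source name are placeholders, and the IP is the one the deck drills into.

```python
import ntpath
from collections import defaultdict

# Constructed, simplified records modelled loosely on Sysmon event IDs 1
# (process create) and 3 (network connect). Field names mirror Sysmon's
# (Image, ParentProcessId, DestinationIp); all values are invented.
EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "User": "BUTTERCUP\\cgilbert"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\PDF Reader\pdfreader.exe", "User": "BUTTERCUP\\cgilbert"},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Users\cgilbert\AppData\Local\Temp\calc.exe", "User": "BUTTERCUP\\cgilbert"},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Users\cgilbert\AppData\Local\Temp\svchost.exe", "User": "BUTTERCUP\\cgilbert"},
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 4,
     "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 3, "ProcessId": 400, "DestinationIp": "115.29.46.99", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 500, "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

# Threat list: the IP is the one the deck drills into; the source name is a placeholder.
THREAT_LIST = {"115.29.46.99": "demo_threatlist"}

# Where these well-known Windows binaries legitimately live (assumption for the demo).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "calc.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def build_tree(events):
    """Index process-create events by pid and network connects by pid."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            conns[e["ProcessId"]].append(e)
    return procs, conns

def ancestry(procs, pid):
    """Image basenames from the root ancestor down to pid (parent/child chain)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return list(reversed(chain))

def masquerading(proc):
    """True if a well-known binary name runs from an unexpected directory."""
    name = ntpath.basename(proc["Image"]).lower()
    directory = ntpath.dirname(proc["Image"]).lower()
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]

def hunt(events, threat_list):
    """Processes that masquerade as system binaries AND connect to listed IPs."""
    procs, conns = build_tree(events)
    findings = []
    for pid, proc in procs.items():
        if not masquerading(proc):
            continue
        for c in conns.get(pid, []):
            src = threat_list.get(c["DestinationIp"])
            if src:
                findings.append({"pid": pid, "user": proc["User"],
                                 "chain": " > ".join(ancestry(procs, pid)),
                                 "dest_ip": c["DestinationIp"],
                                 "threat_intel_source": src})
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS, THREAT_LIST):
        print(f"{f['user']}: {f['chain']} -> {f['dest_ip']} ({f['threat_intel_source']})")
```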
We could take this further by investigation of email logs, or wire data from Chris’s laptop, or access logs to determine how this PDF got stolen, but in the interest of time let’s update our event… Click back to Incident Review.
Select event and “Edit all selected”.
Fill out Status: Pending. Urgency: Low. Owner: <your persona>. Comment: <whatever you want>.
Event updated. Click “>”.
Click down arrow. Scroll and choose “Reimage Workstation…”.
Hit the green button… Totally fake! But also totally possible. Click back to Incident Review.
Click “Incident Review Audit”.
Recent review activity appears in the panels. Click a reviewer name.
Detailed review activity scoped to the reviewer you clicked on.
Creating a Correlation Search
Select “Zeus Demo”.
Select More -> Reports.
Click “Open in Search” for the “Successful Portal Brute Force” report.
Returns data if we see a lot of logon attempts and then access to portal admin pages from a single IP on a known threat list.
Select the text of the search with your mouse and copy to clipboard.
Go back to the Enterprise Security app.
Select “Custom Searches” under Configure -> General.
~200 correlation searches, KSIs, swimlanes, etc. Click “new”.
Click “Correlation Search”.
We’re going to fill out this form…but sit tight.
Second half of the form after scroll down: how to assign risk; other actions of interest (like Stream Capture).
Correlation Search Cheatsheet 1
Search Name: <your user name> – Brute Force Against Web Portal
App Context: SA-zeus-demo
Search: Paste in from your clipboard
Start: -7d@d End: now
Cron Schedule: */2 * * * *
Window Duration: 600
Group By: clientip threat_intel_source
Correlation Search Cheatsheet 2
Notable Event: (check the checkbox)
Title: <your username here> – Brute Force on Web Portal from $src$ detected
Description: There have been $logonattempts$ logon attempts and $adminloads$ admin page loads from an $threat$ ip
Security Domain: Threat
Severity: Critical
Default Owner: <your persona>
Default Status: New
When done, click Save
Return to Incident Review.
Search for events owned by you (remove All). Note custom description.
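The logic the cheatsheet configures, reduced to plain code so the pieces are visible: the report's condition (many logon attempts, then admin page loads, from one IP on a known threat list), the Group By fields clientip and threat_intel_source, the notable event title and description filled from $src$/$logonattempts$/$adminloads$/$threat$, and the 600-second Window Duration, which suppresses a repeat notable for the same group-by key (the throttling the exercise turned off). This is an added example, not the deck's search or Splunk's scheduler: the access log lines and threat list entries are constructed, the thresholds are assumptions (the deck only says "a lot"), and Splunk's $token$ syntax is rendered with Python's string.Template $token form.

```python
import re
import string
from collections import defaultdict

# Constructed web access log lines (not the deck's demo data):
# epoch time, client IP, method, URI, HTTP status.
ACCESS_LOG = [
    "1436800000 203.0.113.7 POST /portal/login 401",
    "1436800005 203.0.113.7 POST /portal/login 401",
    "1436800010 203.0.113.7 POST /portal/login 401",
    "1436800015 203.0.113.7 POST /portal/login 401",
    "1436800020 203.0.113.7 POST /portal/login 401",
    "1436800025 203.0.113.7 POST /portal/login 200",
    "1436800030 203.0.113.7 GET /portal/admin/users 200",
    "1436800100 198.51.100.9 POST /portal/login 401",
    "1436800101 198.51.100.9 GET /portal/admin/users 200",
    "1436800200 192.0.2.44 POST /portal/login 401",
    "1436800201 192.0.2.44 POST /portal/login 401",
    "1436800202 192.0.2.44 POST /portal/login 401",
    "1436800203 192.0.2.44 POST /portal/login 401",
    "1436800204 192.0.2.44 POST /portal/login 401",
    "1436800205 192.0.2.44 POST /portal/login 200",
    "1436800210 192.0.2.44 GET /portal/admin/settings 200",
]
# Constructed threat list: IP -> threat_intel_source (198.51.100.9 is deliberately absent).
THREAT_LIST = {"203.0.113.7": "sans", "192.0.2.44": "sans"}

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<clientip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")

# Assumed thresholds; the deck only says "a lot of logon attempts".
MIN_LOGON_ATTEMPTS = 5
MIN_ADMIN_LOADS = 1

# The cheatsheet's notable title/description, with $token$ written as $token.
TITLE = string.Template("Brute Force on Web Portal from $src detected")
DESCRIPTION = string.Template("There have been $logonattempts logon attempts and "
                              "$adminloads admin page loads from an $threat ip")

def correlate(log_lines, threat_list):
    """Group by clientip + threat_intel_source; return the notables that fire."""
    stats = defaultdict(lambda: {"logonattempts": 0, "adminloads": 0, "last": 0})
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["clientip"]
        threat = threat_list.get(ip)
        if threat is None:
            continue  # the search only fires for IPs on a known threat list
        s = stats[(ip, threat)]
        if m["method"] == "POST" and m["uri"].endswith("/login"):
            s["logonattempts"] += 1
        elif m["uri"].startswith("/portal/admin/"):
            s["adminloads"] += 1
        s["last"] = max(s["last"], int(m["ts"]))
    notables = []
    for (ip, threat), s in stats.items():
        if s["logonattempts"] >= MIN_LOGON_ATTEMPTS and s["adminloads"] >= MIN_ADMIN_LOADS:
            fields = {"src": ip, "threat": threat,
                      "logonattempts": s["logonattempts"], "adminloads": s["adminloads"]}
            notables.append({"time": s["last"], "group": (ip, threat),
                             "title": TITLE.substitute(fields),
                             "description": DESCRIPTION.substitute(fields),
                             "security_domain": "threat", "severity": "critical"})
    return notables

def throttle(notables, window_seconds=600, state=None):
    """Window Duration: drop a repeat notable for the same group-by key inside the window.

    `state` persists the last emit time per group across scheduled runs
    (the cheatsheet runs the search every 2 minutes)."""
    state = {} if state is None else state
    emitted = []
    for n in sorted(notables, key=lambda n: n["time"]):
        last = state.get(n["group"])
        if last is not None and n["time"] - last < window_seconds:
            continue
        state[n["group"]] = n["time"]
        emitted.append(n)
    return emitted

if __name__ == "__main__":
    for n in throttle(correlate(ACCESS_LOG, THREAT_LIST)):
        print(n["title"])
        print("  " + n["description"])
```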
Q & A
www.splunk.com/apptitude: July 20th, 2015 submission deadline
The 6th Annual Splunk Worldwide Users’ Conference
September 21-24, 2015, The MGM Grand Hotel, Las Vegas
• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
– Get Splunk Certified
– Get CPE credits for CISSP, CAP, SSCP, etc.
– Save thousands on Splunk education!
Register at: conf.splunk.com
We Want to Hear your Feedback!
After the Breakout Sessions conclude, text Splunk to 878787 and be entered for a chance to win a $100 AMEX gift card!

Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Último

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 

Último (20)

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 

Hands-On Security Breakout Session- ES Guided Tour

Editor's Notes

  1. Introduce yourself
  2. We don’t have a ton of time and ES is quite a feature-rich product. It would take many hours to go through everything the app can do. So we’ll spend only a few minutes on some intro slides, and then the great bulk of this session will be hands-on.
  3. Now unfortunately, you do need a modern laptop with a modern browser to participate. You can probably get away with a Surface or something like that, but iPads, old browsers, and especially IBM PCjrs will not work. (Don’t laugh – I actually had one of those.)
  4. Everything I’m going through up here has been pretty well documented in a word doc. You can use the link here to get that doc, or if you’re really interested in it later come see me. You won’t need it right now though. Each of you has creds – there are 10 fairly large Amazon EC2 instances that have been provisioned for this exercise and if we’re at capacity there will be 12 of you on each. Now’s a good time to try hitting that URL and logging into Splunk.
  5. Splunk excels at creating a data fabric. Machine data: anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION, NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks, DETECT breaches, DETECT the “weird.” So if you had a place to see “everything” that happened… what would that mean for your SOC and IR teams?
  6. The Splunk platform consists of multiple products and deployment models to fit your needs: Splunk Enterprise, for on-premise deployment; Splunk Cloud, a fully managed service with a 100% SLA and all the capabilities of Splunk Enterprise, in the cloud; Hunk, for analytics on data in Hadoop; Splunk Mint, to get insights into data from mobile devices. The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
  7. We’re pretty proud of this – and by the way, for 2014 we were right around the same ranking. When Gartner compares SIEM technologies, it is the Splunk App for Enterprise Security they are looking at. We have some good company up there – all of those products are decent solutions. But they’re all quite security-focused, and any other use cases like IT ops, app dev, Internet of Things, business analytics – all of that is either nonexistent or secondary. 42% field focus – Haiyan Song, security marketing, security practice, security development, security field expertise. Used to see complement, now see replace – the 90% of the time in Splunk – why maintain the old technology if you’re not using it? A huge driver – the main driver of this – is the App for Enterprise Security…
  8. 3.3. ES 3.0 was the first release done against Splunk 6, and that was a huge step forward – mainly because of the use of CIM and accelerated data models. Unlike other competitive solutions, ES is constantly evolving – on average twice a year. Upgrades are pretty seamless. Where does content come from? All of the typical places, but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable. Splunk is more than a product – it is a wide-open platform that inspires. None of this is lost in ES – Splunk with ES is just as flexible and customizable. And it leverages technology in the core product like MapReduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem. ES has its own dev team and roadmap, dedicated support individuals, and a services practice schooled in it and other complementary infosec. Also, lots of training is available.
  9. This should look familiar to you. What we’re doing here is giving a starting point for any Security Analyst to understand at a high level what’s going on in the environment. A single pane of glass, if you will, for all security data.   Everything we are seeing here is customizable – the panels, the indicators, via standard Splunk functionality.   Most of the data on this dashboard is centered on Notable Events. Notable Events are a concept unique to Splunk with ES – there’s an entire Notable Event framework that allows us to perform simple or complex correlations, and then create events by analyzing disparate events from disparate sources.   Notable Events in ES are categorized into various high-level security domains: access, audit, identity, network, and threat. We’ll see those categories throughout the app.   You can see Splunk Sparklines here – these little green lines. These are great for detecting quick trends in the security events – a continuous line means something constant, which could be a heartbeat or a scripted attack. A spike could be a single attack or maybe just someone fat-fingering their password a few times.   We’ll drill into some of these incidents in a few minutes, but let’s continue on with our tour. How does all this data get into Splunk?
  10. We’ve just discussed that there are various security domains at play within ES. And we know Splunk can onboard a ton of data from many disparate sources, all security relevant.   But in an organization of any size, you have a lot of different sources – sometimes multiple vendors providing the same kind of data. We need a way of standardizing all of this data, and that published model (which is available outside of ES, by the way) is Splunk’s Common Information Model, or CIM.
  11. The common information model, or CIM, is absolutely key to how ES works. Case in point: you might have four different endpoint protection solutions in your environment: Symantec, Sophos, McAfee, and Trend. Each can send data to Splunk in different ways, and each identifies key data in a certain way. However they will all have similar data – in this case things like infected host, how many infections per host, the name of the infections found, etc. Well, Sophos might call the name of an infection “signature” while Symantec might call it “infection” and Trend might call it “malware name.” CIM allows ES, and any other Splunk app that leverages it, to process those fields in a standard way AT SEARCH TIME so that it’s easy to correlate disparate system data and onboard new data.   CIM does this by mapping the incoming data to fields found in a published Data Model. Data Models exist in CIM for all sorts of security relevant data: IDS, firewalls, endpoint protection, email, DNS, you name it.   CIM is free. You don’t need to buy ES to use it. And we encourage our partners to use it too: if we go back to Splunkbase and search for “fireeye add-on” you will see that the latest FireEye add-on for Splunk is, in fact, CIM compliant:
  12. So what does the data look like once it’s onboarded into Splunk in a CIM-compatible format?   Let’s look at one example in ES: Malware Center.
  13. Here we have a simple dashboard showing us all sorts of detail about recent malware activity in the environment. Like Security Posture, this is high-level information, but more granular about a certain security domain (Malware, which is under Endpoint). We have these “centers” throughout ES for things like Access, Traffic, Intrusions, Updates, Vulnerabilities, and many other security-relevant areas, and you can investigate them later. For now, let’s drill into two of the “top infections” to see CIM at work. Looking at this dashboard we can’t tell that we actually have at least two different endpoint protection systems feeding data into Splunk: Sophos, Trend Micro, and Symantec Endpoint Protection. Splunk normalizes the data at search time, according to CIM, to create this (and the other) dashboards. Click on Mal/Packer, and you’ll see that this infection was detected by Sophos. The raw logs are literally a click away:
  14. Note that in this data, Sophos calls the “signature” “EventName”, but Splunk is normalizing that to “signature” at search time, which is why we can search on it as “signature.”
  15. Two different Symantec products are feeding data to Splunk: SEP and SAV. Both call the “signature” something different, but again, Splunk normalizes this at search time. So now we understand a little more about CIM. What are the various data models in CIM that ES uses? To figure that out, let’s look at Pivot, which is a core Splunk feature allowing non-technical users to interact with a data model:
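To make the search-time normalization concrete, here is an added Python sketch (not Splunk's code and not a CIM add-on) of what a CIM mapping does for these endpoint-protection events: the raw event is never rewritten, the vendor field is simply projected onto the CIM Malware field when it is read. "EventName" for Sophos comes from the walkthrough; the Symantec and Trend field names follow the talk's own illustration, and the host/action field names, action vocabularies and sample events are constructed.

```python
from collections import Counter, defaultdict

# CIM field -> vendor field, keyed by sourcetype. "EventName" (Sophos) is from the
# walkthrough; "infection" (Symantec) and "malware name" (Trend) are the names the
# talk uses as its illustration; the dest/action vendor names are assumed.
CIM_ALIASES = {
    "sophos:threats": {"signature": "EventName", "dest": "ComputerName", "action": "Action"},
    "symantec:sep": {"signature": "infection", "dest": "Computer", "action": "Action_Taken"},
    "trendmicro:osce": {"signature": "malware name", "dest": "Hostname", "action": "Result"},
}

# Vendor action strings -> CIM Malware "action" values (assumed vendor vocabularies).
ACTION_MAP = {
    "cleaned": "blocked", "quarantined": "blocked", "deleted": "blocked",
    "cleaned by deletion": "blocked", "left alone": "allowed", "pass": "allowed",
}


def normalize(event):
    """Project one raw vendor event onto CIM fields without altering the raw fields.

    Returns a new dict: the original fields plus signature/dest/action where the
    vendor carries them. CIM fields are optional, so callers must not assume every
    normalized event has a signature.
    """
    aliases = CIM_ALIASES.get(event.get("sourcetype"))
    if aliases is None:
        return dict(event)  # not a CIM-mapped sourcetype: raw fields only
    cim = dict(event)
    for cim_field, vendor_field in aliases.items():
        if vendor_field in event:
            cim[cim_field] = event[vendor_field]
    if "action" in cim:
        cim["action"] = ACTION_MAP.get(str(cim["action"]).lower(), "unknown")
    return cim


def search(events, **criteria):
    """Filter by CIM field values across vendors, e.g. search(events, signature="Mal/Packer")."""
    return [ev for ev in map(normalize, events)
            if all(ev.get(k) == v for k, v in criteria.items())]


def top_infections(events, n=5):
    """Infections per signature across all products, like the Malware Center panel."""
    counts = Counter(ev["signature"] for ev in map(normalize, events) if "signature" in ev)
    return counts.most_common(n)


def infections_per_host(events):
    """dest -> {signature: count}; a host seen by several products is merged into one row."""
    per_host = defaultdict(Counter)
    for ev in map(normalize, events):
        if "signature" in ev and "dest" in ev:
            per_host[ev["dest"]][ev["signature"]] += 1
    return {host: dict(c) for host, c in per_host.items()}


# Constructed sample events: three products report on the same hosts.
SAMPLE_EVENTS = [
    {"sourcetype": "sophos:threats", "EventName": "Mal/Packer", "ComputerName": "ws-sales-07", "Action": "Cleaned"},
    {"sourcetype": "sophos:threats", "EventName": "Mal/Packer", "ComputerName": "ws-sales-07", "Action": "Left alone"},
    {"sourcetype": "symantec:sep", "infection": "Mal/Packer", "Computer": "ws-eng-12", "Action_Taken": "Quarantined"},
    {"sourcetype": "trendmicro:osce", "malware name": "TROJ_GEN.R002C0", "Hostname": "ws-sales-07", "Result": "Pass"},
    {"sourcetype": "symantec:sep", "Computer": "ws-eng-12", "Action_Taken": "Cleaned by deletion"},  # no signature
    {"sourcetype": "cisco:asa", "msg": "Built outbound TCP connection"},  # not a malware sourcetype
]

if __name__ == "__main__":
    print(top_infections(SAMPLE_EVENTS))
    print(infections_per_host(SAMPLE_EVENTS))
    print([e["dest"] for e in search(SAMPLE_EVENTS, signature="Mal/Packer", action="allowed")])
```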
  16. This will bring up the 29 data models that ES leverages:
  17. And as an example, let’s see what kind of fields are defined for Malware by clicking on Malware and then the down arrow next to Malware Attacks to see all of the fields in the Malware data model:
  18. Let’s do a quick pivot to show what we can do with these fields. First we’ll load up the Malware Attacks data model and change the time to last 60 minutes. Then we’ll go to an area chart which by default shows us this time period stretched out on an X axis…
  19. So these are overall malware attacks over the last 60 minutes in our environment. Let’s split out by the signatures….
  20. And once you’ve gotten the report looking the way you like it. You can save it as a report or dashboard panel.
  21. We don’t have time to go through each and every one of the dashboards in the ES app. However, let’s just see that up here under Security Domains, we have the four major ones:
  22. Access…
  23. Endpoint…
  24. Network…
  25. Identity…
  26. The more data you have flowing into Splunk and into ES, the more useful it becomes. And ES is self-auditing, to tell you which data sources you are missing:
  27. In version 3.1 of Enterprise Security we introduced a full Risk Analysis framework. This is unique because we allow you to assign an arbitrary risk number, that means something to you, based on a notable event. You can assign risk to a user, or to a system, or to some other object that you see in the environment – perhaps a particular piece of malware is considered risky to you so you elevate the risk on the malware “object” itself.   Let’s bring up the Risk Analysis page associated with Advanced Threat:
  28. The main reason why this risk framework is important is that it gets you away from writing specific rules for specific threats or assets. You don’t need 1,000 correlation rules anymore – you can simply elevate risk scores on whatever object you want, based on the behavior you’re seeing in the environment. So the idea here is: a correlation rule fires, and then a risk modifier takes effect and changes the risk score based on cumulative scoring of whatever else has happened to that user, or system, or other object. On the dashboard, we can define filters to find a particular system or user or timeframe. Note the natural-language descriptions (in the screenshot they are medium and low). We track how your overall risk scoring is doing over time, and constantly re-calculate the baseline. If there’s a lot of activity going on that isn’t “normal” for that timeframe, you might see things going from “increasing minimally” to “extremely increasing” – all based on what the historical norm is. We can of course see which objects have the highest risk and which correlation rules are contributing the most to the highest risk.
  29. Note we can assign risk ad-hoc by clicking the “Create Ad Hoc Risk Entry” button in the upper right. Now, how does the risk get assigned in a correlation search? When we go to build a correlation search, we will see that, so stay tuned.
  30. Threat intelligence is a growing field in infosec these days. There are entire companies that just offer customized threat feeds that you can subscribe to in order to understand threat artifacts in your environment and how they affect your security posture. There are open-source and community sources of threat intelligence. You may create your own threat intelligence. And you may be a member of an ISAC that offers a feed of threat intelligence specific to your industry.   Let’s go to the Threat Activity dashboard and talk a little about how Splunk handles external threat intelligence.
  31. On the dashboard we can see that we’re using the power of Splunk search to match artifacts in our incoming data against IoCs we find in our threat feeds. Splunk de-duplicates the threat feeds so that if an artifact shows up in multiple feeds you don’t get duplicate notifications. We can filter the display by threat_group, which is essentially the source of the IoCs. This could be something commercial like ThreatStream or ThreatConnect or Norse, something open-source like SANS or iblocklist, or something from your ISAC that is delivered over a TAXII feed in STIX format. The threat collection shows that we can use various IoCs to match up against artifacts in our data – IP addresses, domain names, URLs, filenames, certificate common names and organizations, email addresses, registry keys – as long as it can be defined in your incoming feed or locally, you can use it as an IoC. You can see the most active threat sources, and if you scroll down, you can see the most recent matches against your threat feeds. How are these configured? Let’s go to the configuration, and see.
  32. This is the main configuration page for the threat intelligence downloads. Most of these are simply URL grabs of files that are regularly updated, followed by some parsing to put the data into a format that Splunk can use as a lookup from the KV store. As of 3.3, Splunk natively supports TAXII feeds containing data in STIX format. It also supports OpenIOC documents. Let’s look at the SANS blocklist entry…
  33. There are a lot of options here; some of the more basic ones are the URL to grab the data from, the interval (this one is every 12 hours) and the weight. Weight is used during risk scoring – if you increase the weight here, then when IoCs from this source match in your data, the risk score assigned to that object will be higher. Note that you can create your own local threat lists and keep them updated automatically, or edit them manually. There’s one called “bad_ips” in this demo environment that we will use shortly.
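The threat-list matching and feed de-duplication from note 31, the per-feed weight from note 33 and the cumulative per-object risk scoring from note 28, as one added Python example that is not Splunk's implementation. The threat_group names follow the talk; the IoC values, weights, the contents of the local `bad_ips` list, the base risk modifier and the proxy events are constructed.

```python
from collections import defaultdict

# threat_group -> (weight, [(ioc_type, value), ...]). Values and weights are constructed;
# "bad_ips" stands in for the local list mentioned in the tour.
FEEDS = {
    "sans": (1, [("ip", "198.51.100.23"), ("domain", "bad.example")]),
    "iblocklist": (1, [("ip", "198.51.100.23")]),                        # same IP as sans
    "bad_ips": (3, [("ip", "203.0.113.77"), ("ip", "198.51.100.23")]),  # local, heavier weight
}

# Which event field is compared against which IoC type (assumed; a subset of the
# artifact types the tour lists).
FIELD_TO_IOC = {"dest_ip": "ip", "url_domain": "domain", "file_name": "filename"}

BASE_RISK = 20  # constructed risk modifier for one threat-list match


def build_threat_collection(feeds):
    """Merge all feeds into one collection keyed by (ioc_type, value).

    Each artifact appears exactly once, carrying every threat_group that lists it
    and the highest weight among them, so an IoC present in several feeds yields
    one match and one risk contribution instead of one per feed.
    """
    collection = {}
    for group, (weight, iocs) in feeds.items():
        for ioc_type, value in iocs:
            entry = collection.setdefault((ioc_type, value.lower()), {"groups": set(), "weight": 0})
            entry["groups"].add(group)
            entry["weight"] = max(entry["weight"], weight)
    return collection


def match_events(events, collection):
    """One match per (event, artifact) pair: the analogue of the Threat Activity panel."""
    matches = []
    for ev in events:
        for field, ioc_type in FIELD_TO_IOC.items():
            value = ev.get(field)
            if value is None:
                continue
            hit = collection.get((ioc_type, str(value).lower()))
            if hit:
                matches.append({
                    "src": ev["src"], "field": field, "value": value,
                    "threat_groups": sorted(hit["groups"]), "weight": hit["weight"],
                })
    return matches


def risk_scores(matches, base=BASE_RISK):
    """Accumulate risk per object (here the source host); the feed weight scales each modifier."""
    scores = defaultdict(int)
    for m in matches:
        scores[m["src"]] += base * m["weight"]
    return dict(scores)


# Constructed proxy events. 192.168.56.102 is the laptop from the walkthrough.
SAMPLE_PROXY_EVENTS = [
    {"src": "192.168.56.102", "dest_ip": "198.51.100.23", "url_domain": "cdn.example", "bytes": 1800000},
    {"src": "192.168.56.102", "dest_ip": "192.0.2.10", "url_domain": "bad.example", "bytes": 512},
    {"src": "192.168.56.40", "dest_ip": "192.0.2.11", "url_domain": "news.example", "bytes": 2048},
    {"src": "192.168.56.40", "dest_ip": "203.0.113.77", "url_domain": "203.0.113.77", "bytes": 300},
]

if __name__ == "__main__":
    collection = build_threat_collection(FEEDS)
    matches = match_events(SAMPLE_PROXY_EVENTS, collection)
    for m in matches:
        print(m)
    print(risk_scores(matches))
```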
  34. Rounding out the Threat Intelligence capabilities are the Threat Artifacts browser, which allows us to search through all of the artifacts stored in ES:
  35. And the Threat Intelligence Audit, which shows us how up-to-date our threat intelligence is and if there are any issues in downloading content:
  36. We don’t have time to go through each and every one of the advanced threat capabilities in the ES app. However, let’s just see that up here under Advanced Threat we have some very interesting capabilities: Some of the most useful ones are the Protocol Intelligence that leverages wire data from things like Splunk Stream, Netflow, and Bro. Also the Access Anomalies and User Activity, which are very useful to detect possible insider threat. And the New Domain Analysis, which analyzes traffic patterns and DNS queries to domains, and then tells you if you have devices communicating with recently registered garbage domains (that are often associated with DGA). Again – this is something you can go through on your own time.
  37. ES isn’t limited to just dashboards. There are over 300 reports that come in the product that range from simple to complex, and each can be used as is or modified as you see fit. Again, they are typically mapped to security domains.
  38. Let’s go back to close to where we started with this tour, and interact with a notable event. We’ll pretend that we have an infected system – a workstation – in our environment that has been infected with Zeus and now it is communicating with known Zeus C2 servers.
  39. We’ll start back on Security Posture.
  40. On the Top Notable Events panel (bottom left) find the event “Threat Activity Seen from Endpoint – Zeus Demo” and click it. This will lead you to Incident Review.
  41. Now what we’ve done here is adjusted the throttling. Normally you would not have the same notable event happening over and over again every 10 minutes – you might throttle so that this event happens only once per day. But for this exercise we need to have lots of the same event to play with.
  42. We will see all of the details of the event, including our most recent comments and ownership activity.
  43. So we know from the title of the event that we have a device on our network communicating out to a known bad IP address that’s a Zeus C2 address. But Splunk has enriched this event with some very useful info. We can see here that this particular machine is a laptop, and that it is owned by someone in Sales named Chris Gilbert. We see the IP addresses associated with the communication. We see the locations that this person Chris Gilbert works from. This correlation happens automatically against our ES Asset and Identity frameworks – we get the information an incident responder needs right up front.   Everything we see here is pivotable. We can go to places within ES, within Core Splunk and outside of Splunk too, and use that field as an argument. As an example, let’s drill into the arrow next to “Destination” and see what Domain Dossier has to say about this external IP address:  
  44. We can see that this netblock is assigned to an organization in China.   While there are a lot of these “workflow actions” associated with Notable Events configured already in the product, you can feel free to create custom ones.   Next, let’s understand what else has been going on with this laptop.
  45. One thing that we assume is that traffic from laptops outbound to C2 servers occurs via web proxy, at least when the laptops are on our corporate network. So we can look in our proxy logs to verify.
  46. Note that we have only one source machine (Chris Gilbert’s laptop at 192.168.56.102) communicating with this known bad IP. That’s good, at least – this doesn’t appear to be a widespread infection. Some other interesting things about this data: notice a fairly large transaction in terms of bytes. Notice also that the connection is “tcp” over port 443, not “https”, which would be considered normal.
  47. Go back to the notable event and let’s look at Asset Investigator to get a more detailed view of this possibly-infected asset:
  48. Asset Investigator shows us, at the top, all of the things we know about this asset from sources such as CMDBs or Active Directory. It also has multiple “swimlanes” that visually show you what’s been going on with the asset: We can see Threat List, Exec File, IDS, and Notable Events associated with this asset, most of those happening right around the same time (this was likely the time of infection).  
  49. Click on the Exec File Activity orange vertical bar and you’ll see details about that swimlane appear in the right panel (note you can select multiple bars by holding down Ctrl (CMD) or clicking and dragging). Note that we have a strange file here: calc.exe was running at this time, but it is running out of the user profile rather than the Windows system directory where calc.exe normally lives, so that’s a bit concerning. Click the magnifying glass to see the events underneath.
  50. These are all Microsoft Sysmon events. Sysmon is a great, free utility from Microsoft that is lightweight and runs on all modern Windows variants. We’re simply collecting this data from Sysmon into Splunk, in real time, from our workstations. It gives us granular process data that includes parent/child relationships, hash data, and network connections, among other things.  
  51. Note that the second event is that strange calc.exe event. Let’s click the small arrow to the far left of the event:
  52. And here we can see that something calling itself calc.exe was actually dropped by the PDF Reader when it opened a file, delivered by Outlook, called “2nd_qtr_2014_report.pdf.” So we’re assuming that Chris Gilbert has been spearphished in some way and opened a weaponized PDF attachment. But what’s communicating out to that malicious IP we saw in the Notable Event, 115.29.46.99? You could always just search through Sysmon data for that IP, but instead, let’s point and click our way through.
  53. Here you can see the parent-child relationships quite easily. Next click on the Image field that contains “svchost.exe” and do a “new search” from the popup that comes up:  
  54. And if you click on “DestinationIp” in the extracted fields on the left, you’ll see our malicious IP address.   We now can confirm how Chris’s machine was infected, and what processes are responsible for communicating to known-bad systems.   There are further investigations we can do in this data, for example, we can investigate email logs to figure out where the email came from, and we can update our threat intelligence feeds to block the senders and domains responsible for this spearphishing. However, in the interest of time, let’s update our incident and move on.
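The two checks made by hand in steps 49 through 54 (a known binary running from the wrong directory, and walking Sysmon parent/child links from the process that connected to the bad IP back to Outlook) can be scripted against the same kind of data. The following is an added example, not code from the Splunk app or from this deck: it runs over constructed, simplified Sysmon-style events (Event ID 1 process create and Event ID 3 network connection, rendered as key=value lines), and the PIDs, paths and the "PDF Reader" image name are assumptions made up for the walkthrough.

```python
"""Flag off-path binaries and trace who talked to a bad IP in Sysmon-style events.

Added example, not Splunk's or the deck's code. The event lines below are
constructed for illustration (Sysmon Event ID 1 = process create,
Event ID 3 = network connection), reduced to the fields the logic needs.
"""
import re

# Constructed sample events (assumption: one event per line, key=value pairs).
SAMPLE_EVENTS = r"""
EventCode=1 ProcessId=3012 ParentProcessId=2200 Image=C:\Program Files\Microsoft Office\OUTLOOK.EXE ParentImage=C:\Windows\explorer.exe
EventCode=1 ProcessId=3490 ParentProcessId=3012 Image=C:\Program Files\PDF Reader\pdfreader.exe ParentImage=C:\Program Files\Microsoft Office\OUTLOOK.EXE CommandLine="pdfreader.exe" "C:\Users\cgilbert\AppData\Local\Temp\2nd_qtr_2014_report.pdf"
EventCode=1 ProcessId=3622 ParentProcessId=3490 Image=C:\Users\cgilbert\AppData\Roaming\calc.exe ParentImage=C:\Program Files\PDF Reader\pdfreader.exe
EventCode=1 ProcessId=3710 ParentProcessId=3622 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Users\cgilbert\AppData\Roaming\calc.exe
EventCode=1 ProcessId=1180 ParentProcessId=612 Image=C:\Windows\System32\calc.exe ParentImage=C:\Windows\explorer.exe
EventCode=3 ProcessId=3710 Image=C:\Windows\System32\svchost.exe DestinationIp=115.29.46.99 DestinationPort=443 Protocol=tcp
EventCode=3 ProcessId=3012 Image=C:\Program Files\Microsoft Office\OUTLOOK.EXE DestinationIp=10.0.0.25 DestinationPort=443 Protocol=tcp
"""

# key=value tokens; values may contain spaces, so stop only at the next "key=".
KV_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

# Where these well-known Windows binaries are expected to live (assumption for the example).
EXPECTED_DIRS = {
    "calc.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}


def parse_events(text):
    """Turn the key=value lines into dicts with integer IDs."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(KV_RE.findall(line))
        ev["EventCode"] = int(ev["EventCode"])
        ev["ProcessId"] = int(ev["ProcessId"])
        if "ParentProcessId" in ev:
            ev["ParentProcessId"] = int(ev["ParentProcessId"])
        events.append(ev)
    return events


def suspicious_paths(events):
    """Process-create events whose image name is known but runs from an unexpected directory."""
    hits = []
    for ev in events:
        if ev["EventCode"] != 1:
            continue
        directory, _, name = ev["Image"].lower().rpartition("\\")
        expected = EXPECTED_DIRS.get(name)
        if expected and directory != expected:
            hits.append(ev)
    return hits


def build_tree(events):
    """Map ProcessId -> its process-create event.

    Real Sysmon data should be keyed on ProcessGuid/ParentProcessGuid instead,
    because PIDs are reused; this example keys on PID for brevity.
    """
    return {ev["ProcessId"]: ev for ev in events if ev["EventCode"] == 1}


def ancestry(tree, pid):
    """Walk ParentProcessId links upward; returns image file names, child first."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)  # guard against a PID-reuse cycle
        ev = tree[pid]
        chain.append(ev["Image"].rsplit("\\", 1)[-1])
        pid = ev["ParentProcessId"]
    return chain


def who_talked_to(events, bad_ip):
    """For each network connection to bad_ip, return (pid, parent chain of the connecting process)."""
    tree = build_tree(events)
    return [
        (ev["ProcessId"], ancestry(tree, ev["ProcessId"]))
        for ev in events
        if ev["EventCode"] == 3 and ev.get("DestinationIp") == bad_ip
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in suspicious_paths(evs):
        print("unexpected path:", ev["Image"], "pid", ev["ProcessId"])
    for pid, chain in who_talked_to(evs, "115.29.46.99"):
        print(f"pid {pid} -> 115.29.46.99, parent chain:", " <- ".join(chain))
```

The off-path check only flags binaries in its allow-list of expected locations, so it does not fire on the legitimate calc.exe in System32, and the ancestry walk stops at the first parent it has no Event ID 1 for, which is what you will see when the collection window started after explorer.exe was launched.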
  55. Go back to the incident, and edit it again. This time, change the status to Pending, the urgency to low, and add a comment that you’ll open a ticket so that the laptop can be re-imaged.
  56. This will lead you to a customized page where you can open a ticket. These types of integrations are relatively easy to build due to Splunk’s flexibility.
  57. Finally, let’s see some of the auditing that ES does of the activity carried out against Notable Events.  
  58. The recent activity that you have carried out should appear in the panels. Clicking on a reviewer’s name will bring you detail about that reviewer’s activity.
  59. To finish up, let’s do a little exercise to understand how correlation searches are created. They can be very simple, or very complex, or somewhere in between. They can be standard Splunk searches against the raw data collected by ES, or they can be against accelerated data models (and many of the standard ones are).   We learned from the exercise above that we had a brute-force attack on our web portal that resulted in the exfiltration of a sales report that was then weaponized. How about if we have a correlation search that looks for that behavior and alerts us to it?
  60. This is a search that’s been created to return any IP address where we see, over the timeframe selected, a lot of login attempts (greater than 10) followed by loads of the admin pages of the portal from that same IP. If any IP address comes back from the search, we can consider this an alertable event.
  61. Note that you could turn this into a simple Splunk alert by just doing a “save as” alert and running it regularly. But we want to see how to turn this into a Notable Event in ES.   Using your mouse, select the entire text of the search and copy it to the clipboard.
  62. And finally, I would like to encourage all of you to attend our user conference in September. The energy level and passion that our customers bring to this event is simply electrifying. Combined with inspirational keynotes and 150+ breakout sessions across all areas of operational intelligence, it is simply the best forum to bring our Splunk community together, to learn about new and advanced Splunk offerings, and most of all to learn from one another.