Using Splunk Enterprise Security Course Materials
Important! All labs must be completed for course credit.
Preventive Analysis
Breach Response
Perimeter Defense
– Zero-day investigations
• Insider threat
– Data exfiltration
– Suspicious privileged account activity
• User Behavior
– Track threatening user behavior
– Classify accounts based on privileged access
[Diagram: example attack scenario and the data sources ES correlates: threat intelligence; mail and web traffic; a download from an infected site through the web gateway and firewall; network activity/security; email; host activity/security; identity context (identity, roles, privileges, location, behavior, risk, audit scope, classification, etc.); authentication, user roles and corporate context.]
Using Splunk Enterprise Security
turn data into doing™ 12
Copyright © 2023 Splunk, Inc. All rights reserved | 31 August 2023
The Kill Chain
Attackers use the kill chain methodology to devise and implement their attacks, but defenders can also use the kill chain to counter and prevent those attacks.
Stage | Attacker Activity | ES Countermeasures
Delivery | Email, website malware, social engineering, etc. | Threat lists, vulnerability scanning, real-time monitoring, access monitoring
Exploitation / Installation | Open attachment, download from site, upload from memory stick, etc. | Protocol Intelligence, file system alerts, intrusion detection, port monitoring
Command and Control | Execute code, open/copy files, change configuration, etc. | Malware tracking, process alerts, change alerts, analytics
Accomplish mission | Upload payload to remote server, disable services, etc. | Traffic alerts, network analysis, audits
[Diagram: ES data sources and consumers]
Users: Security Auditors, SOC Staff
Vulnerability Scanners (port scanning, testing vulnerabilities): mcafee, nessus
Firewalls/Proxies: cisco-pix, pa-networks, juniper-networks, bluecoat
Intrusion Detection System (packet sniffing): snort, dragon-ids, mcafee
Production Servers (any operating system): microsoft-av, linux-secure, windows:*, access-combined
Network Capture (Stream): stream:tcp, stream:udp, stream:http
Splunk ES (events, data models)
Documentation site, Configuration tools
The details for the KI (key indicator) open in Incident Review.
Event Severity: Informational, Unknown, Low, Medium, High, Critical
Asset/Identity Priority
1. Click an item to open the related notable events in the Incident Review dashboard.
2. From the Incident Review dashboard:
a. Drill down into the details of a notable
b. Take ownership
c. Work the issue
Investigation bar
Notable Events
Note: You cannot expand an event until the search is complete. Not all incidents have all the same detail items.
1. Click Create Short ID for ES to automatically generate a short ID that makes it easier to find and share a notable event.
2. The Short ID replaces the Create Short ID link.
In addition to creating a Short ID, it enables sharing the event via a link:
• Click the Bookmark button to copy the link for sharing, or
• Click and drag the Bookmark button to your Bookmarks bar to save the link
1. Select Associations from the Time or Associations menu, and Short ID from the Associations menu.
2. Click inside the filter field and enter all or part of a Short ID (a drop-down appears and filters as you type), or click and scroll to the Short ID.
Note: You can search for one or multiple Short IDs.
3. Click Submit.
ES Admins can define and add new status values and assign values to different roles, so the statuses in your environment may differ:
• New - not yet being worked
• In Progress - analysis underway
• Pending - various: work in progress, awaiting action, etc.
• Resolved - fixed, awaiting verification
• Closed - fix verified
Note: When a notable is assigned an owner, it is tracked as an incident in the KV Store.
4. Click Save changes.
As needed, click the + icon on the Investigation Bar to view an investigation or add a new one, or click the spyglass to perform a quick search.
Investigation Bar
1. Select View all review activity for this Notable Event to open a new search showing all "review" events for the current issue.
Tip: The `incident_review` macro can be used in custom searches and reports for incident status tracking by directly accessing the KV Store.
Host Field: the event field with the host to ping (e.g., dest, src, etc.).
6. Find the Ping action in the list of Adaptive Responses, then click Ping to view the results.
Note: If there is an investigation selected in the Investigation Bar, Adaptive Responses will display an Action column with the option to add the response to the current investigation.
Note: UBA must be installed on the ES search head for this Response Action to be available.
Note: The end date is optional. If left blank, all future notable events from the dest field AND signature are suppressed.
Time Range
Action Menu
As we've seen, Correlation Searches' adaptive responses attribute risk scores to entities when something suspicious happens. Risk attributions are written to the risk index.
Enrich risk attributions by appending relevant context such as a risk score or a MITRE ATT&CK technique.
When an entity's risk score or behavioral pattern meets the predetermined threshold, a Risk Notable event is triggered.
Click an individual event for the details; expand for details.
• The risk value entered is the Risk Score: positive or negative
Important! If you are expecting to see enhanced data for a particular object, double check the configuration in the Assets & Identities Management interface.
Important! Default ess_analyst view. Users must have the edit_modinput_identity_manager capability to make changes in the A&I Management interface.
Tabs
Time range
1. Select artifact(s).
Note: Workbench will be blank until you select artifact(s) and click Explore.
2. Click Explore to display selected artifacts in the workbench. Expand panel view.
Context Panels: Risk Scores, IDS Alerts, Notable Events, System Vulnerabilities, Latest OS Updates, Computer Inventory
Endpoint Data Panels: File System Changes, Registry Activity, Process Activity, Service Activity, User Account Changes, Port Activity, Authentication Data
Network Data Panels: Web Activity, Email Data, Network Traffic Data, DNS Data, Certificate Activity, Network Session Data
Risk Panels: Risk Scores, Recent Risk Modifiers, MITRE ATT&CK Techniques, MITRE ATT&CK tactics
1. When exploring, click a value to add it as an artifact.
2. Enter details and click Add to Scope.
Investigation Bar
1. Enter a title.
2. Click to add a note; modify the time as needed (default = now).
3. Enter comments.
Note: If you create a standard note and do not check the Show on Timeline box, the note will show under Notes as a "draft" note.
4. Add attachments (text or binary format). 4MB max per file; attachments are stored in the KV Store.
Click to view notes; select a type; select items.
Select Action History, or add source events from a search result.
2. Search and/or click a username to add as a collaborator.
3. Click a collaborator initial to remove or change write permissions.
4. Select whether they have "write permission" and click Done.
investigation, the status is New
• Investigations can only be deleted by admins
• Analysts can delete investigation entries
2. Edit the Title, Status, and Description of the investigation
3. Enter a type, description and label as needed
2. Click a Value to add it as an artifact
View details
Edit or delete entries or open in Incident Review
2. Enter new title and Save
Toggle the Investigation Timeline
Investigation Timeline: Zoom, Entries, Jump to start
New malware identification
**Splunk is adding new Correlation Searches all the time. Check the Enterprise Security documentation to view the specific searches available for your version of ES.
Charts: Distribution of assets by category; Distribution of assets by priority; Distribution of assets by business unit
Asset Investigator: Examine a specific asset, such as a server or workstation, and compare events over time in parallel lanes showing different types of activity
Identity Investigator: Examine a specific identity and compare events over time in parallel lanes showing different types of activity
Access Anomalies: A survey of network activity by users, highlighting anomalous access (one user account being used multiple times)
User Activity: A survey of people and their actions, focused on watchlisted or high-risk users
Asset information
Start / End
Dragging the pan/zoom controls changes the time frame for the search and re-executes the search, showing only the activity in the selected range.
Sorted by risk
Sorted by size
View authentication attempts from different IP addresses and improbable travel anomalies using internal user credentials and location-relevant data.
HTTP Category: Explore the types of websites being accessed in the network
HTTP User Agent: Examine the web user agents being used on the network
New Domain: See what external domains are being accessed
URL Length: Examine request URLs for unusual contents
http://www.websense.com/content/support/library/web/v85/siem/siem.pdf
HTTP User Agent Analysis: Investigate user agent strings in proxy data to detect potential threats
3. To remove a highlighted or filtered field, right-click on the row and click Remove rows. In the example, the category "unknown" has been filtered out and is shaded in blue in the lookup.
4. Click Save.
Note: Events can only be "unfiltered" directly from the lookup by removing the corresponding row. (Filtered events are not visible from the UI.)
• Threat Gen searches run by default every 5 minutes and scan for threat activity related to any of the threat collections
– When threat matches are found, events are generated in the threat_activity index and appear in the Threat Intelligence data model
• The data model is scanned by the Threat Activity Detected correlation search, and new notables for threat activity are created
Use the Threat Artifact menu to search and drill down into the categories to see more details about each type of threat (Network, Endpoint, Certificate, Email)
• Tasks:
1. Review threat activity
2. Add a local IP address to the ip_intel KV Store
Protocol Center: An overview dashboard showing protocol activity across the network
Traffic Size Analysis: An analytical dashboard showing network traffic rates and trends
DNS: Dashboards showing an overview of activity of DNS queries and a search interface
SSL: Dashboards for analyzing SSL certificate activity
Email: Dashboards for analyzing email activity
[Diagram: Stream deployment]
Production servers with forwarders and the Stream add-on, or network data: capture network data and forward to indexers.
Indexers: store captured data.
Splunk ES: execute and display search results; if using the Stream app, it is installed here.
Captured data does not include message content unless specifically configured.
An exploited protocol may display a disproportionate number of connections for its service type.
https://www.splunk.com/en_us/products/mission-control.html
https://www.splunk.com/en_us/products/splunk-security-orchestration-and-automation.html
User Behavior Analytics (UBA)
• Splunk User Behavior Analytics (UBA) is a separate solution that extends your ability to detect insider threats
– Send threats and anomalies from UBA to ES to adjust risk scores and create notable events
https://www.splunk.com/en_us/products/user-behavior-analytics.html
Scorecards display a real-time summary view of your compliance with the PCI data security standard in each of the requirement areas.
Incident Review links to the dashboard filtered to notable events with governance = "pci".
• A user interface to create and edit lookups within the Splunk platform
– Provides an Excel-like interface for editing, importing, and exporting lookup files (KV store and CSV-based)
– Ensures that lookups work in Search Head Clustered environments (edits to lookups are propagated to search heads)
– Maintains a revision history for lookups that provides the capability to view or restore older lookups quickly in the interface
https://docs.splunk.com/Documentation/LookupEditor
Splunk Education Course(s) (recommended, but not required for this certification track). Either course path is acceptable
• Enterprise Support
– Access customer support by phone and manage your cases online 24 x 7 (depending on support contract)
Thank You
Note: For a list of all enabled and disabled correlation searches, remove "| where disabled=0".
Total ESCU stories
Version
Applicability to frameworks: Kill Chain, CIS Critical Security Controls, etc.
1. Click items in visualizations or use drop-downs to filter details.
Deselected Searches
TruSTAR Report: Pass-through/Original Score, Actor(s), Malware Families, Normalized Score