© 2 0 1 9 S P L U N K I N C .
Enterprise Security Biology III: Incident Review Framework
John Stoner | Principal Security Strategist
October 2019
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
John Stoner
Principal Security Strategist | @stonerpsu
20+ years kicking around databases, ISPs and cyber
4.5 years at Splunk
Creator of SA-Investigator
Co-editor and author of the Hunting with Splunk: The Basics blogs
Assist in steering the BOTS ship
Developed APT Scenario for BOTS IV
Develop workshops on hunting and investigating with Splunk
Agenda
Enterprise Security Frameworks
Correlation Searches
Notables
Incident Review
Event Sequencing & Audit
Incident Management Framework
Enterprise Security Frameworks
Threat Intelligence
Incident Management
Asset & Identity
Risk
Adaptive Response
Incident Management aka Notable Event Framework
Central to Enterprise Security
Incident Management
Threat Intelligence
Asset & Identity
Risk
Adaptive Response
Why Should I Care About IM Framework?
Practical Application of Context
Our Goal Today?
Better understand how Splunk processes notable events in Enterprise Security
Better Insight = Better Understanding = Better Troubleshooting = More Effective Use
Insert Woman’s World Cup Highlight Reel Goal
Notable Event Framework
http://dev.splunk.com/view/enterprise-security/SP-CAAAFA9
Notable Event Framework
Framework diagram (component labels recovered from the slide; the arrows between them are not):
• Enterprise Security: Incident Review, /../savedsearches.conf, index=notable, Incident Management Data Model, log_review.conf
• Lookups: incident_review_lookup, incident_review_comment_lookup, user_realnames_lookup, notable_owners_lookup, reviewstatuses_lookup, correlationsearches_lookup
• Adaptive Response Action; Other Actions (Risk, Phantom, Cisco)
• Supporting add-ons: SA-ThreatIntelligence, SA-NetworkProtection, SA-IdentityManagement, SA-EndpointProtection, SA-AuditAndDataProtection, SA-AccessProtection
• Domain add-ons: DA-ESS-ThreatIntelligence, DA-ESS-NetworkProtection, DA-ESS-IdentityManagement, DA-ESS-EndpointProtection, DA-ESS-AccessProtection
• Other Apps: DA-ESS-ContentUpdate (ES Content Updates), SA-UEBA
Why This Presentation...
Correlation Searches
Notable Event Framework (framework diagram repeated; components as listed under Notable Event Framework above)
savedsearches.conf v. correlationsearches.conf
correlationsearches.conf was deprecated in ES4.6
confcheck_es_correlationmigration.py
Threat - Correlation Searches - Lookup Gen
All searches including correlation are found in savedsearches.conf
• action.correlationsearch.enabled=1
disabled = 0
realtime_schedule = 0
Guided Search Briefly
Content Management Statistics
Responses – Notables
Notable Event Framework (framework diagram repeated, reduced to the notable-event data path: Enterprise Security, index=notable, the Incident Management Data Model and the lookups incident_review_lookup, incident_review_comment_lookup, user_realnames_lookup, notable_owners_lookup, reviewstatuses_lookup, correlationsearches_lookup)
Incident Management Data Model
Events
• Notable Events (Metadata Only)
Searches
• Notable Events
• Suppressed Notable Events
• Incident Review
• Correlation Search Lookups
– Correlation Searches
– Notable Owners
– Review Statuses
– Security Domains
– Urgencies
• Notable Event Suppressions
– Suppression Audit
– Expired Suppressions
– Suppression Eventtypes
Searching notable events: the raw index, the data model, or the `notable` macro
index=notable
| from datamodel:"Incident_Management.Notable_Events"
`notable`
Incident Review
| from datamodel:"Incident_Management.Incident_Review"
| `incident_review`
Incident Review
`notable`
| `incident_review`
Another Example: Detect New Local Admin Account - Notable
<snip>
`notable`
| `incident_review`
Incident Review
Notable Event Framework (framework diagram repeated, showing the Incident Review portion: Enterprise Security, Incident Review, /../savedsearches.conf, log_review.conf, the Incident Management Data Model and the lookups incident_review_lookup, incident_review_comment_lookup, user_realnames_lookup, notable_owners_lookup, reviewstatuses_lookup, correlationsearches_lookup)
Urgency Calculation
Customizing Incident Review - log_review.conf
Customizing Incident Review
Config -> Incident Management -> Incident Review Settings
Adding Fields to Incident Review
Correlation Search Example: Process Execution via WMI
Notable Event Suppression
Incident Review & Configure -> Notable Event Suppressions
Notable Event Suppression
Event Sequencing and Audit
Event Sequencing
Group correlation searches into batches of events, either in a specific sequence, by specific attributes, or both
The Event Sequencing Engine runs as an indexed real-time search and listens for incoming notable events and risk modifiers that are triggered by correlation searches
Stored in the sequence_templates.conf file
Initial Configuration
Requires the edit_sequence_template capability
• ES assigns the capability to the ess_admin role
Testing Your Event Templates
`execute_sequence_template(template_name, false)`
Incident Review Audit
Suppression Audit
Notable Event Framework (framework diagram repeated in full; components as listed under Notable Event Framework above)
Helpful Links
Splunk Security Essentials – More Ideas for Correlation Searches
• https://splunkbase.splunk.com/app/3435/
ES Content Update
• https://splunkbase.splunk.com/app/3449/
Tutorial – Create a Correlation Search
• https://docs.splunk.com/Documentation/ES/5.3.1/Tutorials/CorrelationSearch
Incident Management/Notable Event Framework
• http://dev.splunk.com/view/enterprise-security/SP-CAAAFA9
Enhancing Incident Review
• http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/
Upgrades after 4.5 – Saved Search v Correlation Search
• https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Upgradecorrelationsearches
Modifying the Incident Review Page
• https://www.splunk.com/blog/2019/02/15/modifying-the-incident-review-page.html
Closing Thoughts
1. Incident Management Framework drives Notable Events
2. Good deal of flexibility to handle how you deal with different notables and what the analyst sees
3. Ensure your notables are high fidelity before leveraging event sequencing
4. Suppression provides a trackable method to handle noisy notables but action is required!
Thank You!
Go to the .conf19 mobile app to RATE THIS SESSION
Appendix
Correlation Search Mapping to .conf file
action.correlationsearch.label
request.ui_dispatch_app
description
search
action.escu = 0
action.escu.enabled = 1
action.escu.creation_date = 2018-03-26
action.escu.modification_date = 2018-03-26
action.escu.asset_at_risk = Windows
action.escu.channel = ESCU
action.escu.confidence = medium
action.escu.eli5 = This search looks for Windows Event Code 4720 (account creation) and 4732 (account added to a security-enabled <snip>
action.escu.how_to_implement = You must be ingesting Windows Security logs. You must also enable the account change auditing <snip>
action.escu.full_search_name = ESCU - Detect New Local Admin account
action.escu.mappings = {"mitre_attack": ["Valid Accounts", "Defense Evasion", "Persistence"], "kill_chain_phases": ["Actions on Objectives", "Command and Control"], "cis20": ["CIS 16"], "nist": ["PR.AC", "DE.CM"]}
action.escu.known_false_positives = The activity may be legitimate. <snip>
action.escu.search_type = detection
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["DHS Report TA18-074A"]
dispatch.earliest_time = -1440m@m
dispatch.latest_time = -5m@m
cron_schedule = 0 9 * * *
schedule_window = auto
schedule_priority = higher
counttype = number of events
relation = greater than
quantity = 0
alert.suppress = 1
alert.suppress.period = 86400s
alert.suppress.fields = user
action.notable = 1
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.risk = 1
action.risk.param._risk_score = 40
action.risk.param._risk_object = user
action.risk.param._risk_object_type = system
action.risk.param.verbose = 0
action.notable.param.rule_title = New local admin account $user$ created by $src_user$.
action.notable.param.rule_description = The new user account $user$ was created on $dest$ by $src_user$.
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.default_owner = abluebird
action.notable.param.default_status = 2
action.notable.param.drilldown_name = View All Local Admin Accounts
action.notable.param.drilldown_search = sourcetype=wineventlog:security (EventCode=4732 Group_Name= Administrators) | table _time user dest EventCode Security_ID Group_Name src_user Message
action.notable.param.drilldown_earliest_offset = 86400
action.notable.param.drilldown_latest_offset = 21600
action.notable.param.investigation_profiles = {"profile://Admin Issues":{}}
action.notable.param.extract_assets = ["src","dest","dvc","orig_host"]
action.notable.param.extract_identities = ["src_user","user"]
action.notable.param.next_steps = {"version":1,"data":"Recommended following steps:\n\n1. [[action|escu_contextualize]]: Based on ESCU context gathering recommendationsect:\n -ESCU - Get Authentication Logs For Endpoint\n <snip>
action.notable.param.recommended_actions = escu_contextualize,escu_investigate,runphantomplaybook
action.notable.param.next_steps = {"version":1,"data":"Recommended following steps:\n\n1. [[action|escu_contextualize]]: Based on ESCU context gathering recommendationsect:\n <snip> - ESCU - Get Risk Modifiers For User\n - ESCU - Get User Information from Identity Table\n\n2. [[action|escu_investigate]]: Based on ESCU investigate recommendations:\n - ESCU -Get Parent Process Info\n - ESCU - Get Process Info\n"}
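The appendix stanza reassembled into a checkable form. This is an added example, not Splunk's or the presenter's code: it parses a savedsearches.conf stanza with Python's configparser and reports the settings the slides walk through (search window, throttling, notable parameters, drilldown offsets, risk action). The stanza header is assumed, since the slides show only action.escu.full_search_name, values cut with <snip> on the slides are omitted, and the "identity field typed as system" check is a heuristic of this example.

```python
"""Lint an Enterprise Security correlation-search stanza from savedsearches.conf.

Added example (not Splunk's code). Parses the key = value lines of a stanza and
reports schedule window, throttling, notable parameters, drilldown offsets and
the risk action, as walked through on the appendix slides.
"""
import configparser
import re

# Constructed from the appendix slides. The stanza header is assumed (the
# slides show only action.escu.full_search_name); <snip> values are left out.
SAMPLE_STANZA = """\
[ESCU - Detect New Local Admin account - Rule]
action.correlationsearch.enabled = 1
disabled = 0
realtime_schedule = 0
dispatch.earliest_time = -1440m@m
dispatch.latest_time = -5m@m
cron_schedule = 0 9 * * *
alert.suppress = 1
alert.suppress.period = 86400s
alert.suppress.fields = user
action.notable = 1
action.notable.param.rule_title = New local admin account $user$ created by $src_user$.
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.default_status = 2
action.notable.param.drilldown_earliest_offset = 86400
action.notable.param.drilldown_latest_offset = 21600
action.risk = 1
action.risk.param._risk_score = 40
action.risk.param._risk_object = user
action.risk.param._risk_object_type = system
"""

_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_REL = re.compile(r"^(-?)(\d+)([smhdw])(?:@\w+)?$")
SEVERITIES = {"informational", "low", "medium", "high", "critical"}


def parse_stanzas(text):
    """Return {stanza_name: {key: value}}; backslash-continued lines are not handled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. action.notable.param.rule_title
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def relative_seconds(expr):
    """Signed seconds for a Splunk relative time such as '-1440m@m' (snap ignored)."""
    m = _REL.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported relative time: {expr!r}")
    secs = int(m.group(2)) * _UNIT[m.group(3)]
    return -secs if m.group(1) else secs


def period_seconds(value):
    """Seconds for alert.suppress.period: '86400s', '24h', '1d' or bare seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported period: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]


def lint_correlation_search(stanza):
    """Summarise one stanza; return (summary dict, list of finding strings)."""
    get, summary, findings = stanza.get, {}, []
    if get("action.correlationsearch.enabled") != "1":
        findings.append("not a correlation search: action.correlationsearch.enabled != 1")
    if get("disabled", "0") != "0":
        findings.append("search is disabled")
    if "dispatch.earliest_time" in stanza and "dispatch.latest_time" in stanza:
        summary["search_window_s"] = (relative_seconds(stanza["dispatch.latest_time"])
                                      - relative_seconds(stanza["dispatch.earliest_time"]))
    if get("alert.suppress") == "1":
        fields = [f.strip() for f in get("alert.suppress.fields", "").split(",") if f.strip()]
        if not fields:
            findings.append("throttling without alert.suppress.fields silences the whole "
                            "search for the period instead of throttling per field value")
        summary["suppress_fields"] = fields
        summary["suppress_period_s"] = period_seconds(get("alert.suppress.period", "0"))
    if get("action.notable") == "1":
        for key in ("rule_title", "security_domain", "severity"):
            if not get(f"action.notable.param.{key}"):
                findings.append(f"notable action lacks action.notable.param.{key}")
        sev = get("action.notable.param.severity", "")
        if sev and sev not in SEVERITIES:
            findings.append(f"unknown severity {sev!r}")
        # Drilldown window around the notable's time: seconds before, seconds after.
        summary["drilldown_window_s"] = (
            -int(get("action.notable.param.drilldown_earliest_offset", "0")),
            int(get("action.notable.param.drilldown_latest_offset", "0")))
    if get("action.risk") == "1":
        obj = get("action.risk.param._risk_object")
        obj_type = get("action.risk.param._risk_object_type")
        summary["risk"] = (int(get("action.risk.param._risk_score", "0")), obj, obj_type)
        # Heuristic of this example: an identity field scored as a 'system' object is a slip.
        if obj in {"user", "src_user"} and obj_type != "user":
            findings.append(f"risk object {obj!r} has _risk_object_type {obj_type!r}; confirm")
    return summary, findings
```

Run against the sample, the summary shows a 86100 s search window, per-user throttling for 86400 s and a drilldown spanning 24 h before to 6 h after the notable, with one finding on the risk object type.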