Professional Documents
Culture Documents
Enabled SOC - SIEM Use Cases (PDFDrive)
Enabled SOC - SIEM Use Cases (PDFDrive)
The
Analy<cs-‐Enabled
SOC
>
SIEM
Use
Cases
Fred
Wilmot
(CISSP)
Director,
Global
Security
Prac<ce
Sanford
Owings
Principle
Consultant,
Splunk
Services
Disclaimer
During
the
course
of
this
presenta<on,
we
may
make
forward
looking
statements
regarding
future
events
or
the
expected
performance
of
the
company.
We
cau<on
you
that
such
statements
reflect
our
current
expecta<ons
and
es<mates
based
on
factors
currently
known
to
us
and
that
actual
events
or
results
could
differ
materially.
For
important
factors
that
may
cause
actual
results
to
differ
from
those
contained
in
our
forward-‐looking
statements,
please
review
our
filings
with
the
SEC.
The
forward-‐looking
statements
made
in
the
this
presenta<on
are
being
made
as
of
the
<me
and
date
of
its
live
presenta<on.
If
reviewed
aVer
its
live
presenta<on,
this
presenta<on
may
not
contain
current
or
accurate
informa<on.
We
do
not
assume
any
obliga<on
to
update
any
forward
looking
statements
we
may
make.
In
addi<on,
any
informa<on
about
our
roadmap
outlines
our
general
product
direc<on
and
is
subject
to
change
at
any
<me
without
no<ce.
It
is
for
informa<onal
purposes
only
and
shall
not,
be
incorporated
into
any
contract
or
other
commitment.
Splunk
undertakes
no
obliga<on
either
to
develop
the
features
or
func<onality
described
or
to
include
any
such
feature
or
func<onality
in
a
future
release.
2
Fred
Wilmot
|
Director,
Global
Security
Prac<ce
(fred|Securityczar)@splunk.com
• Strategy
§ Drives
Security
Prac<ce
Strategy
globally
§ Works
on
Splunk’s
hardest
Security
Use
Cases
§ Visualiza<on
and
Analy<cs
using
Splunk
§ Solves
strategic
product/implementa<on
challenges
• Research
Minister
of
Silly
Walks
• Digital
Forensics
/Assessment
Tools
“Electric
Mayhem”
@fewdisc
• Social
Risk/User
behavior
modeling
• ML/Advanced
Sta<s<cal
Analysis
• Threat
Intelligence
• Product
§ Influence
product
strategy
for
security
content
and
features
in
the
field
and
through
the
factory.
3
Sanford
Owings|
Principal
Consultant,
Splunk
Services
sowings@splunk.com
Sanford
Owings
(Sowings)
began
his
compu<ng
career
in
1990
in
a
word
processing
lab
with
network
administra<on
on
PCs
and
various
flavors
of
Unix.
A
computer
science
educa<on
at
Berkeley
(with
more
system
and
network
administra<on
thrown
in)
showed
him
the
light
twenty
years
later.
sowings
Sanford
began
using
Splunk
in
early
2010,
working
to
integrate
it
as
an
(muppet
disguise)
OEM
repor<ng
solu<on
into
an
email
appliance.
Since
March
2012,
he
has
worked
as
a
member
of
the
Professional
Services
team
at
Splunk,
leveraging
his
development
background
while
assis<ng
customers.
In
his
free
<me,
he
enjoys
spending
<me
with
his
wife
Erin,
cooking,
cycling
and
traveling.
4
Agenda
" Why
do
we
use
SIEMs?
" How
to
Achieve
these
‘SIEM’
use
cases?
" Security
Maturity
Model:
How
do
I
get
there?
" Where
do
we
Start?
" Ques<ons?
" Appendix
5
Why
do
we
use
SIEMS?
Not
Really…
But
we
may
feel
that
way
because
we
don’t
really
know
what
problem
we
are
solving,
we
don’t
have
the
right
people,
or
process
to
leverage
our
technology.
Lack
of
internal
knowledge
leads
to
external
guidance…
Gartner
SIEM
MQ
2014
AccelOps
“…the
rise
in
successful
Product/Service Rating
targeted
a/acks
has
caused
a
growing
number
of
Real-Time Monitoring 3.50 3
2013
organiza<ons
to
use
SIEM
for
threat
management
to
Threat Intelligence 3.00 3
improve
security
monitoring
and
early
breach
detec<on”
Behavior Profiling 2.50 3
2012
Data and User Monitoring 2.97 2
8
What
capabili<es
are
you
looking
for
from
SIEM?
9
Why
Splunk
Compared
to
SIEM
Legacy
SIEM
Splunk
10
Be
Pragma<c,
not
Dogma<c.
Be
prepared
to
challenge
your
asser<ons
if
you
want
to
mature
your
opera<ons
11
Top
Five
Splunk
Security
Use
Cases
More
than
a
SIEM;
a
Security
Intelligence
Pla5orm
Real-‐<me
Real-‐<me
Incident
Security
&
Monitoring
of
Monitoring
of
Inves<ga<ons
Compliance
Fraud
detec<on
Known
Unknown
&
Forensics
Repor<ng
Threats
Threats
12
Moving
Past
SIEM
to
Security
Intelligence
15
A
Methodology
for
Analy<cs-‐Enabled
SOC:
Map
the
Business
to
the
Threat
Model
What
does
the
business
care
about?
• Market
Sen<ment?
• Fraud?
• Denial
of
Service?
• Intellectual
property
theV?
• Sensi<ve
data/customer
data
leak?
• Brand
reputa<on?
• Industrial
sabotage?
• Corporate
espionage?
16
A
Methodology
for
Analy<cs-‐Enabled
SOC:
Construct
a
Hypothesis
• How
could
someone
gain
access
to
data
that
should
be
kept
private?
• What
could
cause
a
mass
system
outage
does
the
business
care
about?
• How
could
we
find
exfiltra<on
of
sensi<ve
informa<on
if
it
was
happening?
17
A
Methodology
for
Analy<cs-‐Enabled
SOC:
It’s
about
the
Data
• What
visibility
do
we
need?
• For
data
exfiltra<on,
start
with
URLs.
• DNS
requests,
proxy
logs,
web
logs,
mail
logs
• Beg,
borrow,
and
steal
SME
exper<se
from
system
owners
18
A
Methodology
for
Analy<cs-‐Enabled
SOC:
Data
Evalua<on
• For
data
exfiltra<on,
start
with
what’s
normal
and
what’s
not
(create
a
sta<s<cal
model)
• How
do
we
‘normally’
behave?
• What
paoerns
would
we
see
to
iden<fy
outliers?
• Look
for
other
paoerns
based
on
uniqueness,
frequency,
periodicity,
volume,
dura<on,
newness,
dura<on,
locality,
etc.
19
Spoiler
Alert!
DNS
Exfiltra<on
Indicators
• 1)
Look
@
all
DNS
traffic
for
mul<ple
levels
of
DNS
strings.
look
for
hexadecimal
strings.
• 2)
Look
for
this
3rd
level
to
be
less
than
40
bytes
in
length...
like
*.domain.com,
where
*
is
longer
than
40
bytes
• 3)
Look
for
mul<ple
DNS
Name
lookups
to
sketchy
foreign
domains,
and
look
at
the
frequency
in
a
short
<me
span.
• 4)
DNS
TXT
or
SRV
record
queries
to
any
foreign
or
high
entropy
domains
• 5)
ANY
DNS
response
to
a
loopback
or
RFC
1918
space/bogon
space.
(5.0.0.0/8,
10.0.0.0/8,
192.168.0.0/16,
172.16.0.0/12)
could
indicate
a
C2
channel
• 6)
Look
for
mul<ple
DNS
queries
to
the
same
non-‐obvious
or
foreign
domain
during
off-‐hours
<mes
in
the
office
=
check
for
frequency,
and
periodicity.
• 7)
DNS
queries
to
dynamic
DNS
providers
(like
OpenDNS)
• 8)
DNS
queries
not
followed
by
a
proxy
request
for
connec<on
• 9)
Iden<fy
recurring
interval
or
beaconing
following
any
of
the
above
(zero
variance
behavior)
• 10)
Look
for
Teredo
IPv6
addresses
• 11)
Look
for
large
TXT
or
NULL
payloads
(tunneling),
and
TXT
that
isn’t
7-‐bith
clean
• 12)
Look
for
CNAME
chains
if
they
resolve
internally
• 13)
look
for
changes
in
authorita<ve
name
servers
and
their
IP
addresses
as
well.
20
A
Methodology
for
Analy<cs-‐Enabled
SOC:
Analysis
+
context
• Increase
in
business
communica<ons
overseas?
• Does
your
sta<s<cal
model
need
to
change
due
change,
business
growth,
or
volume
of
data?
• Implemented
a
new
service
or
applica<on?
• Added
employees
overseas?
• Enriching/synthesizing
outliers
with
visualiza<ons?
21
Need
to
Connect
the
“Data-‐dots”
to
See
the
Whole
Story
Delivery,
exploit
Gain
trusted
Upgrade
(escalate)
Data
Gathering
ExfiltraRon
Persist,
Repeat
Persist,
Repeat
installaRon
access
Lateral
movement
Aoacker, know relay/C2 sites, infected sites, IOC, Subscrip<on feeds Internal black lists
LDAP,
Access
level,
privileged
users,
likelihood
of
infec<on,
Ac<ve
Directory,
Asset
databases
where
they
might
be
in
kill
chain
Authen<ca<on,
CMBD,
…
Auth
-‐
User
Roles,
SSO
inventory,
Corp
Context
22
Methodology
Par<ng
Thoughts
Security
Intelligence
requires
tradiRonal
IT
data
sources,
not
just
security
technology.
25
Honest
Ques<ons,
Honest
Answers
" What
is
the
talent
level
of
my
(Security)
team?
" Do I have exis<ng mature skill sets I can leverage/need to keep?
" Am
I
building
a
Security
Organiza<on
for
Hun<ng
and
Advanced
Threats,
or
doing
what
I
can
with
the
team/resources
I
have?
" Can I be successful implemen<ng new processes around this methodology?
26
How
Do
I
Determine
My
Maturity
Level?
Pre-‐Engagement
Posture
Discussion
" What
is
your
current
SecOps
model?
– Insourced/outsourced/hybrid?
– Incident
Response
plan?
BIA?
– what
do
you
when
you
find
something
significant?
27
How
Do
I
Determine
My
Maturity
Level?
(cont’d)
Content
Strategy
– Data
Acquisi<on
mapped
to
threats/use
cases
– Response
by:
Alerts/repor<ng/integra<on
– Manifest
process
and
methodology
into
technology
– “How
will
I
implement
my
playbook?”
Post-‐Engagement
EvaluaRon
– Does
the
work
we
did,
translate
to
reducing
business
Risk?
– Is
it
measurable?
– Does
it
enable
Security
team
to
iterate
and
automate?
– Does
it
move
the
organiza<on
up
the
Security
Maturity
Model?
28
Talent
Capability
Model
Scale
29
Cyber
Opera<ons
Model
Forensics
and
Incident
Audit
Incident
Applica<on
Root
Cause
Response
Repor<ng
and
Handling
Security
Design
Analysis
Process
Assessment
Monitor
Fraud
and
Secure
Coding
&
Network
Security
Collabora<on
Technologies
TheV
Analysis
Development
Security
Design
Itera<on
Counter
Malware
Behavioral
Vulnerability
Intelligence
Analysis
Analysis
Automa<on
Remedia<on
Threat
Cyber
Network
Threat
Cyber
Network
Modeling
Defense
Intelligence
Offense
REACTIVE PROACTIVE
30
Cyber
Opera<ons
Model
AutomaRon
IteraRon
Machine-‐<me
response
Threat
Modeling,
Triage
using
machine
Intelligence
Gathering,
data
and
context
Research,
hun<ng
CollaboraRon
In
order
to
gain
a
CollaboraRon
Communica<on
Incident
Response
complete
view
of
OperaRonal
Security,
Automa<on
Forensic
analysis
we
need
to
see
the
Operate
on
machine
Itera<on
data
and
Threat
iteraRon
of
Counter
Intelligence
Intelligence
in
Monitoring
Incident
Response
31
Security
Intelligence
combines
methodology,
technology,
collabora<on
as
context
for
smarter
security
decisions
32
Where
do
we
start?
Integra<on
Examples
Maturity
Model
Type
Integra<ons
1) I
have
no
visibility
into
my
data,
and
I
need
to
operate
on
that
data
2) I
have
a
SIEM,
it
doesn’t
do
what
I
want.
I
need
to
augment
with
visibility
and
context
3) I
have
visibility,
and
context,
I
need
threat
intelligence
and
workflow
and
integra<on
4) I
don’t
have
a
SIEM,
but
I
also
don’t
have
any
resources
to
do
that
Lets
look
at
an
MSSP
that
supports
your
threat
profile
Applica<on
Performance
Monitoring,
Security
Analysts
35
Applica<on
Performance
Monitoring,
•
workflow
opRons
for
Splunk-‐to-‐ESM
data
flow:
Logger
Using
Splunk
Forwarders
for
na<ve
log
consump<on
3. Splunk
alerts
to
ArcSight
ESM
via
SNMP
trap,
e-‐mail,
web
services
37
Applica<on
Performance
Monitoring,
38
Adding
Context
Faster/Beoer
Decisions
with
Context
Online
Services
Web
Ad
hoc
Monitor
Report
and
Custom
Developer
Services
search
and
alert
analyze
dashboards
Placorm
Security
GPS
Servers
Loca<on
Packaged
Applica<ons
Desktops
Networks
Real-‐Rme
Storage
Custom
Machine
Data
Messaging
Applica<ons
Telecoms
RFID
External
Lookups
Online
Energy
Shopping
Meters
References
–
Coded
fields,
mappings,
aliases
Cart
Databases
Dynamic
informaRon
–
Stored
in
non-‐tradi<onal
formats
Call
Detail
Web
Records
Environmental
context
–
Human
maintained
files,
documents
Clickstreams
System/applicaRon
–
Available
only
using
applica<on
request
Smartphones
and
Devices
Intelligence/analyRcs
–
Indicators,
anomaly,
research,
white/blacklist
AND
MORE…
40
Encoded
log
with
threat
and
asset
context
Asset
#
IP
Address
File
code
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 -
10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML,
Log
Code
like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
41
Encoded
log
with
threat
and
asset
context
Asset
#
IP
Address
File
code
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 -
10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML,
Log
Code
like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
✓
42
Encoded
log
with
threat
and
asset
context
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 -
10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML,
Log
like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
43
Automate
Context:
IOC
lookups
-‐
Filename
44
Automate
Context:
IOC
lookups
-‐
CIDR
45
Adding
Intelligence
Internal
Threat
Intelligence
Context
for
Security
47
External
Threat
Intelligence
Consumable
Sources
• OSINT
(free
Sources)
• Palo
Alto
Wildfire
• Dell
SecureWorks
• Crowdstrike
• Verisign
iDefense
• AlienVault
OTX
• Symantec
Deepsight
• RecordedFuture
• McAfee
Threat
Intelligence
• Team
Cymru
• SANS/Whitelist/Blacklist
• ISACs
or
US-‐CERT
• CVEs
CWEs,
OSVDB
(Vulns)
• FireEye/Mandiant
• iSight
Partners
• Vorstack
• ThreatStream
• cyberUnited
• ATLAS
• ThreatGrid
• ThreatConnect
• ZeroFox
• Farsight
• Norse
CorporaRon
48
External
Threat
Intelligence
Integra<on
import
hoplib,
urllib
params
=
urllib.urlencode({'apikey':
'f6dbdee2dc8c6118933b90178657877cc2cede3023ce0eba4xxxxxxxxxxxxxxx',
'ip':
’46.229.160.7',
'method':
'ipview'})
#headers
=
{"Content-‐type":
"applica<on/x-‐www-‐form-‐urlencoded",
"Accept":
"text/plain"}
headers
=
{"Content-‐type":
"applica<on/x-‐www-‐form-‐urlencoded",
"Accept":
"applica<on/json"}
conn
=
hoplib.HTTPConnec<on("us.api.ipviking.com:80")
conn.request("POST",
"/api/",
params,
headers)
response
=
conn.getresponse()
print
response.status,
response.reason
data
=
response.read()
print(data)
Most
IntegraRons
are
APIs
or
Modular
Inputs
–
EASY!
conn.close()
49
External
Threat
Intelligence
50
51
Raw
IOC
Not
Easy
52
53
Context+Threat
Intelligence:TLD
against
GeoIP
How
would
I
find
all
the
URLs
by
their
Top
Level
Domain,
and
compare
them
with
their
geoloca<on
to
validate
they
are
legi<mate
on
a
map?
54
Matching
against
TLD
&
GeoIP
sourcetype=bluecoat
url=*
|
lookup
faup
url
|
fields
url_domain
url_tld
|
geoip
url_domain
|
eval
url_domain_country_code=lower(url_domain_country_code)
|
eval
tld_match=if(url_tld
==
url_domain_country_code,
"true",
"false")
#Run
FAUP
as
a
lookup
across
all
bluecoat
URLS
#generate
the
geoloca<on
telemetry
for
url_domain
#determine
if
the
url
country
code
is
=
to
the
TLD
Now,
show
me
on
the
map
where
they
are…
55
56
Ques<ons?
Some
Content
For
You
• Archer
Integra<on
Technology
add-‐on
template
• Scripts
for
<cket
system
aler<ng
59
Thank
you!
@SplunkSec
security@splunk.com
Appendix
• Provide
custom
arguments
to
Nmap
scan
in
addi<on
to
preset
scan
arguments
• Whitelist
to
exclude
sensi<ve
hosts
from
scans
• Block
specific
vulnerabili<es
scoring
on
a
host
specific
and
global
level
• Schedule
and
automate
database
updates
and
network
scans
based
on
your
network
needs
Summary
• Automate
vulnerability
database
aggrega<on
• Schedule
scans
and
database
updates
• Whitelist
machines
sensi<ve
to
scans
• Mul<ple
scan
intensity
op<ons
including
custom
arguments
for
VoIP,
printers,
and
other
sensi<ve
systems
• Integra<on
with
Enterprise
Security
assets
model
• Appends
fields
to
exis<ng
assets.csv
• Create
new
assets.csv
based
on
scan
• Calculated
Risk
priori<za<on
score
• Risk
%
=
Δ
Risk
Score
/
Gold
Standard
• Risk
Score
=
Σ
(CVSS
severity
/(Current
Year
–
Release
Year))
SIEM
Augmenta<on:
SplunkSight
Splunk
>
Arcsight
Delivering
Context
to
CEF
for
Analy<cs-‐driven
Security
OUTPUT
RAW
DATA
INDEXED
IN
TECHNOLOGY
COMMON
DATA
MODELS
SEARCH
SPLUNK
ADD-‐ONS
EVENT
FORMAT
OVER
TCP
75
Why
Splunk
app
for
CEF?
• For
many
data
sources,
dual
feeding
both
Arcsight
and
Splunk
,
the
same
events
is
not
feasible
• Splunk
App
for
CEF
enables
CEF-‐formaoed
output
based
on
search
results
in
Splunk
• Field
mappings
from
Splunk
CIM
to
Arcsight
CEF
make
configura<on
easy
76
Inside
SplunkSight
Use
Common
Informa<on
Model
and
pre-‐indexed
keys
OUTPUT
RAW
DATA
INDEXED
IN
TECHNOLOGY
COMMON
INDEX
PIPELINE
SPLUNK
ADD-‐ONS
EVENT
FORMAT
OVER
TCP
77
Why
SplunkSight?
• Scaling
your
CEF
output
structure
should
scale
with
Splunk
architecture
• SplunkSight
enables
CEF
formaoed
output
based
indexed
fields
in
Splunk
• SplunkSight
uses
TCPOUT
to
process
events
directly
on
each
indexer
• Index
and
sourcetype
filters
enable
flexibility
• Field
mappings
from
Splunk
CIM
to
Arcsight
CEF
make
configura<on
easy
78
Integra<on
Challenges
• Splunk
currently,
cannot
send
CEF
data
directly
to
Arcsight
ESM
at
scale,
or
index
<me.
• Logger
agents
tend
to
lose
data
in
transla<on
via
Snare
and
syslog
• Splunk
forwarders
are
not
distributed
across
the
en<re
infrastructure
to
capture
raw
windows
events
• Target’s
challenge
is
100%
visibility,
and
ubiquity
in
their
collec<on
environment
for
host
data
collec<on
• single
agent
to
feed
both
their
collec<on
and
correla<on
technology.
79
SplunkSight
Designed
to
be
Highly
scalable
• Located
on
each
Indexer
as
a
separate
socket-‐ized
process
• Mul<-‐threaded
process
to
deal
with
scale
• Operates
at
index-‐<me
as
opposed
to
search-‐<me
• Does
not
impact
the
parsing
or
indexing
queues
in
indexing
pipeline
• Does
not
directly
impact
search
behaviors
or
search
pipeline
performance
80
SplunkSight
Designed
to
be
easily
configurable
• Enable
mapping
from
CIM
to
CEF
in
a
.csv
file
• Designed
to
work
with
metadata
wrioen
at
index
<me
using
Technology
Add-‐on
framework
• Allows
Target
to
specify
specific
fields
to
consume
in
Splunk
for
consump<on
in
ESM
• Manageable
via
the
deployment
server
81
Current
Architecture
Challenge
ArcSight
Architecture
aoed
form
g
CEF
Syslo
82
Architecture
with
SplunkSight
Real-‐Rme
Machine
Data
SplunkSight
CEF
formaoed
83
How
it
Works
• Communica<on
from
forwarder
– We
configure
the
forwarder
to
send
data
to
the
Splunk
Indexer,
as
you
have
currently
deployed
Splunk
today.
– For
data
types
requiring
transforma<on
at
index
<me
(either
on
a
Heavy
Forwarder,
or
on
the
Indexer)
we
send
either
Cooked
or
Uncooked
data.
– The
indexer
listens
on
9997
as
usual,
receives
data
into
Splunk
and
consumes
it.
84
How
it
Works
• Communica<on
from
indexer
to
SplunkSight
– The
Splunk
Indexer
sends
via
outputs.conf,
data
to
SplunkSight,
which
lives
on
a
configurable
socket
on
the
indexer
(we
are
using
9996
as
example)
– We
are
sending
data
using
our
TCPOUT
op<on
in
our
proprietary
S2S
protocol,
which
allows
us
to
field
map,
and
transform
data
into
CEF
Output.
85
How
it
Works
• Sending
data
to
Arcsight
ESM
– Defined
in
splunksight.conf
Splunksight.conf
– Output
is
UDP
syslog
[daemon]
– SplunkSight
runs
as
a
service
and
includes
a
few
listen_ip
=
0.0.0.0
python
processes:
listen_port
=
9996
ê Process.py
log_file
=
/tmp/splunksight.log
ê Cefobjec<zer.py
pid_file
=
/tmp/splunksight.pid
ê Daemon.py
log_type
=
standard
ê U<ls.py
ê Read-‐conf.py
[syslog]
proto
=
udp
ê Splunksightsyslog.py
dest_ip
=
x.x.x.x
ê Splunksight.py
dest_port
=
514
86
How
it
Works
• Configuring
SplunkSight
Splunk_TA_Windows
– Requires
WRITE_META
=
true
for
Technology
add-‐ons
(This
creates
an
indexed
field),
fields
Transforms.conf
and
props
configura<on.
[Target_Server_Name_as_dest]
– Provide
mapping
of
CIM
(Splunk)
fields,
to
CEF
SOURCE_KEY
=
Target_Server_Name
(Arcsight)
fields
i.e.
default.csv
REGEX
=
([\\]+)?([^-‐].*)
WRITE_META
=
True
Default.csv
FORMAT
=
dest::"$2”
#cim,cef
dest,CEF_dest
Fields.conf
session_id,CEF_session_id
[dest]
dest_nt_host,CEF_dest_host
INDEXED
=
true
src_ip,src
dest_ip,dst
src_port,spt
87
How
it
Works
• Configuring
SplunkSight
Splunksight.conf
– Enables
filtering
based
on
Sourcetypes
and
indexes.
By
default,
we
remove
all
the
_*
[filters]
indexes
indexes_to_discard
=
_internal
_introspec<on
– Can
configure
whether
we
send
ALL
data,
_thefishbucket
_audit
_blocksignature
or
just
metadata
#sourcetypes_to_discard
=sourcetype::syslog
sourcetypes_to_discard
=sourcetype::sep::risk
88
CEF
Output
example
89
Workflow
Example:
Splunk
>
Archer
91
Splunk / Archer Integration Workflow - v1.0
START
Event Escalation Review Resolve Mark for
Review Notification Incident Incident Closure
1.0 3.1a 4.0 4.1 4.2
YES
NO
END
Create Incident Mgr Close
Escalated Archer Closed Closed
NO Event? YES Notification NO Incident? YES
Splunk
2.1 Record Event
2.2 3.2a 6.1
6.2
92
Ge{ng
Data
to
Archer
python
REST
API
interac<on
with
Splunk
API
for
gathering
things
like
asset
info,
vuln
data,
etc
pulled
from
the
metadata
‘Notable
Events’
correla<on
framework.
The
common
set
of
fields
in
the
correla<onsearches.conf
specifica<on
would
be
passed
to
archer,
driven
by
the
rule_id
security_domain
severity
rule_name
descripRon
rule_Rtle
rule_descripRon
drilldown_name
drilldown_search
default_status
default_owner
93
Ge{ng
Data
to
Archer
94
Ge{ng
Data
to
Archer
• Archer
fields
mapped
to
Splunk
Notable
Events
field
in
python
SOAP
script
• Splunk
generates
metadata
events,
and
‘Archer’
command,
sends
it
to
Archer
via
custom
search
in
Enterprise
Security.
• Workflow
ac<on
to
escalate
a
Notable
Event
to
Archer
directly
• Automated
Splunk
Search
of
the
'Notable
Events'
Macro
every
few
minutes
based
on
rule_id,
event_id
and
urgency
(for
aler<ng
if
desired)
Ge{ng
Data
to
Archer
Closing
a
Notable
Event
from
Archer
Archer
dashboard
object
or
ac<on
to
close
a
'Notable
Event'.
We
use
the
‘search’
REST
endpoint
to
allow
a
REST
call,
to
change
a
status
or
close
a
status.
This
hander
takes
some
input
and
writes
a
properly
forma/ed
line
of
CSV
to
incident_review.csv.
incident_review.csv's
header
contains
the
following
fields:
Rme
rule_id
Owner
Urgency
Status
Comment
user