Splunk AdminES - Slides
• Configure ES lookups
• Configure the different ES frameworks, including Assets & Identities and Threat Intelligence
Administering Splunk Enterprise Security
turn data into doing™ 5 Copyright © 2022 Splunk, Inc. All rights reserved | 25 May 2022
Course Outline
1. Introduction to ES
2. Security Monitoring
3. Risk-Based Alerting
4. Incident Investigation
5. Installation
6. Initial Configuration
7. Validating ES Data
8. Custom Add-ons
9. Tuning Correlation Searches
10. Creating Correlation Searches
11. Asset & Identity Management
12. Threat Intelligence Framework
Appendix A: Analyst Tools & Dashboards
Appendix B: Use Case Library
Appendix C: Event Sequencing Engine
Appendix D: ES On-prem Deployment
Appendix E: Using ES Overview
Module 1: Introduction to Enterprise Security
Example data sources feeding Splunk ES (events, data models):
• Vulnerability scanners (port scanning, testing vulnerabilities): mcafee, nessus
• Firewalls/proxies: cisco-pix, pa-networks, juniper-networks, bluecoat
• Intrusion detection systems (packet sniffing): snort, dragon-ids, mcafee
• Production servers (any operating system): microsoft-av, linux-secure, windows:*, access-combined
• Network capture (Stream): stream:tcp, stream:udp, stream:http
Key indicators (Security Posture): select KIs to add and click Add Indicators; a KI can also be removed from the display.
Incident Review status configuration: click to add a new status; End Status designates the label as the final stage of notable examination; select a status from the Label column to edit it; a label can be enabled or disabled from displaying in Incident Review.
Important! The new attribute will only display for notable events containing the field referenced here. In this case, the eventtype field.
docs.splunk.com/Documentation/ES/latest/Admin/Embeddedworkbench
Using Workflow Actions
From the Destination field Action menu, select the <dest name> Installed OS link.
Drill down on any dashboard value to view the search and results.
Risk-based alerting: create risk rules that create risk attributions for entities when something suspicious happens. Instead of triggering an alert, risk attributions are sent to the risk index. Enrich risk attributions by appending relevant context like a risk score or a MITRE ATT&CK technique. When an entity’s risk score or behavioral pattern meets the predetermined threshold, a notable event is triggered.
Risk analysis dashboard callouts: expand for details; add a message; ability to manage Risk Factors; time range; tabs.
Investigation Workbench: 1. Select artifact(s).
Context Panels: Risk Scores, IDS Alerts, Notable Events, System Vulnerabilities, Latest OS Updates, Computer Inventory
Endpoint Data Panels: File System Changes, Registry Activity, Process Activity, Service Activity, User Account Changes, Port Activity, Authentication Data
Network Data Panels: Web Activity, Email Data, Network Traffic Data, DNS Data, Certificate Activity, Network Session Data
Risk Panels: Risk Scores, Recent Risk Modifiers, MITRE ATT&CK Techniques, MITRE ATT&CK tactics
status is New
• Investigations can only be deleted by admins
• Analysts can delete investigation entries
• Edit the Title, Status, and Description of the investigation; click to add a collaborator
• Example: create a workbench tab named IDS / IPS Activity that displays detailed information on panels focused on Cisco Sourcefire activity. The tab will not display by default; analysts will have to add this content to the investigation manually.
docs.splunk.com/Documentation/ES/latest/Admin/Customizeinvestigations
Creating Workbench Panels
• Add pre-defined panels to be used in a new Investigation Workbench tab
– Follow this process for each panel you want to display in the new tab
Configure > Content > Content Management
ES supported TAs:
– Splunk Add-on for Blue Coat ProxySG
– Splunk Add-on for Zeek (Bro) IDS
– Splunk Add-on for McAfee
– Splunk Add-on for Juniper
– Splunk Add-on for Microsoft Windows
– Splunk Add-on for Oracle Database
– Splunk Add-on for OSSEC
– Splunk Add-on for RSA SecurID
– Splunk Add-on for Sophos
– Splunk Add-on for FireSIGHT
– Splunk Add-on for Symantec Endpoint Protection
– Splunk Add-on for Unix and Linux
– Splunk Add-on for Websense Content Gateway
Universal Forwarders gather operational and security data and send it to indexers or heavy forwarders.
Search Head(s): ES app + all DAs, SAs and TAs.
1. Click Install app from file
Important! Do not uninstall any of the default apps which are part of the basic Splunk package, as they are required by ES.
2. Click Choose File and browse to the ES .spl or .tar file
3. Click Upload
Note: If upgrading ES, select the Upgrade app checkbox to install a new version of ES but keep all configurations.
4. Click Set up now
6. Before the setup starts, choose to keep SSL enabled, or turn off SSL for Splunk
8. When the process is complete, restart Splunk
Production servers with forwarders and the Stream add-on capture network data and forward it to indexers.
Indexers store the captured stream data.
Splunk ES with the Stream app executes and displays search results. Captured data does not include message content unless specifically configured.
Note
The view list scrolls—there are many to pick from.
ES data flow (search head and indexers): inputs are parsed by Technology Add-ons (TA apps; TA_ForIndexers on the indexers) and stored in indexes; data models (DM) are accelerated on the search head (HPAS; click to edit acceleration) and feed the DA + SA + ES app dashboards; unaccelerated data models fall back to _raw searches.
• Each data model defines a standard set of field names for events
that share a logical context, such as:
– Malware: anti-virus logs
– Performance: OS metrics like CPU and memory usage
– Authentication: log-on and authorization events
– Network Traffic: network activity
Example: one sourcetype has events with an ACCESS field, containing numeric codes like 0 (access allowed) and 1 (access denied). Another sourcetype has an Action field, with values “allowed” and “denied”. After normalization, both source types will have the action field with the same values (success or failure), making it easier to build reports.
3. The Network Traffic data model does not contain events with the cisco:asa source type
– This is because the events are not being tagged with the network and communicate tags, and the fields are not being aliased to the proper names required in the data model
https://docs.splunk.com/Documentation/CIM/latest/User/NetworkTraffic
Summarized by index (main, threat_activity, etc.)
• Determine if normalization is required for each field’s name and value. For example:
  original source field | CIM field | fix
  missing | signature | use eval to create a default value
  SSID | unused | regex to mask all but the last 4 digits
  status | action | use eval to translate source numeric codes to CIM terms
  ... | ... | ...
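As an added illustration of the normalization described above (example code written for this page, not part of the course or of Splunk), the following Python models what props.conf field aliases, eval translations and eventtype tags do for two constructed sourcetypes, and shows why untagged, un-aliased cisco:asa events never reach the Network Traffic data model. The sourcetype acme:fw, its ACCESS codes, the sample IPs and the SSID value are constructed; the tag and field checks stand in for the data model's base search constraint.

```python
import re

# Constructed sample events (not from the course). Two sourcetypes express the same
# thing with different field names and values: acme:fw uses a numeric ACCESS code,
# cisco:asa uses an Action word. Both carry non-CIM src/dest field names.
EVENTS = [
    {"sourcetype": "acme:fw", "ACCESS": "0", "src_ip": "10.1.1.5", "dest_ip": "10.2.2.9",
     "SSID": "corp-wifi-1234"},
    {"sourcetype": "acme:fw", "ACCESS": "1", "src_ip": "10.1.1.7", "dest_ip": "10.2.2.9"},
    {"sourcetype": "cisco:asa", "Action": "allowed", "src_ip": "10.1.1.8", "dest_ip": "10.2.2.1"},
    {"sourcetype": "cisco:asa", "Action": "denied", "src_ip": "10.1.1.9", "dest_ip": "10.2.2.1"},
]

# One entry per sourcetype, standing in for props.conf/transforms.conf/tags.conf:
# FIELDALIAS-style renames, an EVAL-style action translation, and eventtype tags.
# cisco:asa is left exactly as item 3 describes it: no tags and no aliases.
BROKEN_CONFIG = {
    "acme:fw": {"aliases": {"src_ip": "src", "dest_ip": "dest"},
                "action_field": "ACCESS",
                "action_map": {"0": "success", "1": "failure"},
                "tags": {"network", "communicate"}},
    "cisco:asa": {"aliases": {},
                  "action_field": "Action",
                  "action_map": {"allowed": "success", "denied": "failure"},
                  "tags": set()},
}
# The fix: alias the fields and tag the events so they satisfy the model constraint.
FIXED_CONFIG = dict(BROKEN_CONFIG)
FIXED_CONFIG["cisco:asa"] = {**BROKEN_CONFIG["cisco:asa"],
                             "aliases": {"src_ip": "src", "dest_ip": "dest"},
                             "tags": {"network", "communicate"}}

DM_TAGS = {"network", "communicate"}      # Network Traffic base search constraint
DM_FIELDS = ("src", "dest", "action")     # normalized fields the reports rely on


def mask_all_but_last4(value):
    """Regex masking as in the SSID row: replace every character that still has
    at least four characters after it."""
    return re.sub(r".(?=.{4})", "x", value)


def normalize(event, config):
    """Apply aliases, translate the action value, default a missing signature,
    mask SSID, and attach the sourcetype's tags. Raw fields are kept beside
    their aliases, as Splunk does."""
    rules = config[event["sourcetype"]]
    out = dict(event)
    for raw_name, cim_name in rules["aliases"].items():
        if raw_name in out:
            out[cim_name] = out[raw_name]
    out["action"] = rules["action_map"].get(out.get(rules["action_field"]), "unknown")
    out.setdefault("signature", "unknown")   # eval-style default for a missing field
    if "SSID" in out:
        out["SSID"] = mask_all_but_last4(out["SSID"])
    out["tag"] = set(rules["tags"])
    return out


def data_model_members(events, config):
    """Return the normalized events that would land in the Network Traffic data
    model: tagged network AND communicate, with the model's fields populated."""
    members = []
    for event in events:
        norm = normalize(event, config)
        if DM_TAGS <= norm["tag"] and all(f in norm for f in DM_FIELDS):
            members.append(norm)
    return members


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = data_model_members(EVENTS, cfg)
        print(label, sorted({m["sourcetype"] for m in hits}), [m["action"] for m in hits])
```

With BROKEN_CONFIG only the two acme:fw events are members; with FIXED_CONFIG all four are, and every event carries action as success or failure regardless of how the source spelled it.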
Note: The Add-on Builder can do a lot of things, but for CIM normalization you only need to add sample data and the CIM mapping function.
Add-on Builder CIM mapping: 3. Select a source field. 4. Select a target field. 5. Click OK.
Note: The source event type or expression field can be an eval statement (to transform the source value to the CIM required format).
Validation: 1. Select validations to apply. 2. Click to start validation.
http://docs.splunk.com/Documentation/ES/latest/Admin/Expandcontentmanagementsearches
Enabling Correlation Searches
• Only enable correlation searches that make sense for your environment
• Consider:
– Types of vulnerabilities or threats you have determined might exist
– Type of security operations you are focused on, i.e., malware, intrusion detection, audit, change monitoring, etc.
– You may need to increase hardware specs if you have many correlation searches running
– You can improve overall performance by making less critical correlation searches scheduled instead of real-time
– model: name of the model for applying data and comparing against standards to find outliers. For example: app:failures_by_src_count_1h
– qualitative_id: default IDs that correspond to percentages of deviation, representing where on the distribution curve to look for outliers. For example: high, medium, low
– field: where to search for or count outliers, such as failure
Note: Each time Response Actions are modified, you must update the Splunk_TA_AROnPrem app.
Note: DA-ESS is a recommended prefix for content add-ons but is not required.
• Prior to 6.2, assets and identities were only defined in lookup tables
• Using the KV Store allows for larger tables for assets and identities
• Lookups are defined in SA-IdentityManagement transforms.conf. Example lookup configuration:
[asset_lookup_by_cidr]
external_type = kvstore
match_type = CIDR(asset)
collection = assets_by_cidr
fields_list = _delete,_key,_last_updated,_sources,asset,asset_tag,bunit,category,city,country,dns,ip,is_expected,lat,long,mac,nt_host,owner,pci_domain,priority,requires_av,should_timesync,should_update
max_matches = 1
case_sensitive_match = false
filter = NOT _delete="true"
Click an added lookup configuration to edit or delete it.
Note: The default configurations demo_assets and static_assets cannot be removed.
– Tag
– Multivalue
– Multivalue Limit
– By default, the three host1 entries defined by the nt_host field are merged into one asset and the two host2 entries are merged into another
– With merge disabled, the collection remains the same as the source file
– When you do a lookup on a non-merged collection, there is no context for how to resolve the overlapping key field values
• For example, the asset_lookup_by_str lookup in transforms.conf has max_matches=1, so the first host it matches in the assets_by_str collection is the only one you will see in the search results
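The merge, max_matches and CIDR behaviour above, as an added Python example (not the course's or Splunk's code). The asset rows are constructed; host1 and host2 follow the three-and-two pattern from the merge discussion. The lookup order (exact ip/mac/nt_host/dns keys first, then CIDR ranges) and the choice of nt_host as the key field are this example's reading of the slide text, not the product's own lookup definitions.

```python
import ipaddress

# Constructed asset source rows (not the course's lookup file). host1 appears three
# times and host2 twice, as in the merge discussion; the last row is a CIDR range
# that only the CIDR collection can answer.
ASSET_ROWS = [
    {"ip": "10.0.1.10", "nt_host": "host1", "dns": "host1.acme.example", "priority": "high", "category": "pci"},
    {"ip": "10.0.1.11", "nt_host": "host1", "dns": "", "priority": "", "category": "dmz"},
    {"ip": "", "nt_host": "host1", "dns": "host1-mgmt.acme.example", "priority": "", "category": ""},
    {"ip": "10.0.2.20", "nt_host": "host2", "dns": "", "priority": "medium", "category": ""},
    {"ip": "10.0.2.21", "nt_host": "host2", "dns": "host2.acme.example", "priority": "", "category": ""},
    {"ip": "10.0.3.0/24", "nt_host": "", "dns": "", "priority": "low", "category": "lab"},
]
KEY_FIELD = "nt_host"                        # the key field the merge setting groups on (assumed)
STR_KEYS = ("ip", "mac", "nt_host", "dns")   # exact-match keys, tried before CIDR (assumed order)


def _as_multivalue(row):
    """KV store rows hold multivalue fields; empty source cells become no value."""
    return {k: ([v] if v else []) for k, v in row.items()}


def build_collections(rows, merge=True, mv_limit=0):
    """Split source rows into assets_by_str (exact keys) and assets_by_cidr.
    With merge=True, rows that share KEY_FIELD collapse into one asset whose
    fields become multivalue; mv_limit > 0 caps how many values are kept.
    With merge=False the collection mirrors the source file row for row."""
    by_str, by_cidr = [], []
    for row in rows:
        if "/" in row["ip"]:
            by_cidr.append(_as_multivalue(row))
            continue
        target = None
        if merge and row[KEY_FIELD]:
            target = next((a for a in by_str if a[KEY_FIELD] == [row[KEY_FIELD]]), None)
        if target is None:
            by_str.append(_as_multivalue(row))
            continue
        for field, value in row.items():
            if value and value not in target[field] and (mv_limit == 0 or len(target[field]) < mv_limit):
                target[field].append(value)
    return by_str, by_cidr


def lookup_asset(value, by_str, by_cidr, max_matches=1):
    """Resolve one value the way the lookups are ordered: exact string keys first,
    then CIDR ranges, returning at most max_matches rows. With the default
    max_matches=1 an un-merged collection yields only the first overlapping row."""
    hits = [a for a in by_str if any(value in a.get(k, []) for k in STR_KEYS)]
    if not hits:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return []
        hits = [a for a in by_cidr
                if any(addr in ipaddress.ip_network(c, strict=False) for c in a["ip"])]
    return hits[:max_matches]


if __name__ == "__main__":
    merged, cidr = build_collections(ASSET_ROWS)
    plain, _ = build_collections(ASSET_ROWS, merge=False)
    print("merged host1:", lookup_asset("10.0.1.11", merged, cidr))
    print("un-merged host1 (first match only):", lookup_asset("host1", plain, cidr))
    print("cidr fallback:", lookup_asset("10.0.3.77", merged, cidr))
```

Looking up 10.0.1.11 against the merged collection returns the full host1 asset, including the pci category that only the first source row carried; against the un-merged collection, a lookup on host1 returns just the first of the three rows, which is the loss of context the slide warns about.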
Enable Zones
• Create Zones for entries that overlap, like IP addresses
– For example, two companies that use the same IP address scheme are merging. Assign all entries with a location of palo_alto to a zone called flowmill, and entries with a location of boulder to a zone called victorops
Note: Typically, this should not need to be changed from the default: “Enable for all sourcetypes”.
• ES uses the above order to make its first match, then checks CIDR-based matches for IP addresses
Threat download settings:
• Interval: how often to download the information
• Ignoring regex: by default, ignores blank lines and lines beginning with #
• Max age: KV Store retention (default 30 days)
• Fields: comma separated list of fields in the data (defaults to description and ip)
• Remote site user and realm: only if the threat feed requires authentication; must be configured in Splunk Credential Management
Expand a Source to see the threat match configuration
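An added Python example (not from the course or from Splunk) of what the download settings above control: parsing a feed body with the default ignoring regex and field list, applying the 30-day max age when refreshing the collection, and matching events against the result. The feed text, the acme_feed source name, the existing collection rows and the sample events are constructed; in ES the rows live in KV Store collections such as ip_intel and the match runs in ES's own saved searches.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed feed body (not a real intelligence source). The comment and blank
# lines are what the default ignoring regex drops; the data rows are in the
# default field order, description then ip.
FEED_TEXT = """# ACME community blocklist, updated hourly
# fields: description,ip

scanner,198.51.100.7
brute-force,203.0.113.44

c2,203.0.113.9
"""
DEFAULT_IGNORE = r"(^#|^\s*$)"     # blank lines and lines beginning with #
DEFAULT_FIELDS = ("description", "ip")

# Constructed state of the collection before the refresh: one entry far past the
# 30-day max age, one still live that the new download will overwrite.
NOW = datetime(2022, 5, 25, tzinfo=timezone.utc)
EXISTING_COLLECTION = [
    {"ip": "192.0.2.1", "description": "old", "threat_key": "acme_feed",
     "_last_updated": NOW - timedelta(days=45)},
    {"ip": "203.0.113.9", "description": "stale", "threat_key": "acme_feed",
     "_last_updated": NOW - timedelta(days=10)},
]


def parse_feed(text, fields=DEFAULT_FIELDS, delimiter=",", ignore_regex=DEFAULT_IGNORE):
    """Turn one downloaded feed body into rows keyed by the configured field list,
    skipping every line the ignoring regex matches and any row whose column
    count does not match the field list."""
    skip = re.compile(ignore_regex)
    rows = []
    for line in text.splitlines():
        if skip.search(line):
            continue
        values = [v.strip() for v in line.split(delimiter)]
        if len(values) != len(fields):
            continue   # malformed row; a real download job would log it and move on
        rows.append(dict(zip(fields, values)))
    return rows


def refresh_collection(existing, downloaded, now, threat_key, max_age_days=30):
    """Merge a fresh download into the collection and expire entries whose
    _last_updated is older than max_age_days (the 30-day default above)."""
    cutoff = now - timedelta(days=max_age_days)
    kept = {e["ip"]: e for e in existing if e["_last_updated"] >= cutoff}
    for row in downloaded:
        kept[row["ip"]] = {**row, "threat_key": threat_key, "_last_updated": now}
    return list(kept.values())


def threat_matches(events, collection, match_fields=("src", "dest")):
    """Threat match step: flag events whose src or dest appears in the collection,
    producing the kind of rows the Threat Activity panels summarize."""
    by_ip = {e["ip"]: e for e in collection}
    hits = []
    for ev in events:
        for field in match_fields:
            intel = by_ip.get(ev.get(field))
            if intel:
                hits.append({"threat_match_field": field, "threat_match_value": ev[field],
                             "threat_key": intel["threat_key"], "description": intel["description"]})
    return hits


if __name__ == "__main__":
    coll = refresh_collection(EXISTING_COLLECTION, parse_feed(FEED_TEXT), NOW, "acme_feed")
    print(sorted(e["ip"] for e in coll))
    print(threat_matches([{"src": "10.0.0.5", "dest": "203.0.113.9"}], coll))
```

The refresh drops 192.0.2.1 (45 days old), keeps 203.0.113.9 with its new description, and a constructed event whose dest is 203.0.113.9 produces one threat match on the dest field.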
Panels:
• Threat activity over time by threat collection
• Most active threat collections and sources
• Threat activity detail
Per-panel filtering: 1. Select one or more events. 2. Click Per-panel Filter. 3. Choose to either filter out or highlight the events.
Bookmark stories specific to your duties
Correlation Searches
• Templates run as real-time searches and listen for incoming notable events and risk modifiers that are triggered by the correlation searches
Scenario
Create a template to detect high priority hosts with multiple malware infections, excluding test host ACME-004. Then, detect if the host has an abnormally high number of HTTP method events, excluding any “unknown” methods.
1. Give the template a name and description, and select the ES app.
2. Set the starting correlation search to Endpoint – High Or Critical Priority Host With Malware. Set the expression to detect all destinations (dest) except ACME-004.
https://docs.splunk.com/Documentation/ES/latest/Admin/Sequencecorrelationsearches
Scenario (cont.)
3. Add the transitional correlation search Endpoint – Host With Multiple Infections with the expression to detect all destinations (dest) except ACME-004.
4. Set the ending correlation search to Web – Abnormally High Number of HTTP Method Events By Src, and the expression to detect all methods except unknown. Also, set the time limit for the template to run to 60 days.
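The four steps above, run as a state machine in an added Python example (not the course's or Splunk's code). The template is expressed as data with the scenario's three correlation searches, the two exclusion expressions and the 60-day time limit; the notable events are constructed. One assumption is the field that ties the steps to the same host (dest for the Endpoint searches, src for the Web search), which the slide does not state.

```python
from datetime import datetime, timedelta

# The scenario's template as data. Each step names the correlation search whose
# notables it consumes, the filter expression from the scenario, and the notable
# field that identifies the host (assumed: dest for Endpoint, src for Web).
TEMPLATE = {
    "name": "Malware host with abnormal HTTP methods",
    "time_limit": timedelta(days=60),
    "steps": [
        {"search": "Endpoint - High Or Critical Priority Host With Malware",
         "entity": "dest", "expr": lambda ev: ev.get("dest") != "ACME-004"},
        {"search": "Endpoint - Host With Multiple Infections",
         "entity": "dest", "expr": lambda ev: ev.get("dest") != "ACME-004"},
        {"search": "Web - Abnormally High Number of HTTP Method Events By Src",
         "entity": "src", "expr": lambda ev: ev.get("http_method") != "unknown"},
    ],
}

T0 = datetime(2022, 5, 1)
_S = [s["search"] for s in TEMPLATE["steps"]]
# Constructed notable events as the template would see them arrive. HOST-A completes
# the chain; ACME-004 is excluded at every step; HOST-B's last step fires after the
# 60-day limit; the "unknown" HTTP method notable must not count as the end step.
NOTABLES = [
    {"_time": T0, "search_name": _S[0], "dest": "HOST-A"},
    {"_time": T0, "search_name": _S[0], "dest": "ACME-004"},
    {"_time": T0 + timedelta(hours=1), "search_name": _S[0], "dest": "HOST-B"},
    {"_time": T0 + timedelta(days=1), "search_name": _S[1], "dest": "HOST-A"},
    {"_time": T0 + timedelta(days=1), "search_name": _S[1], "dest": "ACME-004"},
    {"_time": T0 + timedelta(days=1, hours=1), "search_name": _S[1], "dest": "HOST-B"},
    {"_time": T0 + timedelta(days=2), "search_name": _S[2], "src": "HOST-A", "http_method": "unknown"},
    {"_time": T0 + timedelta(days=3), "search_name": _S[2], "src": "HOST-A", "http_method": "POST"},
    {"_time": T0 + timedelta(days=70), "search_name": _S[2], "src": "HOST-B", "http_method": "POST"},
]


def run_template(template, notables):
    """Walk notables in time order, keeping one open sequence per entity. A sequence
    opens on the start step, advances only when the next step's search fires for
    the same entity and passes its expression, and is dropped if the time limit
    has elapsed since it opened. Returns the completed sequences."""
    steps = template["steps"]
    open_seqs, completed = {}, []
    for ev in sorted(notables, key=lambda e: e["_time"]):
        for idx, step in enumerate(steps):
            if ev.get("search_name") != step["search"] or not step["expr"](ev):
                continue
            entity = ev.get(step["entity"])
            if entity is None:
                continue
            if idx == 0:
                open_seqs.setdefault(entity, {"stage": 1, "started": ev["_time"], "events": [ev]})
                continue
            seq = open_seqs.get(entity)
            if seq is None or seq["stage"] != idx:
                continue
            if ev["_time"] - seq["started"] > template["time_limit"]:
                del open_seqs[entity]   # expired: the window closed before this step fired
                continue
            seq["events"].append(ev)
            seq["stage"] += 1
            if seq["stage"] == len(steps):
                completed.append({"entity": entity, "started": seq["started"],
                                  "finished": ev["_time"], "events": seq["events"]})
                del open_seqs[entity]
    return completed


if __name__ == "__main__":
    for done in run_template(TEMPLATE, NOTABLES):
        print(done["entity"], [e["search_name"] for e in done["events"]])
```

Only HOST-A produces a sequenced notable: ACME-004 never passes the expressions, the "unknown" method notable is ignored, and HOST-B's chain expires because its last step arrives 70 days after the start.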
1. Click an item to open the related notable events in the Incident Review dashboard
2. The details for the KI open in Incident Review. From the Incident Review dashboard:
a. Drill down into the notables’ details
b. Take ownership
c. Work the issue
Note: You cannot expand an event until the search is complete. Not all incidents have the same detail items.
Short IDs:
1. Click Create Short ID for ES to automatically generate a short ID that makes it easier to find and share a notable event
2. The Short ID replaces the Create Short ID link. In addition to creating a Short ID, this enables sharing the event via a link:
• Click the Bookmark button to copy the link for sharing, or
• Click and drag the Bookmark button to your Bookmarks bar to save the link
Filtering by Short ID:
1. Select Associations from the Time or Associations menu, and Short ID from the Associations menu
2. Click inside the filter field and enter all or part of a Short ID (a drop-down appears and filters as you type), or click and scroll to the Short ID. Note: you can search for one or multiple Short IDs.
3. Click Submit
4. Click Save changes
As needed, click the + icon on the Investigation Bar to view an investigation, add a new one, or click the spyglass to perform a quick search
1. Select View all review activity for this Notable Event to open a new search showing all “review” events for the current issue
Tip: The `incident_review` macro can be used in custom searches and reports for incident status tracking by directly accessing the KV Store
Ping response action: Max Results is the number of results the ping returns (default is 1). Find your action in the notable event’s list of Adaptive Responses and click Ping to view the results.
Note: If there is an investigation selected in the Investigation Bar, Adaptive Responses will display an Action column with the option to add the response to the current investigation.
Add Threat Intelligence response action: choose the Threat Collection to add the threat artifact to (i.e. ip_intel).
Note: UBA must be installed on the ES search head for this Response Action to be available.
Adding artifacts while exploring (the Time Range and Action Menu controls sit on the Investigation Bar):
1. When exploring, click a value to add it as an artifact
2. Enter details and click Add to Scope
Investigation notes and artifacts:
Note: If you create a standard note and do not check the Show on Timeline box, the note will show under Notes as a “draft” note.
1. Click to view notes
2. Click an item to add it as an artifact
3. Enter a type, description and label as needed; enter comments
4. Add attachments (text or binary format); 4 MB max per file; attachments are stored in KV Store
5. Select items
6. View details; edit or delete entries or open in Incident Review
Investigation timeline: enter a new title and Save; toggle the Investigation Timeline; zoom entries; jump to start