
© 2020 SPLUNK INC.


Leveraging Splunk In
a Chaotic Data World

Efi Kaufman
Head of Big Data & Analytics, Cyber Security Center |
DELL Technologies @ Ministry of Energy - Israel

Chris Duffey
Global Energy Solutions Strategist | Splunk
Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved

After the Next ~15 Minutes…

You’ll walk away from this presentation with some ideas and guidance about:
• How to handle, in Splunk, logs coming from other SIEMs
• How to “reverse engineer” the Splunk Add-on for Microsoft Windows to make it work with “unsupported” logs

[Figure: relayed Windows Events and other SIEMs’ alerts flowing into Splunk]

Follow the cat for additional resources and tips regarding the content of this presentation.

High Level Work Flow

1. Identify the source of information
   This is where you start! A flood of data from mixed sources and formats.

2. Identify the data source format/s
   syslog, JSON, XML, CEF, LEEF. Use the fields Splunk was able to identify automatically to cut through the stream, together with the field punct (https://docs.splunk.com/Splexicon:Punct).

3. Identify the type of data sources
   Windows, Linux, networking, security products.

4. Test applicable TAs from Splunkbase
   Look for a TA on Splunkbase and test whether it works with the corresponding data sources.

5. Build or reuse a TA
   Build, or adjust TAs from Splunkbase or in-house developed ones.

6. Validate the CIM Data Model
   Validate that the data is mapped to the CIM fields.

Technology Add-ons

A type of app that runs on the Splunk platform and provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros. An add-on is not typically run as a standalone app. Instead, an add-on is a reusable component that supports other apps across a number of different use cases.

• A collection of knowledge objects (eventtypes, tags, field aliases, field extractions, lookups) that act on the data based on host, source or sourcetype.

Design tip: Decide whether you want separate TAs per data source, site, facility or any other grouping, so that changes to a TA apply to the intended data sources only.

[Figure: example groupings, by format (TA-CEF, TA-LEEF, TA-SYSLOG) or by site (TA-Tokyo, TA-NYC, TA-Moscow, TA-Shanghai)]

splunkdocslinks.md

Ideal Way to Load Data

…so it will be compatible with TA-Win and CIM (looking at ES)

• Use Splunk Universal Forwarders (UF) with the Splunk Add-on for Windows

OR

• Use Windows Event Forwarding (WEF), which relies on native components built into any Windows-based client or server

If you don’t… you WILL run into trouble.

LoadWinEventsToSplunk.md

Example: Windows Event ID 4624 – Successful Logon

The same event as it arrives in different representations:

Native XML (Windows Event Log):
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{12345678-1234-1234-abcd-123456789012}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12345</Task><Opcode>0</Opcode><Keywords>0x0000000000000000</Keywords….</Event>

JSON:
{"name":"DefaultProfile","version":"1.0","isoTimeFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"4624","protocolID":"123",...}

CEF:
CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4624|An account was successfully logged on.|Low| eventId=123456 externalId=4624 msg=Network….

CEF inside syslog (McAfee ESM):
Jan 1 08:00:00 192.168.0.1 2000-01-01T08:00:00.000+00:00 1.2.3.4 CEF:0|McAfee|ESM|1.2.3|43-263046240|An account was successfully logged on|….

Syslog key=value:
<13>Original Address=192.168.1.1 Jan 01 08:00:00 abcd123 AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=abcd123.abcd.LOCAL User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12345

Design tip: Consider using heavy forwarders between your (uncontrolled) data sources and your indexers. For some relevant and useful props.conf/transforms.conf configurations see: hf_props_transforms_tips.md

other_SIEMs_examples.md
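Added example, not code from the deck or from Splunk: the first two steps of the workflow (fingerprint the stream with a punct-style pattern, identify the representation, cut the syslog framing away and hand the payload to the right parser), run over constructed versions of the five representations above. The sample lines are constructed (the slide's "…" are completed with filler and every address, GUID and ID is a dummy), the punct function is an approximation of Splunk's field rather than its implementation, and the format names are my own.

```python
import json
import re

# Constructed sample events, one per representation shown on the slide. They
# are not real captures: the "..." on the slide are completed with filler so
# each line parses, and all addresses, GUIDs and IDs are dummies.
SAMPLES = {
    "xml": ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><Provider Name='Microsoft-Windows-Security-Auditing' "
            "Guid='{12345678-1234-1234-abcd-123456789012}'/><EventID>4624</EventID>"
            "<Version>2</Version><Level>0</Level><Task>12345</Task><Opcode>0</Opcode>"
            "<Keywords>0x0000000000000000</Keywords></System></Event>"),
    "json": ('{"name":"DefaultProfile","version":"1.0","isoTimeFormat":'
             '"yyyy-MM-dd\'T\'HH:mm:ss.SSSZ","type":"Event","category":"4624",'
             '"protocolID":"123"}'),
    "cef": ("CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4624|"
            "An account was successfully logged on.|Low| eventId=123456 externalId=4624 "
            "msg=Network logon"),
    "cef_in_syslog": ("Jan 1 08:00:00 192.168.0.1 2000-01-01T08:00:00.000+00:00 1.2.3.4 "
                      "CEF:0|McAfee|ESM|1.2.3|43-263046240|An account was successfully "
                      "logged on|Low|"),
    "syslog_kv": ("<13>Original Address=192.168.1.1 Jan 01 08:00:00 abcd123 "
                  "AgentDevice=WindowsLog AgentLogFile=Security "
                  "Source=Microsoft-Windows-Security-Auditing Computer=abcd123.abcd.LOCAL "
                  "User= Domain= EventID=4624 EventIDCode=4624 EventType=8 "
                  "EventCategory=12345"),
}

PRI = re.compile(r"^<\d{1,3}>")          # syslog <PRI> prefix, e.g. <13>
KV = re.compile(r"\b[A-Za-z]\w*=")       # key= markers of a key=value stream


def punct(event, limit=30):
    """Approximation of Splunk's punct field (assumption: Splunk's own rules
    differ in details). Letters and digits are dropped, spaces become '_',
    and only the first `limit` characters are looked at, which is enough to
    tell the representations above apart at a glance."""
    return "".join("_" if ch == " " else ch
                   for ch in event[:limit] if not ch.isalnum())


def identify(event):
    """Return (format, payload): the representation the event is in and the
    part a format-specific TA should see once syslog framing is cut away."""
    body = PRI.sub("", event).lstrip()
    cef_at = body.find("CEF:0|")
    if cef_at >= 0:                      # CEF, possibly behind a syslog header
        return "cef", body[cef_at:]
    leef_at = body.find("LEEF:")
    if leef_at >= 0:
        return "leef", body[leef_at:]
    if body.startswith("<Event "):        # Windows native XML rendering
        return "xml", body
    if body.startswith("{"):
        try:
            json.loads(body)
            return "json", body
        except ValueError:
            pass
    if len(KV.findall(body)) >= 3:        # relayed syslog with key=value pairs
        return "syslog_kv", body
    return "unknown", body


def split_cef_header(cef):
    """Split 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Ext'
    on unescaped pipes; a literal pipe inside a header field is written '\\|'."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    parts[0] = parts[0][len("CEF:"):]
    keys = ["cef_version", "vendor", "product", "device_version",
            "signature", "name", "severity", "extension"]
    return dict(zip(keys, parts + [""] * (len(keys) - len(parts))))


def classify_all(samples=SAMPLES):
    """Run the identification over every sample: name -> (format, punct)."""
    return {name: (identify(ev)[0], punct(ev)) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, (fmt, p) in classify_all().items():
        print(f"{name:14s} {fmt:10s} punct={p}")
```

The point of the punct column is visible in the output: the XML, JSON and CEF renderings of the same 4624 event start with different punctuation patterns, so a search on punct separates them before any field extraction exists. The CEF header splitter is what a heavy forwarder's transforms would do for the McAfee ESM line once the two syslog timestamps in front of it are cut away.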

Decide What Will Be the Core Fields Set

• With regards to Windows event logs, most of the value will be achieved by extracting the following fields:

  src            dest
  src_ip         dest_ip
  src_nt_host    dest_nt_host
  src_nt_domain  dest_nt_domain
  src_user       dest_user

Design tip: You can do some nice things with calculated fields. See: calculated_fields_tips.md

Reverse Engineering the TA-Win

• Identify Windows Security Event Logs
  – Search for the logs:
    QRadar: logsourceType="Microsoft Windows Security Event Log"
    ArcSight: cef_product="Microsoft Windows" cef_signature="Microsoft-Windows-Security"
    McAfee ESM: nitroAppID="Microsoft-windows-security-auditing"
  – Mark them with eventtypes named "aaa_wineventlog_security:*"
  – In the Windows TA, create a local [wineventlog_security] eventtype stanza:
    search = eventtype="aaa_wineventlog_security*"

• Identify the event code field
  – Identify the fields:
    QRadar: EventID/category/EventIDCode
    ArcSight: externalId
    McAfee ESM: extract signature_id with a regex: \|43\-2630(?<signature_id>\d{4})0\|
  – Create the appropriate knowledge objects so you get:
    the Windows event ID number in the field signature_id, aliased to EventCode
    the Windows event ID description in the field signature

Design tip: The documentation for the Splunk Add-on for Windows on docs.splunk.com contains a very useful list of the lookups used in this TA.
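Added example, not from the deck or the Splunk Add-on for Windows: the three steps above (tag the relayed Security events with an eventtype, extract the event ID per SIEM, alias it to EventCode and look up its description) as Python over constructed lines. The slide tags events by the SIEM TA's own fields (logsourceType, cef_product/cef_signature, nitroAppID); this code matches raw-text markers instead, and those markers, the sample lines and the three-row signature lookup are assumptions. The McAfee ESM regex is the one on the slide.

```python
import re

# Constructed examples of the same Windows logon event relayed by three SIEMs.
# Values are made up and the slide's "..." are completed with filler.
RELAYED = {
    "qradar": ("<13>Original Address=192.168.1.1 Jan 01 08:00:00 abcd123 "
               "AgentDevice=WindowsLog AgentLogFile=Security "
               "Source=Microsoft-Windows-Security-Auditing Computer=abcd123.abcd.LOCAL "
               "User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12345"),
    "arcsight": ("CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4624|"
                 "An account was successfully logged on.|Low| eventId=123456 externalId=4624 "
                 "msg=Network logon"),
    "mcafee_esm": ("Jan 1 08:00:00 192.168.0.1 2000-01-01T08:00:00.000+00:00 1.2.3.4 "
                   "CEF:0|McAfee|ESM|1.2.3|43-263046240|An account was successfully logged on|Low|"),
}

# Step 1: recognise Windows Security events from each relay. Assumption: these
# raw-text markers identify the relay in your data; the slide keys on SIEM-TA
# fields instead. Adjust them to what your SIEMs actually emit.
SIEM_MARKERS = [
    ("qradar", re.compile(r"AgentDevice=WindowsLog\b.*\bSource=Microsoft-Windows-Security-Auditing\b")),
    ("arcsight", re.compile(r"CEF:0\|Microsoft\|Microsoft Windows\|[^|]*\|Microsoft-Windows-Security")),
    ("mcafee_esm", re.compile(r"CEF:0\|McAfee\|ESM\|")),
]

# Step 2: per-relay extraction of the Windows event ID into signature_id.
SIGNATURE_ID = {
    "qradar": re.compile(r"\bEventID=(?P<signature_id>\d+)"),
    "arcsight": re.compile(r"\bexternalId=(?P<signature_id>\d+)"),
    "mcafee_esm": re.compile(r"\|43\-2630(?P<signature_id>\d{4})0\|"),   # from the slide
}

# Step 3: description lookup. The TA ships a full lookup; this is a constructed stand-in.
SIGNATURE_LOOKUP = {
    "4624": "An account was successfully logged on.",
    "4625": "An account failed to log on.",
    "4672": "Special privileges assigned to new logon.",
}


def eventtype(line):
    """Name of the eventtype the local [wineventlog_security] stanza will be
    pointed at ('aaa_wineventlog_security:<siem>'), or None if not a relayed
    Windows Security event."""
    for siem, rx in SIEM_MARKERS:
        if rx.search(line):
            return f"aaa_wineventlog_security:{siem}"
    return None


def extract(line):
    """Return the knowledge-object output for one line: eventtype, signature_id,
    its EventCode alias and the signature description, or None if untagged."""
    et = eventtype(line)
    if et is None:
        return None
    siem = et.split(":", 1)[1]
    m = SIGNATURE_ID[siem].search(line)
    sid = m.group("signature_id") if m else None
    return {
        "eventtype": et,
        "signature_id": sid,
        "EventCode": sid,                        # field alias TA-Windows expects
        "signature": SIGNATURE_LOOKUP.get(sid),  # lookup, as TA-Windows does
    }


def extract_all(lines=RELAYED):
    """Apply extract() to every sample: relay name -> result."""
    return {name: extract(line) for name, line in lines.items()}


if __name__ == "__main__":
    for name, result in extract_all().items():
        print(name, result)
```

In Splunk terms, eventtype() is the saved search behind each aaa_wineventlog_security:* eventtype, SIGNATURE_ID is one EXTRACT (or REPORT) per relay scoped by that eventtype, the EventCode key is a FIELDALIAS, and SIGNATURE_LOOKUP is the automatic lookup; the regex for McAfee ESM shows why the scoping matters, since it would silently match nothing on the other relays.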

Working With Windows Events Over Syslog

• Extracting Windows Event fields and values from syslog can be very challenging because of the need to identify key/value pairs.
• Keys and values may contain spaces and come in different formats, making it harder to tell Splunk how to identify a key and its value.

2019-11-07 18:12:16 Daemon.Notice 127.0.0.1 Nov 7 18:12:15 DESKTOP-P193F0B Security-Auditing: 4672: AUDIT_SUCCESS Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

• The solution is using field extractions with regex
• But we don’t want to write a regex for every Windows event code and for every field…

field_extract_samples.txt

The Structure of a Windows Event

• Windows Events are made of sections
• These sections are often repeated in various event codes
• More resources on Windows Event logs: WinEvents/README.MD

Section templates (the parameters %1, %2, … are filled in per event) and the event codes that share them:

Subject:                      4611, 4624, 4625, 4634, 4647, 4656, 4672, 4673, 4674, 4688, 4689, 4696, 4715, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4739, 4740, 4741, 4742, 4743, 4767, 4912
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4

Subject:                      4648
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4
    Logon GUID: %5

Subject:                      4778, 4779
    Account Name: %1
    Account Domain: %2
    Logon ID: %3

Example event 4624 as shown on the slide:

An account was successfully logged on.

Subject:
    Security ID: SYSTEM
    Account Name: DESKTOP-LLHJ389$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7

Logon Information:
    Logon Type: 7
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: No

Impersonation Level: Impersonation

New Logon:
    Security ID: AzureAD\RandyFranklinSmith
    Account Name: [email protected]
    Account Domain: AzureAD
    Logon ID: 0xFD5113F
    Linked Logon ID: 0xFD5112A
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x30c
    Process Name: C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name: DESKTOP-LLHJ389
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: Negotiat
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

WinEvents/wineventssections.docx

Chris Duffey
Energy Solutions Strategist | Splunk

Industry Perspective
What is happening?

Energy
  Concerns: Regulation, active nation-state attacks, safety, environmental
  Problems: Responsibility, lack of talent, no centralized visibility, cloud and regulation
  Trends: Moving past regulation, IT/OT converged SOC

Manufacturing
  Concerns: IT and OT disconnect, attacks are increasing
  Problems: OT experience with IT teams, questions about priority, cloud offerings
  Trends: IT SOC monitors OT environment, increasing investment

It’s Almost Always Corporate Tech…

OT attacks are generally initiated at the OS, DB, networking, email or similar

• Dec 2016 – Industroyer malware disabled a substation in Ukraine. Phishing attack; gained access to an engineering workstation.
• Aug 2017 – TRISIS attack shuts down an oil refinery in Saudi Arabia. RDP traffic through the DMZ firewall to an engineering workstation.
• Aug 2018 – Maersk’s systems infected by malware on IT systems, resulting in 300M in losses. In many cases operations had to be switched to manual operations.
• Jul 2019 – Chinese hackers conducted a spear-phishing campaign against employees of 20 U.S. utility companies.
• Oct 2019 – India announced that North Korean malware had been identified in the networks of a nuclear power plant. Deployed as a Remote Admin Tool (RAT).
• Feb 2020 – Natural gas compressor facility shut down after being infected with ransomware. Phishing attack; spread to HMI, historians, and polling servers.

Coverage Options: Basic, Better, Best

OT Security focus needs to start with monitoring corporate tech

Level 1: Splunk Corporate + OT Network Perimeter
• Splunk for perimeter firewall monitoring of all OT locations

Level 2: Splunk Corporate + OT Network Perimeter + Levels 2/3
• Splunk for perimeter firewall monitoring of all OT locations
• Splunk deployed in Levels 2 & 3 of every OT environment

Level 3: Splunk Corporate + OT Network Perimeter + Levels 2/3 + OT Solution(s)
• Splunk for perimeter firewall monitoring of all OT locations
• Splunk deployed in Levels 2 & 3 of every OT environment
• Asset discovery + inventory
• OT threat detection
• Combined IT/OT SOC with centers of excellence

Perimeter

Firewalls/VPNs: Cisco, Palo Alto, Juniper, proprietary
Network equipment: Cisco, Juniper, proprietary

Questions to ask
• What changes are being made to my devices?
• Who is accessing my environment externally?
• What applications are communicating across my environment?

How can Splunk answer these questions?
• Identify system device changes
• Monitor VPN and access to the “jump box”
• Identify what is communicating across the firewall versus what is known or documented

Systems/Applications

Operating systems: Windows XP, 7, 10, Server 2003, 2008, 2012, 2016, Linux (legacy and modern)
Applications: SCADA, antivirus, SQL databases, reporting services

Questions to ask
• What are my users and vendors doing in my system?
• What applications and services are installed on my machines?
• Am I using endpoint protection and is it up to date?

How can Splunk answer these questions?
• Track users/vendors, permissions, and access to systems
• Understand what is installed on my machines against a baseline
• Identify gaps in protection and what machines are getting updated

OT Security Add-on for Splunk

Focus areas:
• Capture, monitor and report on data from OT assets
• Monitor traffic between OT and IT
• Identify vulnerabilities on OT assets
• Monitor, audit and investigate regulatory compliance issues

[Figure: add-on components – OT Asset Inventory Ingestion, Vulnerability Monitoring (MITRE ICS ATT&CK), Asset Framework and Asset Center Extensions, Compliance add-on for NERC CIP]

Thank you

Please provide feedback via the SESSION SURVEY