Threat activity - Errors in correlation search related to RBA?

XavG — Thu, 16 Jun 2022 06:59:45 GMT

Hi,

I'm wondering if there isn't an issue with the correlation search that comes with Splunk ES "Threat activity detected".

Indeed, my problem come from the fact that when it's triggered then I have at least 2 other alerts concerning the "24h thresold risk score" (RBA).

I have taken the original correlation search (at least I think it is)

| from datamodel:"Threat_Intelligence"."Threat_Activity" 
| dedup threat_match_field,threat_match_value 
| `get_event_id` 
| table _raw,event_id,source,src,dest,src_user,user,threat*,weight 
| rename weight as record_weight 
| `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")` 
| `get_threat_attribution(threat_key)` 
| rename source_* as threat_source_*,description as threat_description 
| fields - *time 
| eval 
risk_score=case(isnum(record_weight), record_weight, isnum(weight) AND weight=1, 60, isnum(weight), weight, 1=1, null()),
risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),
risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",null(),threat_match_value),
risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",null(),threat_match_value),
risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)

And notice that the mechanism to select which type of risk category is concerned is changing after the first line.

1. Risk_system

risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),

If I translate : If the threat_match_field is "query or "answer" then the risk category is system and risk_system="IOC that matched"

In this case this is a domain or URL (because it's a DNS query or answer)

--> THIS LINE IS GOOD

2. Risk_hash

risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),

But in the case of hash, if I translate : If the threat_match_field is "file_hash" then the risk category is NOT hash and risk_hash="null"

--> THIS LINE IS WRONG

Then it is the same for all other category : network, host, other

So in my opinion the values in the if statement were reversed.

risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),

shoud be

risk_hash=if(threat_match_field IN("file_hash"),threat_match_value, null()),

Is it me ? My instance ? or what ?

Thanks in advance

Xavier

Re: Threat activity - Errors in correlation search related to RBA?

XavG — Thu, 23 Jun 2022 06:40:46 GMT

Nobody ? 😕

Re: Threat activity - Errors in correlation search related to RBA?

frank_s — Thu, 14 Jul 2022 17:53:52 GMT

Yes, looks to be incorrect. You can re-write that portion as follows:

risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
risk_hash=if(threat_match_field IN("file_hash"),threat_match_value,null()),
risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",threat_match_value,null()),
risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",threat_match_value,null()),
risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)

Re: Threat activity - Errors in correlation search related to RBA?

jacobappleton — Fri, 05 Aug 2022 18:44:09 GMT

We've noticed the same thing. Would be nice to get some feedback from Splunk on whether this is a known issue.

topic Re: Threat activity - Errors in correlation search related to RBA? in Splunk Enterprise Security

Threat activity - Errors in correlation search related to RBA?

Re: Threat activity - Errors in correlation search related to RBA?

Re: Threat activity - Errors in correlation search related to RBA?

Re: Threat activity - Errors in correlation search related to RBA?