Splunk Enterprise Security

Can someone help me understand this event from Splunk ES ?

hrithiktej
Communicator

I have these events on Splunk ES security posture dashboard and need help in understand how the detection for this one particular investigation works

below is the example of this event we are investigating

04/22/2019 06:35:00 -0400, search_name="Threat - File Name Matches - Threat Gen", search_now=1555929300.000, info_min_time=1555840800.000, info_max_time=1555929300.000, info_search_time=1555929301.836, dest="::", file_name="Setup.exe", orig_sourcetype="cisco:sourcefire", src="10.143.24.83|10.143.6.14", threat_collection=file_intel, threat_collection_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240:mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89", threat_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240|Appendix_G_IOCs_No_OpenIOC.xml", threat_match_field=file_name, threat_match_value="Setup.exe"

Threat detection reference https://jar-download.com/artifacts/org.mitre/stix/1.2.0.2/source-code/schemas/v1.2.0/samples/APT1/Ap...

Using the file name i could trace down to one of the users who was trying to download snoopwpf which is "a app that allows you to spy/browse the visual tree of a running application (without the need for a debugger) ... and change properties ... amongst other things."

how does this investigation of Splunk ES work is it solely based on file name or more?

0 Karma

hrithiktej
Communicator

Thanks for the reply folks i will try this out, i will create a notepad file with some content rename it as setup.exe and try to pass it through source fire and see if the detection occurs, if it does and the detection is just because of the name than in my opinion it is not a so cool investigation correlation search in splunk.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Chris is right; essentially that search is looking at threat lists that you subscribe to (in this case one from Mandiant) and looking for cases where identified threat indicators exist in your data, thus potentially indicating that there is a threat in your environment. Next step would be to investigate whether or not it is a false positive—is there really a threat to your network / is there actually malicious behavior occurring. And as Chris points out, you can test whether or not the search is functioning by creating the data.

In this case it sounds like you did a bit of investigation and identified a user downloading something that could be malicious, but could also be useful for them to do their job. Then it's up to you/the security team at your organization to decide if that's "bad".

0 Karma

Splunker
Communicator

The supplied Mandiant IOCs do false-positive a lot.

Looks like you got a match on the file-name (threat_match_field=file_name, with a file-name of setup.exe per threat_match_value="Setup.exe"), would be my guess.

You can test it by passing different Setup.exe's (maybe text-files? :)) via the Sourcefire's with different hashes to test the theory 🙂

Chris.

Get Updates on the Splunk Community!

Testing out the OpenTelemetry Collector With raw Data

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...