Splunk Enterprise Security

Can someone help me understand this event from Splunk ES ?

hrithiktej
Communicator

I have these events on Splunk ES security posture dashboard and need help in understand how the detection for this one particular investigation works

below is the example of this event we are investigating

04/22/2019 06:35:00 -0400, search_name="Threat - File Name Matches - Threat Gen", search_now=1555929300.000, info_min_time=1555840800.000, info_max_time=1555929300.000, info_search_time=1555929301.836, dest="::", file_name="Setup.exe", orig_sourcetype="cisco:sourcefire", src="10.143.24.83|10.143.6.14", threat_collection=file_intel, threat_collection_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240:mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89", threat_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240|Appendix_G_IOCs_No_OpenIOC.xml", threat_match_field=file_name, threat_match_value="Setup.exe"

Threat detection reference https://jar-download.com/artifacts/org.mitre/stix/1.2.0.2/source-code/schemas/v1.2.0/samples/APT1/Ap...

Using the file name i could trace down to one of the users who was trying to download snoopwpf which is "a app that allows you to spy/browse the visual tree of a running application (without the need for a debugger) ... and change properties ... amongst other things."

how does this investigation of Splunk ES work is it solely based on file name or more?

0 Karma

hrithiktej
Communicator

Thanks for the reply folks i will try this out, i will create a notepad file with some content rename it as setup.exe and try to pass it through source fire and see if the detection occurs, if it does and the detection is just because of the name than in my opinion it is not a so cool investigation correlation search in splunk.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Chris is right; essentially that search is looking at threat lists that you subscribe to (in this case one from Mandiant) and looking for cases where identified threat indicators exist in your data, thus potentially indicating that there is a threat in your environment. Next step would be to investigate whether or not it is a false positive—is there really a threat to your network / is there actually malicious behavior occurring. And as Chris points out, you can test whether or not the search is functioning by creating the data.

In this case it sounds like you did a bit of investigation and identified a user downloading something that could be malicious, but could also be useful for them to do their job. Then it's up to you/the security team at your organization to decide if that's "bad".

0 Karma

Splunker
Communicator

The supplied Mandiant IOCs do false-positive a lot.

Looks like you got a match on the file-name (threat_match_field=file_name, with a file-name of setup.exe per threat_match_value="Setup.exe"), would be my guess.

You can test it by passing different Setup.exe's (maybe text-files? :)) via the Sourcefire's with different hashes to test the theory 🙂

Chris.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...