Splunk Enterprise Security

Can someone help me understand this event from Splunk ES ?

hrithiktej
Communicator

I have these events on Splunk ES security posture dashboard and need help in understand how the detection for this one particular investigation works

below is the example of this event we are investigating

04/22/2019 06:35:00 -0400, search_name="Threat - File Name Matches - Threat Gen", search_now=1555929300.000, info_min_time=1555840800.000, info_max_time=1555929300.000, info_search_time=1555929301.836, dest="::", file_name="Setup.exe", orig_sourcetype="cisco:sourcefire", src="10.143.24.83|10.143.6.14", threat_collection=file_intel, threat_collection_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240:mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89", threat_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240|Appendix_G_IOCs_No_OpenIOC.xml", threat_match_field=file_name, threat_match_value="Setup.exe"

Threat detection reference https://jar-download.com/artifacts/org.mitre/stix/1.2.0.2/source-code/schemas/v1.2.0/samples/APT1/Ap...

Using the file name i could trace down to one of the users who was trying to download snoopwpf which is "a app that allows you to spy/browse the visual tree of a running application (without the need for a debugger) ... and change properties ... amongst other things."

how does this investigation of Splunk ES work is it solely based on file name or more?

0 Karma

hrithiktej
Communicator

Thanks for the reply folks i will try this out, i will create a notepad file with some content rename it as setup.exe and try to pass it through source fire and see if the detection occurs, if it does and the detection is just because of the name than in my opinion it is not a so cool investigation correlation search in splunk.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Chris is right; essentially that search is looking at threat lists that you subscribe to (in this case one from Mandiant) and looking for cases where identified threat indicators exist in your data, thus potentially indicating that there is a threat in your environment. Next step would be to investigate whether or not it is a false positive—is there really a threat to your network / is there actually malicious behavior occurring. And as Chris points out, you can test whether or not the search is functioning by creating the data.

In this case it sounds like you did a bit of investigation and identified a user downloading something that could be malicious, but could also be useful for them to do their job. Then it's up to you/the security team at your organization to decide if that's "bad".

0 Karma

Splunker
Communicator

The supplied Mandiant IOCs do false-positive a lot.

Looks like you got a match on the file-name (threat_match_field=file_name, with a file-name of setup.exe per threat_match_value="Setup.exe"), would be my guess.

You can test it by passing different Setup.exe's (maybe text-files? :)) via the Sourcefire's with different hashes to test the theory 🙂

Chris.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...