- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Can someone help me understand this event from...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can someone help me understand this event from Splunk ES ?
I have these events on Splunk ES security posture dashboard and need help in understand how the detection for this one particular investigation works
below is the example of this event we are investigating
04/22/2019 06:35:00 -0400, search_name="Threat - File Name Matches - Threat Gen", search_now=1555929300.000, info_min_time=1555840800.000, info_max_time=1555929300.000, info_search_time=1555929301.836, dest="::", file_name="Setup.exe", orig_sourcetype="cisco:sourcefire", src="10.143.24.83|10.143.6.14", threat_collection=file_intel, threat_collection_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240:mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89", threat_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240|Appendix_G_IOCs_No_OpenIOC.xml", threat_match_field=file_name, threat_match_value="Setup.exe"
Threat detection reference https://jar-download.com/artifacts/org.mitre/stix/1.2.0.2/source-code/schemas/v1.2.0/samples/APT1/Ap...
Using the file name i could trace down to one of the users who was trying to download snoopwpf which is "a app that allows you to spy/browse the visual tree of a running application (without the need for a debugger) ... and change properties ... amongst other things."
how does this investigation of Splunk ES work is it solely based on file name or more?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply folks i will try this out, i will create a notepad file with some content rename it as setup.exe and try to pass it through source fire and see if the detection occurs, if it does and the detection is just because of the name than in my opinion it is not a so cool investigation correlation search in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris is right; essentially that search is looking at threat lists that you subscribe to (in this case one from Mandiant) and looking for cases where identified threat indicators exist in your data, thus potentially indicating that there is a threat in your environment. Next step would be to investigate whether or not it is a false positive—is there really a threat to your network / is there actually malicious behavior occurring. And as Chris points out, you can test whether or not the search is functioning by creating the data.
In this case it sounds like you did a bit of investigation and identified a user downloading something that could be malicious, but could also be useful for them to do their job. Then it's up to you/the security team at your organization to decide if that's "bad".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The supplied Mandiant IOCs do false-positive a lot.
Looks like you got a match on the file-name (threat_match_field=file_name, with a file-name of setup.exe per threat_match_value="Setup.exe"), would be my guess.
You can test it by passing different Setup.exe's (maybe text-files? :)) via the Sourcefire's with different hashes to test the theory 🙂
Chris.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
