Splunk Enterprise Security

Threat activity - Errors in correlation search related to RBA?

XavG
Engager

Hi,

I'm wondering if there isn't an issue with the correlation search that comes with Splunk ES, "Threat activity detected".

Indeed, my problem comes from the fact that when it's triggered, I have at least 2 other alerts concerning the "24h threshold risk score" (RBA).

I have taken the original correlation search (at least I think it is):

| from datamodel:"Threat_Intelligence"."Threat_Activity" 
| dedup threat_match_field,threat_match_value
| `get_event_id`
| table _raw,event_id,source,src,dest,src_user,user,threat*,weight
| rename weight as record_weight
| `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")`
| `get_threat_attribution(threat_key)`
| rename source_* as threat_source_*,description as threat_description
| fields - *time
| eval
    risk_score=case(isnum(record_weight), record_weight, isnum(weight) AND weight=1, 60, isnum(weight), weight, 1=1, null()),
    risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
    risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),
    risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",null(),threat_match_value),
    risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",null(),threat_match_value),
    risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)

And notice that the mechanism that selects which risk category is concerned changes after the first line.

1. Risk_system

risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),

If I translate: if the threat_match_field is "query" or "answer", then the risk category is system and risk_system="IOC that matched".

In this case this is a domain or URL (because it's a DNS query or answer)

--> THIS LINE IS GOOD

2. Risk_hash

risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),

But in the case of hash, if I translate: if the threat_match_field is "file_hash", then the risk category is NOT hash and risk_hash="null".

--> THIS LINE IS WRONG

Then it is the same for all other categories: network, host, other.

So in my opinion the values in the if statement were reversed.

risk_hash=if(threat_match_field IN("file_hash"),null(),threat_match_value),

should be

risk_hash=if(threat_match_field IN("file_hash"),threat_match_value, null()),

Is it me? My instance? Or what?

Thanks in advance

Xavier


jacobappleton
Explorer

We've noticed the same thing. Would be nice to get some feedback from Splunk on whether this is a known issue.


frank_s
Engager

Yes, looks to be incorrect. You can re-write that portion as follows:

risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
risk_hash=if(threat_match_field IN("file_hash"),threat_match_value,null()),
risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",threat_match_value,null()),
risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",threat_match_value,null()),
risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)

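To make the effect of the reversed if() branches visible, here is an added Python emulation of the eval quoted in the thread (this is editor-supplied example code, not Splunk's SPL and not code from any poster). It reproduces the risk_score case() and the five risk_* if() branches twice: once in the shipped order, and once with the hash, network and host branches reversed as proposed above. The sample threat matches, their values, and the field name `registry_value` are constructed for the example; Python `isinstance` stands in for SPL `isnum()`.

```python
"""Emulate the risk_* eval from the ES "Threat activity detected" search.

Added example (not Splunk's code): reproduces the if()/case() branches of the
SPL quoted in the thread, once with the shipped branch order and once with the
hash/network/host branches reversed, so the fields each match populates can be
inspected offline.
"""

SYSTEM_FIELDS = {"query", "answer"}
HASH_FIELDS = {"file_hash"}
NETWORK_FIELDS = {"http_user_agent", "url"}
HOST_FIELDS = {"file_name", "process", "service"}
# Fields listed in risk_other's IN() clause (the two LIKE prefixes are checked below)
OTHER_EXCLUDED = (SYSTEM_FIELDS | {"src", "dest", "src_user", "user"}
                  | HASH_FIELDS | NETWORK_FIELDS | HOST_FIELDS)


def is_network(field):
    return field in NETWORK_FIELDS or field.startswith("certificate_")


def is_host(field):
    return field in HOST_FIELDS or field.startswith("registry_")


def is_other(field):
    return not (field in OTHER_EXCLUDED
                or field.startswith("certificate_")
                or field.startswith("registry_"))


def risk_score(record_weight, weight):
    """SPL case(): the first true branch wins (isinstance stands in for isnum)."""
    if isinstance(record_weight, (int, float)):
        return record_weight
    if isinstance(weight, (int, float)):
        return 60 if weight == 1 else weight
    return None


def risk_fields(field, value, corrected=False):
    """Return the five risk_* values for one match; None stands for SPL null()."""
    if corrected:
        # Branch order proposed in the thread: value when the field is in the group
        return {
            "risk_system": value if field in SYSTEM_FIELDS else None,
            "risk_hash": value if field in HASH_FIELDS else None,
            "risk_network": value if is_network(field) else None,
            "risk_host": value if is_host(field) else None,
            "risk_other": value if is_other(field) else None,
        }
    # Shipped order: hash/network/host return null() when the field IS in the group
    return {
        "risk_system": value if field in SYSTEM_FIELDS else None,
        "risk_hash": None if field in HASH_FIELDS else value,
        "risk_network": None if is_network(field) else value,
        "risk_host": None if is_host(field) else value,
        "risk_other": value if is_other(field) else None,
    }


def populated(field, value, corrected=False):
    """Sorted names of the risk_* fields that carry a value for this match."""
    return sorted(k for k, v in risk_fields(field, value, corrected).items()
                  if v is not None)


# Constructed sample of threat matches (not real IOCs)
SAMPLE_MATCHES = [
    ("file_hash", "0123456789abcdef0123456789abcdef"),
    ("query", "bad.example.test"),
    ("url", "http://bad.example.test/x"),
    ("registry_value", "HKLM\\Software\\Example"),  # constructed LIKE "registry_%" field
    ("src", "198.51.100.7"),
    ("certificate_serial", "00DEADBEEF"),            # constructed LIKE "certificate_%" field
]

if __name__ == "__main__":
    for field, value in SAMPLE_MATCHES:
        print(f"{field:20} shipped={populated(field, value)}  "
              f"corrected={populated(field, value, corrected=True)}")
```

Run on the constructed sample, the shipped order gives a file_hash match risk_network and risk_host but no risk_hash, and a DNS query match ends up with risk_hash, risk_network and risk_host on top of risk_system; with the branches reversed each of those matches populates exactly one risk_* field. The emulation also shows that, as quoted, neither version assigns a src or dest match to any risk_* field, since those fields appear only in risk_other's exclusion list.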

XavG
Engager

Nobody? 😕
