Thanks to all that showed up for this presentation.
And thanks very much for all of the post-presentation positive feedback!
As promised here’s a copy of the slides. Share as you like!
Month: March 2022
SIEM Use Case Guide – Part 2
And I’m talking real smoking guns, not crappy anomaly alerts.
From my experience, the most effective use cases for threat detection are those which simply:
- Provide a list of detections which have a high confidence of threat
- Look for validations which follow the detection.
So:
Here’s an example for logic that would provide good use cases involving malicious intent:
- First create a list of detections that provide very high confidence of a threat.
- This is easier than you think if you’ve been using a SIEM for some time.
- Just look back at both rules that have fired and those which have not.
- The ‘have not fired’ rules like ‘Hafnium detected’ are likely very fined rules so when they do alert it’s likely for good reason.
- The rules that have fired, are consistently a true positive, and identify as a threat, is likely a very short list.
- Follow that with evidence from 1 or more additional alerts to ‘validate’ the first alert.
The ‘direction’ of the action might also be important, eg:
Inbound > outbound detection with validation of sustained activity.
Here’s a couple of specific examples:
- Detection: EDR callback
- Relevant entities: src_ip and dest_ip
- Validation1: EDR detection fires a 2nd distinct threat alert at src_ip
- Validation2:Firewall traffic continues for 15 min to dest_ip
- Email Malware ‘onclick=true’ (user clicked on a malicious link)
- Then followed by logic from rule #1 above.
Additional thoughts:
Validations do not have to be part of the SIEM threat detection. They can be added from SOAR playbook(s) and apply ‘tags’ to the alert, which can in turn be used by other correlations or SOAR playbooks. Eg. tag: EDR_distinct_threats=2, callback_distinct_count=2
This means the correlations become VERY simple and the validation or ‘recorrelations’ steps are done by the SOAR action.
By using SOAR you can provide full automation of an action by isolating a machine, disabling a user etc.
There should be pressure put on vendors to provide a ‘metric of confidence’ on specific detections. i.e. does ‘High’ really mean High? This makes it easier to create use cases with clear malicious intent since you wouldn’t have to manually compile a list of high confidence detections.
Some thoughts on high confidence alerts:
- Most Sentinel analytic rules with a value of High are high confidence.
- Deception related alerts – this is a new term for many, but it’s catching on.
- Callbacks – Fireeye first made these famous and they’re still a good example of a reliable alert.
Setting up a Splunk Lab in 8 Steps
(Including installing a windows agent so you have data to play with)
- Install linux
- any flavor, Ubuntu might be the easiest.
- maybe I need another quick start guide for installing linux…
- download and install splunk on your linux platform
- It’s free for up to 500MB of data per day
- Start splunk (/opt/splunk/bin/splunk start)
- Login to the splunk web UI: http://<your server IP>:8000
- On Ubuntu, you don’t have to allow access to port 8000, so no need to open access
- Open port 9997 in the splunk UI
- Settings > forwarding and receiving > configure receiving > new receiving port (set to 9997)
- Open port 9997 on linux
- Ubuntu command: sudo ufw allow from any to any port 9997 proto tcp
- On a windows pc, install the Splunk universal forwarder
- Back in the UI, add a data input:
- Settings > data inputs > windows event logs > new windows remote event log > [you should see your windows pc so add it] > add ‘security’ > add it to an index
Done!
Simple-Security 