I no longer have to navigate to multiple tabs or try to figure out how to decode base64. Partial output from Splunk Enterprise SecurityĪs we can see, all the relevant information is presented to me when I look at the event. The following is the output in Splunk ES. I will then format the results using a format block, add a note and then use an action block to update the notable event in Splunk Enterprise Security. Once we know the IPv4 address, we will submit it to VirusTotal for analysis.Īlthough I only use VirusTotal, it would be as easy to configure multiple reputation sources or call a different playbook containing many additional reputation lookups. Next, using regex, another pre-built function, we will automatically extract any IPv4 addresses for us. These functions come pre-installed when you install Splunk SOAR. The first thing we will do is decode the base64 encoded command using a pre-built function. First, we will design a playbook that mimics the steps we took. This next section will use the community edition of Splunk SOAR and out-of-the-box content to build this automation flow. Using the same example and rules from earlier, we will look at how to automate this process to speed up the initial investigation and accelerate our response while maintaining consistency. Next, we will look at how we can use the power of SOAR to perform these same tasks but automate them! Day-in-the-life: with Automation And each analyst’s workflow may have looked different to reach this conclusion. This example was simple, yet it would have still been time-consuming for the analyst, depending on the skill level. If we continued to look closer at this IP, we would find that it has recently been involved with Ransomware and other nefarious activities.įrom here, we would have more than enough information to know that we need to begin our remediation and mitigation efforts. Obviously, I picked a good example of malicious activity, which would probably ruin the rest of this analyst’s day with incident response. In this example, I’ll use VirusTotal, but it would be pretty standard to check multiple sources. Next, we should check the reputation of this IOC. The output shows that the Powershell command opens up a reverse shell to the IP 116.125.12088 over port 8080. Not all analysts have the same skillset, and decoding a base64 command may have taken a junior analyst some time to figure out. In this case, I will be using the web-based tool called Cyberchef. To that end, I will navigate to a base64 decoding tool to closely examine what this Powershell command is doing. The logical next step for me is understanding what this command is doing. Malicious PowerShell Process - Encoded CommandĮxamining the process command line from the output of this alert, we can see a base64 encoded command. As the description for this rule states, “ is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code.” Find more information about this search at. Using an out-of-the-box search designed for Splunk Enterprise Security, we can detect Powershell commands that have been encoded. Since automation is so powerful, I wanted to show a simple workflow that is a big timesaver that has helped many organizations I work with today. This was especially useful on weekends when I could not complete the tasks until Monday. These automation playbooks would interact with our firewall or EDR solution to perform containment actions in a few seconds. I used the community edition to perform simple enrichment tasks and later moved on to using full SOAR capabilities to conditional remediate events based on severity. Phantom opened up a new world of automation I had no time to create. I then came across Splunk SOAR, known as Phantom at the time. After a while, I graduated with more complex automation scripts, but they still weren’t as effective as they could be. Not impressive automation, but it saved me a few clicks. It would launch multiple browsers plugging in the IOC into multiple reputation sources, so I didn’t have to perform the task manually. For example, I created a script where I could input an IOC. I eventually created simple scripts to aid in my incident response so I was not spending time just getting the information I needed. Splunk SOAR helps you as a security analyst to focus on what’s essential, security-taking away meaningless time on tasks that could easily be automated.Īs a former security analyst, one thing I found annoying was spending time on activities that I knew I could automate.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |