
Work(flow)ing Your OSINT

This is part three of the "Hunting with Splunk: The Basics" series.

Picture yourself, a hunter using Splunk, and the words "workflow action" are uttered by your helpful security Splunker...

You: <sarcasm>Uh huh… Workflow actions. Right.</sarcasm>
Me: No really. You should know about these and use them… no one does!
You: I’m not a Splunk Admin… I’m a hunter. I find my fleeing adversary on the Great Plains of Logs. I don’t need your admin stuff.
Me: No one is doing this. You need to start hunting using workflow actions for some awesome pivoting.
You: (after reading this blog) Whoa! mind_blown.gif!!!

Workflow actions make you a faster and more effective analyst. They allow you to skip the laborious steps of logging into various websites to do your job and just get straight to business. Stick with me and I will provide some examples of how to use workflow actions and—as a bonus—give you some great hunting resources that you should be using, if you aren’t already.

But first, what are workflow actions? Workflow actions are knowledge objects in Splunk that let you take a field from your search results and do something with it, either inside Splunk (run another search) or externally (open a web site, run a script, hand it to an application). For me, that usually means taking a field of interest in Splunk and searching for open source intelligence on that field/indicator. This could be anything from an MD5 hash to an IP address. My thought is, I'm going to take this step anyway, so I may as well make my life easier, right? (Of course, the wise readers of this blog will immediately say, "Sure, but why not just have all of this automated?" Keep watching this space for that post.)

With this backdrop, how do we create workflow actions? I'm glad you asked. Select Settings > Fields > Workflow actions and click New.

This is where we make magic happen. Let's use www.robtex.com as an example. Robtex is one of the best websites for open source intelligence on IP addresses and domains. I use it daily. If it's used EVERY day, I should probably automate it, shouldn't I?

There are a couple of important values that need to be completed. The hints below each box are pretty self-explanatory, but make sure you place dollar signs ($) around the field name you are passing into the URI (for example $dest_ip$) so it gets treated as a token and replaced with the field's value rather than sent literally.


Now that we have a workflow action, I can quickly pivot and look for results from robtex.com!


Notice that with my results in hand, I can click the action menu next to dest_ip and see Robtex as an option to pivot to.

But wait, there’s more!

Let's go over a whole passel of different sites that are worth performing open source intelligence pivots to. The screenshot below shows how the workflow_actions.conf file looks after you create an action via the GUI. In the example below, I added several more fields to the fields list so the action is offered on any of them, and used the special token $@field_value$, which is replaced with the value of whichever of those fields you clicked, so one stanza passes any of them to Robtex. Which just goes to show... CLI>GUI :-)
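As an added example (not the conf file from the post or from the author's splunk-hunting-helpers repo), here is what a GET workflow action of this kind looks like when written by hand in workflow_actions.conf. The setting names are the standard workflow_actions.conf settings; the stanza name, the field list and the exact Robtex URL path are assumptions and should be adjusted to your data model and to the site's current query format.

```ini
# Added example, not the post's own workflow_actions.conf.
# Save as $SPLUNK_HOME/etc/apps/<your_app>/local/workflow_actions.conf
# (the app is your choice; "search" is fine for a quick test).
# Splunk conf files only accept comments on their own line, never after a value.

# Stanza name is an assumption; it must be unique across all workflow actions.
[robtex_pivot]
# $@field_name$ / $@field_value$ are the "whichever field was clicked" tokens.
label = Robtex: $@field_name$ = $@field_value$
type = link
# both = offer it in the event-level menu and in each listed field's menu
display_location = both
# The action appears only on these fields (assumed names from a typical
# network/proxy data set); use fields = * to offer it on every field.
fields = dest_ip, src_ip, dest, src, query, dest_host
link.method = get
# blank = new browser tab, so the hunt search stays open
link.target = blank
# The query-string format is an assumption about Robtex; Splunk URL-encodes
# the substituted value, so a value containing & or # stays one parameter.
link.uri = https://www.robtex.com/?dns=$@field_value$
```

A hand-edited conf file is not picked up until splunkd is restarted (or the debug/refresh endpoint is hit), whereas the GUI applies changes immediately. To confirm what Splunk actually merged from all apps, run `$SPLUNK_HOME/bin/splunk btool workflow_actions list --debug`, which also shows which file each setting came from. Note that Splunk URL-encodes every substituted token by default; the $!field$ form skips that encoding and is only appropriate when a site genuinely needs the raw value.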


With that in mind, take a look at the link.method setting. For many websites, that is going to be GET, since I am pulling information from the site. However, when submitting an IOC to a website, you are sending information and will need to make that a POST instead. Sometimes sites will require a POST even to get data. Crazy, huh?

Here is an example for the website iplocation.net. For those not familiar with iplocation.net, it provides geolocation information for a domain or IP address. To get geolocation data from the site, you will need to POST to it. Notice that link.method = post is defined and that link.postargs.1.key and link.postargs.1.value are set to send the form parameter and the field value to the iplocation.net website.
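The POST variant, as an added example rather than the post's own stanza. The form parameter name (query) and the stanza name are assumptions about iplocation.net's search form; the link.postargs numbering is the standard workflow_actions.conf mechanism for sending form fields.

```ini
# Added example, not the post's own stanza. The form parameter name "query"
# and the stanza name are assumptions about iplocation.net's search form.
[iplocation_geolocate]
label = Geolocate $@field_value$ (iplocation.net)
type = link
display_location = field_menu
fields = dest_ip, src_ip, dest, src
link.target = blank
# post: the indicator travels in the request body, not in the URI,
# so link.uri is just the page that accepts the form.
link.method = post
link.uri = https://www.iplocation.net/
# One numbered key/value pair per form parameter. A second parameter would be
# link.postargs.2.key / link.postargs.2.value, and so on.
link.postargs.1.key = query
link.postargs.1.value = $@field_value$
```

Whether GET or POST, a link-type workflow action hands the indicator to a third party the moment you click it, so the same consideration applies here as with submitting samples to VirusTotal or URLs to urlquery.net: reserve active pivots for indicators you are comfortable exposing, and prefer passive sources (passive DNS, historical whois) for the ones you are not.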


Thanks for visiting and happy hunting!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bonus Material

In the table below, I wanted to provide a sample of sites that I often visit for analysis. At the bottom of this blog is a sample workflow_actions.conf that has workflow actions for most of the resources below; use what you feel is helpful to you. I've even added some sites that I haven't figured out how to make into a workflow action but that are still worth looking at.

| Type | Site | IOCs | Description |
|---|---|---|---|
| IP/Domain, shared domains on IP address | www.Robtex.com | IPs, Domains | One of the best-of-breed tools to investigate domains, IP addresses, and more. |
| IP/Domain information | centralops.net | IPs, Domains | Investigate domains and IP addresses. |
| Geolocate IPs/Domains | iplocation.net | IPs, Domains | Quick way to find the most up-to-date location of an IP from several different vendors. |
| Geolocate IPs/Domains | Infosniper.net | IPs, Domains | Shows location and provides a nice map. |
| Passive DNS, SSL certificates, shared domains on IP address | www.passivetotal.org | IPs, Domains | Research domains, IPs, passive DNS sources, SSL certs, and more. Sign up for a free license. |
| SSL certificates | www.censys.io | SSL certificate hashes | Scans the internet on a daily basis and lets researchers search its library for information on SSL certs and more. |
| Historical whois information | whoisology.com | Domains, Emails, Keywords | Search historical whois information. |
| Passive DNS | passivedns.mnemonic.no | IPs, Domains | Look up recent resolutions for domains and IPs without performing an actual DNS query. |
| Malware | malwr.com | File hashes | Free malware analysis service that allows you to submit files to an open source malware sandbox and search results with an account. |
| Malware | www.hybrid-analysis.com | File hashes | Free malware analysis service that allows you to submit files to a malware sandbox and search results. |
| Malware (and more) | www.virustotal.com | File hashes, IP addresses, Domains | Best-of-breed free malware analysis service that allows you to submit files to a malware sandbox and search results. Users can submit URLs and files TO VirusTotal, but this may tip off adversaries to your action. Usually I recommend just passive research on VT. |
| Domain | www.threatcrowd.org | File hashes, IP addresses, Domains | Search engine for threat data, open source intelligence reports, and other cyber security sources. |
| URLs | urlquery.net | URLs | Submit a URL and it will visit the site, take a snapshot, and analyze it to see if it is malicious. Beware of using this to analyze a link unless you are OK with tipping your hand to the adversary. |
| Search engine | www.google.com | Any field | Google. No discussion needed. However, I'd recommend disabling prefetch: https://www.technipages.com/google-chrome-prefetch |
| Code | www.github.com | Any field | GitHub is one of the largest code repositories on the internet. Often you can find interesting strings from the logs in an adversary's (or tool creator's) GitHub repo. |
| Domains, whois | www.domaintools.com | IPs, Domains | Best of breed for researching DNS history. For a fee, you can set up DNS branding detection and registration history of domains. |
| BGP/ASN | www.bgp.he.net | IPs | Often adversaries utilize the same ASN but different IP addresses. It can be worthwhile to find "malicious" ASNs and alert on them. |
| Passive DNS and more | www.Viewdns.info | IPs, Domains, Names | Provides several different DNS research tools. Can find out registrant histories of domains. |
| Malware | totalhash.cymru.com | IPs, Domains, File hashes | One of the largest collections of malware on the internet. Great searching capabilities. |
| APT reports | www.threatminer.org | Any IOC or keyword | ThreatMiner combines different threat feeds and a searchable repository of APT reports. |
| IP | www.ipinfo.io | IPs | Lightweight site that can quickly find out basic info regarding an IP address. |


Here is the screenshot of my sample workflow_actions.conf that includes many of the sources listed above. If you would like to play with it, you can download it from https://github.com/rkovar/splunk-hunting-helpers.

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.