By Ryan Kovar April 03, 2023
Picture yourself, a threat hunter using Splunk, and the words "workflow action" are uttered by your helpful security Splunker...
You: <sarcasm>Uh huh… Workflow actions. Right.</sarcasm>
Me: No really. You should know about these and use them… no one does!
You: I’m not a Splunk Admin… I’m a hunter. I find my fleeing adversary on the Great Plains of Logs. I don’t need your admin stuff.
Me: No one is doing this. You need to start hunting using workflow actions for some awesome pivoting.
You: (after reading this blog ) Whoa! mind_blown.gif!!!
Workflow actions make you a faster and more effective security analyst. They allow you to skip the laborious steps of logging into various websites to do your job and just get straight to business.
Stick with me and I will provide some examples of how to use workflow actions and — as a bonus — give you some great hunting resources that you should be using, if you aren’t already. Let’s start with open-source intelligence.
What is OSINT?
If you look up the word OSINT, you will see multiple definitions — all of them agree that OSINT, or open-source intelligence, is a collection of publicly gathered data from multiple sources with the intention to create actionable intelligence.
Using OSINT for threat hunting
You might be asking, how does this help with threat hunting?
Well, the great thing about using open-source intelligence is that you have groups working together to create a methodology for processes, tools and integration of data and techniques that allow security professionals to…
- Answer intelligence questions.
- Map out a known threat.
- Take action.
It’s not just security professionals who use OSINT, however. Threat actors also use it to identify vulnerabilities and potential victims.
There are multiple reasons to use OSINT while threat hunting. There are many sources of information to pull from, and we’re often told it’s best to get as much information on something as possible. (There is a caveat to mention; just because you have information, that does not always mean it is intelligent information. You should always remember to find a few different sources that say something similar.)
(Know the difference between threat hunting & threat detecting.)
OSINT hunting example
Let me give you an example of how OSINT can help your hunting. Let's say you see something in a log file that looks strange. So, you start creeping around different social media sites. You see multiple people in the InfoSec community talking about a possible vulnerability being actively exploited in the wild. Bam, that’s the strange line you saw.
Now you are hopefully able to take quick action and deal with the threat. This is a very simple example of using OSINT to help you hunt.
Good spots for OSINT analysis
In the table below, I provide a sample of sites that I often visit for analysis. At the bottom of this blog is a sample workflow_actions.conf that has workflow actions for most of the resources below — use what you feel is helpful to you.
I’ve even added some sites that I haven’t figured out how to make into a workflow action, but would still be worth looking at.
Type |
Site |
IOCs |
Description |
IP/Domain/ |
IPs, Domains |
One of the best of breed tools to investigate Domains, IP addresses and more. |
|
IP/Domain Information |
IPs, Domains |
Investigate Domains and IP addresses. |
|
Geolocate IPs/Domains |
|
IPs, Domains |
Quick way to find the most up-to-date location of a IP from several different vendors. |
Geolocate IPs/Domains |
IPs, Domains |
Shows location and provides a nice map. |
|
PassiveDNS, SSL Certificates, Shared Domains on IP address |
IPs, Domains |
Research Domains, IPs, passive DNS sources, SSL certs, and more. Sign up for a free license. |
|
SSL Certificates |
SSL Certificate Hashes |
Scans the internet on a daily basis and allows researchers to search their library for information on SSL certs and more. |
|
Historical Whois information |
Domains, Emails, Keywords |
Search historical whois information. |
|
Passive DNS |
IPs, Domains, |
Look up domains and IPs and recent resolutions without performing an actual DNS query. |
|
Malware |
File Hashes |
Free malware analysis service that allows you to submit files to an open source malware sandbox and search results with an account. |
|
Malware |
File Hashes |
Free malware analysis service that allows you to submit files to an open source malware sandbox and search results |
|
Malware (and more) |
File Hashes, IP addresses, Domains |
Best of breed free malware analysis service that allows you to submit files to an open source malware sandbox and search results. Users can submit URLs and files TO virustotal but this may result in tipping off adversaries to your action… Usually I recommend just passive research on VT. |
|
Domain |
File Hashes, IP address, Domains |
Search engine for threat data and open source intelligence reports and other cyber security sources |
|
URLs |
URLs |
Submit an URL and it will visit the site, take a snapshot, and analysis it to see if it is malicious. Beware of using this to analyze a link unless you are ok with tipping your hand to the adversary |
|
Search engine |
Any field |
Google. No discussion needed. However, I’d recommend disabling pre-fetch https://www.technipages.com/google-chrome-prefetch |
|
Code |
Any field |
Github is one of the largest code repositories on the internet. Often you can find interesting strings in the logs that may be in adversaries (or tool creators) Github repo. |
|
Domains, whois |
IPs, Domains, |
Best of breed for researching DNS history. For a fee, you can setup DNS branding detection and registration history of domains. |
|
BGP/ASN |
|
IPs |
Often adversaries utilize the same ASN but different IP addresses. It can be worthwhile to find “malicious” ASNs and alert on them. |
PassiveDNS and more |
IPs, Domains, Names |
Provides several different DNS research tools. Can find out registrant histories of domains. |
|
Malware |
IPs, Domains, File Hashes |
One of the largest collections of malware on the internet. Great searching capabilities. |
|
APT reports |
Any IOC or key word |
Threatminer combines different threat feeds and a searchable repository of APT reports. |
|
IP |
IPs |
Lightweight site that can quickly find out basic info regarding an IP address. |
Workflow actions in Splunk
OK, so we know where to get some great intel. Now, what are workflow actions? Workflow actions are knowledge objects in Splunk that provide you the ability to take fields within Splunk and do things with them…
- Within Splunk
- Externally with web sites, scripts or applications
For me, that usually means taking a field of interest in Splunk and searching for open source intelligence on that field/indicator. This could be everything from a MD5 hash to an IP address. My thought is, I'm going to take this step anyway so I may as well make my life easier, right?
(Learn more about workflow actions in Splunk Enterprise.)
Creating workflow actions for threat hunting
With this backdrop, how do we create workflow actions? I’m glad you asked. Select Settings – Fields – Workflow actions and click New.
This is where we make magic happen. Let’s use www.robtex.com as an example. Robtex is one of the best websites for open source intelligence of IP addresses and websites. I use it daily. If it's used EVERY day, I should probably automate it, shouldn’t I?
There are a couple of important values that need to be completed. The hints below each box are pretty self-explanatory, but make sure you place dollar signs ($) around the value that you are passing into a URI so it gets treated as a token.
Now that we have a workflow action, I can quickly pivot and look for results from robtex.com!
Notice how I have my results, click on the action next to dest_ip and see Robtex as an option to pivot to.
But wait, there’s more!
Sites performing OSINT pivots
Let’s go over a whole passel of different sites that are worth performing open source intelligence pivots to.
The screenshot below shows you how the workflow_actions.conf file looks after you create it via the GUI. In the example below, I added several new fields that are available for lookup and a special variable $@field_value$ which allows me to pass any of the available fields to Robtex. Which just goes to show… CLI>GUI :-)
With that in mind, take a look at the link.method field, here:
For many websites, that is going to be a GET since I am pulling information from the site. However, when submitting an IOC to a website, you are sending information and will need to make that a POST instead. Sometimes, sites will require a POST to get data. Crazy, huh?
Here is an example for the website iplocation.net. For those not familiar with iplocation.net, it provides the geolocation information of a domain or IP address.
To get geolocation data from the site, you will need to POST to the site. Notice that the link.method = post is defined and link.postargs.1.key and link.postargs.1.value are set for sending those values to the iplocation.net website.
Download workflow_action.conf sample
Here is the screenshot of my workflow_action.conf sample that includes many of the sources listed above. If you would like to play with it, you can download it from https://github.com/rkovar/splunk-hunting-helpers.
Thanks for visiting and happy hunting!