Using Watchlists to Your Advantage

The Splunk App for Enterprise Security comes with correlation searches that generate notable events. The correlation search for Watchlisted Event Observed is a great template for generating notable events for specific watch lists. You can setup watchlist tags to generate notable events from specific security concerns, such as a missing laptop or suspicious domains.

The correlation search for Watchlisted Event Observed is:

tag=watchlist NOT sourcetype=stash | `get_event_id` | `map_notable_fields`

Make your operations security staff happy and use this correlation search as a template to create other correlation searches for specific watchlists. These new watchlists for other notable events have more context as a result.

To do this, disable the Watchlisted Event Observed correlation search if you have it enabled (it’s disabled by default). Then copy the Watchlisted Event Observed search to a more useful correlation search for the specific watchlists you’re using. Let’s use Watchlisted Asset Observed. In addition to that, you want to setup your tags.

In /splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/tags.conf, we can set up our tags to recognize a stolen laptop by its hostname or MAC address. And if either are logged, then Splunk will bring up all events related to that host or MAC address. A MAC address is especially useful for laptops since the hostname is most likely assigned by DHCP.

stolen = enabled

Now you can modify the Watchlist Asset Observed correlation search to generate a notable event for that stolen laptop. The changes for the new correlation search would look like this:

Correlation Search Name: Stolen Laptop Seen
Domain: Threat
Application Context: SA-ThreatIntelligence
Correlation Search Description: This rule triggers whenever an event is discovered with the tag of “stolen”. Currently, that is tagged by the MAC address for identifying laptops.
Search: tag=stolen NOT sourcetype=stash | `get_event_id` | `map_notable_fields`
Rule Description: A stolen laptop was seen by an $orig_sourcetype$ event observed from $orig_host$. This event may have a high priority and ought to be investigated.

Incident Review with New Watchlist Rule

One last thing, if you add those MAC addresses to assets.csv you can set a priority value on them, which will cause the Urgency field to be set higher if the stolen asset is critical.

Posted by