Splunk Enterprise (SIEM): Splunk App for Enterprise Security 3.0 Asset Investigator

See how the Splunk App for Enterprise Security 3.0 lets you interactively examine security event patterns and create visual correlations.

Video Transcript

Hi, I'm Mark Seward, and I have Vijay Chauhand and Jack Coates with Splunk here. We're going to take a look at some new features of Enterprise Security 3.0, one called the Asset Investigator. And I think Jack is going to kick us off by sort of walking us through the feature and sort of getting us there.

Absolutely. Thanks, Mark. So here we are looking at a notable event that's been raised by a correlation search. And we can see we've got some concerning behavior from a particular asset in our environment. So I want to take a look at the Asset Investigator view for this IP address and find out what's been happening.

So I'm going to launch Asset Investigator from that context menu. And the first thing that happens is the system goes through all of the sources of asset information that it's been handed. That might be Active Directories, CMDBs, LDAP servers, IAM systems. And it pulls together a listing of IP addresses and names and MAC addresses that might be associated with this particular asset.

And all that's represented in the top window here.

It's represented in the top window, and it's also used to search these various event type lanes down here.

And I see those beginning to populate. So in other words, I've got a number of searches that are sort of running here in the background populating various parts of swim lanes, right?

That's right. So within this time range of 24 hours, we can see across the bottom the type of behavior patterns that have been happening over 24 hours. And within the three and a half hours or so that I'm looking at, I actually have got a breakdown in buckets of every type of event that has occurred with this system.

And you can kind of customize which swim lane is the top. I know I tend to like malware attacks at the top. So I don't know if there's a--

Yes, we can rearrange that like this just to get to the visual correlation that makes sense for us. And sure enough, we can get some interesting patterns here. So we can click on some of these events and see what kind of things might be happening in the system.

Now, I notice as you click through these events, it sort of builds a storyboard off to the right-hand side that involves these events in that particular time window, which looks like about what, 5:15 to 5:30-ish? Right around in there.

Exactly.

In fact, I think-- I'm just looking at the storyboard-- I can get the exact time that's involved at the very top, which is 5:12 to 5:20. That's about eight minutes. I've got 26 events. And what kind of story can we pick out from the storyboard here?

Well, I think we can see that we've had some malware get into this system, make changes to the registry or make changes to the file system. It has generated some threat list activity out to known bad locations. And the authentication behavior has gone off the rails. So this system is now reaching out to a lot of other systems and attempting to spread whatever kind of bad news it's picked up here.

So I've got a couple of sources that are involved with 10.11.36.20. So I've got the source. The source is talking to all of these destinations. It's attacking those systems using those particular signatures. And then these particular actions are being performed. So I have that Clue story we've talked about.

That's right. Professor Plum in the library with the lead pipe.

Right. Yeah. So what else can I do from here that's going to help me with the investigation?

So we have a couple of choices. We can send this off to another analyst to look at with exactly the story that we've selected, or we can go look at the raw events. So we can actually drill right down to the raw events that have led us to this decision.

Great. So what I think has happened here is Splunk has built a very complex search on my behalf without me having to go in and write any of this. And I notice that the term data model is used throughout this. Can you talk a little bit about that?

Absolutely. So data models are how we implement our common information model that allows us to actually provide schema-time, on-the-fly parsing. So at search time, we're able to make a decision about whether something is an attack or a malware, IDS event, anything of that sort. And that way, I don't have to actually think about whether I'm looking at NetFlow data or I'm looking at Juniper data or Windows event logs. I'm just asking for authentication or IDS behavior.

So to finish off my investigation, I'm really looking at the 74 events that were on my storyboard. And I'm going through the raw log data looking chronologically at what happened first, second, and third across that time span so I can begin to sort of suss out what occurred. Is that right?

That's right. We've gone from an analytics tool-- sorry, we've gone from a notable event to an analytics tool that has brought us straight to raw data. So I'm able to take forensic action now.

Well, thanks for the overview of the Asset Investigator, Jack.
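The workflow described in the video (expand an asset to every identifier the inventory knows for it, normalize raw events from different sources into common categories at search time, then bucket the matching events into per-category swim lanes and a chronological storyboard) can be sketched in plain Python. The following is an added illustration, not Splunk code and not how Enterprise Security implements data models or the Common Information Model internally; the asset inventory, the event sources (Windows security log, Snort, a web proxy, an antivirus agent), the field names and every event below are constructed for this example, and the 10.11.36.20 address is reused from the transcript only as the asset under investigation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory, as if merged from AD, a CMDB and LDAP: one asset
# is known by two IPs, two hostname spellings and a MAC address.
ASSET_LOOKUP = {
    "ws-finance-07": {
        "ip": {"10.11.36.20", "10.11.36.21"},
        "nt_host": {"ws-finance-07", "ws-finance-07.corp.example"},
        "mac": {"00:11:22:33:44:55"},
    },
}

# Constructed raw events: (source type, ISO timestamp, source-specific fields).
RAW_EVENTS = [
    ("av", "2013-10-01T05:11:40", {"host": "ws-finance-07", "threat": "Trojan.Generic.Downloader", "action": "quarantine_failed"}),
    ("windows", "2013-10-01T05:12:05", {"EventCode": "4625", "Workstation_Name": "dc01", "Target_User": "administrator", "Source_Network_Address": "10.11.36.20"}),
    ("windows", "2013-10-01T05:13:10", {"EventCode": "4625", "Workstation_Name": "srv-files-01", "Target_User": "administrator", "Source_Network_Address": "10.11.36.20"}),
    ("proxy", "2013-10-01T05:14:00", {"client": "10.11.36.20", "dest_host": "203.0.113.7", "threat_match": "known_c2_list"}),
    ("windows", "2013-10-01T05:15:00", {"EventCode": "4625", "Workstation_Name": "dc01", "Target_User": "jsmith", "Source_Network_Address": "10.11.36.99"}),  # unrelated host
    ("snort", "2013-10-01T05:16:30", {"src_ip": "10.11.36.21", "dst_ip": "10.11.36.50", "msg": "NETBIOS SMB remote code execution attempt"}),
    ("windows", "2013-10-01T05:19:45", {"EventCode": "4624", "Workstation_Name": "srv-files-01", "Target_User": "administrator", "Source_Network_Address": "10.11.36.20"}),
    ("proxy", "2013-10-01T04:30:00", {"client": "10.11.36.20", "dest_host": "intranet.corp.example", "threat_match": None}),  # outside window
]

WINDOW_START = datetime(2013, 10, 1, 5, 10)
WINDOW_END = datetime(2013, 10, 1, 5, 30)


def asset_identifiers(value):
    """Return every identifier (IPs, hostnames, MAC) of the asset `value` belongs to."""
    needle = value.lower()
    for record in ASSET_LOOKUP.values():
        ids = {i.lower() for kind in record.values() for i in kind}
        if needle in ids:
            return ids
    return {needle}  # unknown asset: the value is all we can search on


def normalize(source, ts, fields):
    """Search-time normalization into CIM-style fields. The category
    (authentication, ids, malware, threat_list, web) is decided here from the
    raw source's own field names, not at index time."""
    if source == "windows":
        code = fields["EventCode"]
        return {"time": ts, "category": "authentication",
                "action": "failure" if code == "4625" else "success",
                "src": fields["Source_Network_Address"], "dest": fields["Workstation_Name"],
                "user": fields["Target_User"], "signature": f"EventCode {code}"}
    if source == "snort":
        return {"time": ts, "category": "ids", "action": "alert",
                "src": fields["src_ip"], "dest": fields["dst_ip"],
                "user": None, "signature": fields["msg"]}
    if source == "proxy":
        matched = fields["threat_match"]
        return {"time": ts, "category": "threat_list" if matched else "web", "action": "allowed",
                "src": fields["client"], "dest": fields["dest_host"],
                "user": None, "signature": matched or "web_request"}
    if source == "av":
        return {"time": ts, "category": "malware", "action": fields["action"],
                "src": None, "dest": fields["host"], "user": None, "signature": fields["threat"]}
    raise ValueError(f"no normalization rule for source {source!r}")


def investigate(asset, events, start, end, bucket_minutes=5):
    """Swim lanes ({category: {bucket: count}}) and a chronological storyboard
    of every normalized event in [start, end) that involves any identifier of the asset."""
    ids = asset_identifiers(asset)
    lanes = defaultdict(lambda: defaultdict(int))
    storyboard = []
    for source, ts, fields in events:
        ev = normalize(source, ts, fields)
        t = datetime.fromisoformat(ev["time"])
        if not (start <= t < end):
            continue
        involved = {v.lower() for v in (ev["src"], ev["dest"]) if v}
        if not involved & ids:
            continue
        minutes_in = int((t - start).total_seconds() // 60)
        bucket = start + timedelta(minutes=minutes_in - minutes_in % bucket_minutes)
        lanes[ev["category"]][bucket.strftime("%H:%M")] += 1
        storyboard.append(ev)
    storyboard.sort(key=lambda e: e["time"])
    return {cat: dict(b) for cat, b in lanes.items()}, storyboard


def summarize(asset, storyboard):
    """The 'Clue story': which of the asset's addresses acted, what they talked
    to, with which signatures, and what actions resulted."""
    ids = asset_identifiers(asset)
    return {
        "sources": sorted({e["src"] for e in storyboard if e["src"] and e["src"].lower() in ids}),
        "destinations": sorted({e["dest"] for e in storyboard if e["dest"] and e["dest"].lower() not in ids}),
        "signatures": sorted({e["signature"] for e in storyboard}),
        "actions": sorted({e["action"] for e in storyboard}),
    }


def run_example(asset="10.11.36.20"):
    lanes, story = investigate(asset, RAW_EVENTS, WINDOW_START, WINDOW_END)
    return lanes, story, summarize(asset, story)


if __name__ == "__main__":
    lanes, story, summary = run_example()
    for category, buckets in lanes.items():
        print(f"{category:15s} {buckets}")
    print(summary)
```

Two points the sketch makes explicit: the storyboard picks up the Snort alert even though it names 10.11.36.21 rather than 10.11.36.20, because the inventory ties both addresses to the same asset, which is exactly why the identifier expansion has to happen before the per-lane searches run; and the 05:15 logon failure from 10.11.36.99 is dropped, so noise from neighbouring hosts does not leak into the asset's lanes.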