Watch this demo of the Splunk Enterprise Security incident review framework to learn how you can detect, analyze and respond to security incidents and threats.
Splunk Enterprise Security allows security analysts to understand the situational status associated with security events and incidents in order for them to make a fast decision to qualify. Let's look at an incident from Enterprise Securities Incident Review Interface. We are looking at a host with multiple correlations search matches that looks concerning. By expanding a notable event, in this case malware activity, we are able to see the various enriched context information about this event associated with potentially an incident.
First, we see a very detailed description about exactly what this event is all about. There seems to be malware activity followed by unusual activity by user Chris [? Marino, ?] and user Chris [? Marino ?] is involved in a sequence of events indicating download data from a malicious domain, followed by an unusual internal activity suggesting further investigation for possible infection. For additional detailed context, we see that this rule recommends disabling user account and further investigate.
Further down, ES presents critical information an analyst needs to qualify and investigate. Starting with devices associated with this event, we see that there are two internal IPs associated with this incident-- 10.10.41.200 and 10.11.36.20, which is indicative of the internal anomaly traffic hosts. We now know that the unusual internal activity from event description involves these two internal IPs and the external IP 126.96.36.199, and is the external IP where Chris interacted to download data.
For each IP, ES automatically looks up asset information for that IP. So the analyst can immediately understand the owner, location, and functions for each IP. There is no need to look up asset database. This information is critical to understanding the situational context, as well as prioritizing the investigations incident. In this case, selected 10.11.36.20 host belongs to Chris [? Marino ?] from America's Business Unit located in San Jose, USA. And it belongs to PCI zone, so it needs to be looked at with higher priority than normal workgroup attached host.
If there are any user IDs involved with an incident, ES presents that information, as well. As you see in this incident, Bill Williams and Chris [? Marino ?] user IDs are involved. Lastly, next to each IP, risk score is presented. ES's risk framework provides the risk contrast amongst different assets based on the information ES has about the IPs and users. These risk scores are measured based on some of different events that are outstanding for each IP or the user.
In this case, IP 10.10.41.200 has the highest score. Because there are more outstanding events associated with this IP, that makes this IP stand out. Also, there is a contrast of users, Chris [? Marino ?] versus Bill Williams, because 10.10.41.200 IP with highest score is owned by Chris.
Splunk Enterprise Securities context enrichment empowers tier 1 analysts to make easy and immediate decisions to further pursue detailed investigation based on the facts that ES pulls together from different sources of data. Based on reviewing the incident that ES curated for us, we need to quickly analyze the external IP 188.8.131.52 by looking at domain dossier. This kind of workflow is implemented and customizable within ES.
As default, we can access action of the external IP field and kick off a domain dossier verification. It looks like this IP is communicating with the domain in Slovakia, which is very suspicious. Finally, to assess the type of different activities that our internal host is initiating, we can kick off an asset investigation search for 10.11.36.20 IP that downloaded data from the suspicious domain.
Asset investigator shows various activities that this potentially infected host has been doing in various security domains, such as authentication, access, traffic, and endpoint. We have enough information to qualify this incident. So we take the ownership of this event, as well as start an investigation case.