Get More Flexibility and Accelerated Searches with the New Endpoint Data Model

Here on the Splunk Security Research Team, we like to think of you as intrepid superheroes who tirelessly guard your companies' network perimeters against the myriad villains of the cyber universe. Our goal is to stock your digital utility belt with the newest and most lethal tools to assist you in your fight against evil.

To that end, November's Splunk Enterprise Security Content Update (ESCU) releases included some powerful updates to searches that are featured in more than 20 Analytic Stories, adapting them to leverage the new Endpoint Data Model. Read on to find out more about the benefits of this data model and why it's such a big improvement over the Application State Data Model and the Change Analysis Data Model, both of which are deprecated.

Why It's a Big Deal

Previously, many of the ESCU Analytic Stories were limited to Sysmon searches. In contrast, the fields and tags in the Endpoint Data Model describe service or process inventory and state, such as UNIX daemons, Windows services, running processes on any OS, or similar systems. In this way, it is orders of magnitude more flexible than Sysmon searches.

Another advantage of the Endpoint Data Model is speed. It allows you to take advantage of data-model acceleration to get significantly faster results.   

Before and After

Below is an example of a search, pre-Endpoint Data Model: 

The same search, adapted for the Endpoint Data Model:

Unfortunately, the Current Sysmon TA is not yet ready to support the Endpoint Data Model, but this functionality is forthcoming. To take advantage of the new Endpoint Data Model, update your Support Add-On CIM using the latest Splunk Common Information Model app (version 4.12.0) from Splunkbase. 

Developer's note: My recommendation would be to become an early adopter and start learning more about the Endpoint Data Model. One tip: make sure that the field names from your endpoint technologies are getting mapped correctly, according to the documentation. For those using TA-Microsoft-Sysmon, we will soon have a new updated version of the TA with accurate mappings to the Endpoint Data Model. — Bhavin Patel, Security Software Engineer, Splunk Security Research Team

But Wait, There's More!

The November ESCU releases also included a couple of new searches. "Detect Processes used for System Network Configuration Discovery" augments the "Unusual Processes" story. We developed this search to address the fact that attackers have a range of built-in Windows tools they leverage to ascertain the topography of a network from the point of view of a compromised machine. It looks for fast execution of processes used for system network configuration discovery on the endpoint. It returns the number of times, as well as the first time and last times, that every process has run for each endpoint. Once you have come up with a list of suspicious process launches for each destination, you can leverage the "transaction" command to see what processes are fired within a five-minute span on an endpoint and detect only those events where the count of these processes is greater than five.

To implement this search, you must be ingesting data that records registry activity from your hosts to populate the Endpoint Data Model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report reads and writes to the registry or that are populated via Windows event logs, after enabling process tracking in your Windows audit settings.

Another new search released in November was "Child Processes of Spoolsv.exe" in the "Windows Privilege Escalation" Analytic Story. It monitors for and investigates activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as “System.”

To leverage this search, you must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

You Know You Want It

Ready to check out all of the new updates? Of course you are! Go download and install it from Splunkbase today.