Detection engineering and threat research teams play a crucial role in ensuring the security of an organization by detecting and responding to potential threats. However, with the growing number of security incidents and the increasing complexity of security systems, it can be challenging for these teams to operate efficiently. This blog outlines the approach that the Splunk Threat Research Team (STRT) uses to develop Splunk Security Content and the ways that customers can take advantage of security content using the Enterprise Security Content Update (ESCU) App to improve detection engineering efficiency.
The post also discusses the new features introduced in Security Content v4.0 to optimize the threat research and detection engineering process. By implementing these strategies and best practices, organizations can ensure that their detection engineering teams are well-equipped to respond to threats. Whether you are a detection engineer, security analyst or a team leader, this blog post provides valuable insights into how to improve the efficiency of your detection engineering team.
The STRT is a group of experts that constantly monitors the threat landscape, identifies emerging threats, and develops new detections to protect Splunk customers. To accomplish this, the team has developed a detection engineering process that consists of five steps: study threats, create datasets, build detections, test detections, and release.
The first step in the detection engineering process is to study threats. This involves analyzing threat intelligence reports, reading security blogs and forums, and keeping up to date with the latest attack techniques. By doing this, the team can identify emerging threats and understand how they operate. This information is critical for building effective detections that can identify and stop attacks before they can do any damage.
Once the team has identified a threat, the next step is to create a dataset. A dataset is a collection of data that the team can use to develop detections. This data might include network traffic logs, endpoint logs, and other types of data that are relevant to the threat. STRT uses the Attack Range to build a detection engineering lab environment and stores the datasets in the open source Attack Data project. The team uses powerful search and analysis capabilities of the Splunk Platform to parse the data and identify patterns that can be used to detect the threat.
With a dataset in hand, the team can start building detections. Detections are rules or queries that are designed to identify specific activities associated with a threat. For example, a detection might look for a specific sequence of commands in network traffic logs that indicate an attacker is attempting to exploit a vulnerability. Detections can be highly targeted, looking for specific indicators of compromise, or they can be more general, looking for patterns of behavior that are associated with a particular threat. The detections written by the security experts from STRT can be explored here.
Before releasing detections to customers, the team tests them to ensure that they are effective and accurate. This involves running the detections against a test dataset that simulates the behavior of an attacker. The team carefully evaluates the results of the test, making adjustments as necessary to improve the detection's accuracy and reduce false positives. You can try it out yourself by using contentctl, which makes detection testing easy.
The final step in the detection engineering process is to release the detections to customers. This involves packaging the detections developed in Security Content into the Splunk ESCU App that can be easily deployed to customer systems. The team works closely with Splunk engineering and support teams to ensure that the update is released smoothly and that customers have access to the latest and most effective protections against emerging threats.
By using the detections packaged in the ESCU App and Splunk Enterprise Security, customers can significantly enhance their organization's security posture and better protect against potential threats. With the ability to quickly and easily deploy these detections, teams can stay ahead of the latest attacks and respond to potential threats before they can do any damage.
So, if you're looking for a comprehensive and effective way to enhance your organization's security, consider using detections built by the Splunk Threat Research team and packaged in the ESCU App. By taking this proactive step, you can help ensure the safety and security of your organization's data and assets.
In order to develop and maintain the over 1200 high-quality detections in the ESCU app, the STRT detection engineering approach is constantly improved and optimized for efficiency. As part of that improvement process, Splunk has released the 4th version of Security Content.
With ESCU and Security Content, we strive to make our detections as useful and efficient as possible for Splunk customers. To that end, we leverage the Common Information Model (CIM) wherever possible, which has been appreciated by many users. However, we understand that some customers may prefer to use the field names of the original log in their detections. For example, they may want to reference the CommandLine field in a Sysmon Event ID 1 event. To address this feedback, we use Sigma to convert our detection logic into different variations, allowing users to choose the version that best suits their needs. With this approach, we can provide both the benefits of the CIM and the flexibility to use original log field names, all without sacrificing the quality of our detections. We are constantly working to improve the experience of our customers, and we appreciate all feedback and suggestions.
Sigma is a versatile and open signature format that provides an intuitive way to describe relevant log events. This makes it an invaluable tool for security professionals looking to create or enhance their detection capabilities. In Security Content, we recognize the importance of providing our customers with options that best fit their needs. That's why we've incorporated Sigma into our workflows, allowing us to easily convert detections between different normalization schemas.
In our latest release, Security Content v4.0, we have leveraged Sigma to streamline this process. Specifically, we can convert detections created in Sigma format to detections that use CIM. This makes it easier for users to benefit from the CIM structure and naming conventions while still being able to use detections created in Sigma format.
A detection written using Sigma format can be converted into a detection leveraging CIM:
The same Sigma detection can be converted to a detection using raw field names:
Another feature allows the conversion of detections developed using Sysmon Event Code 1 data to a detection using Windows Event Code 4688 data with command line logging enabled:
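To make the three conversions described above concrete, here is a small Python renderer, added as an example for this post and not Splunk's own tooling (it is not contentctl or the Sigma backend STRT uses). It takes one Sigma process_creation selection and emits a CIM search, a raw Sysmon Event ID 1 search, and a Windows Event ID 4688 search; the sample rule, the search prefixes and the field mappings are all assumptions constructed for this example.

```python
# Constructed Sigma-style process_creation rule, kept as a dict rather than YAML
# so the example needs no third-party parser; keys use Sigma's field|modifier form.
SIGMA_RULE = {
    "title": "Example: certutil download",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\certutil.exe", "CommandLine|contains": "urlcache"},
        "condition": "selection",
    },
}

# Output variants. Prefixes and field names are assumptions for this example:
# CIM Endpoint.Processes, raw Sysmon Event ID 1 fields, and Windows 4688 fields.
TARGETS = {
    "cim": {"prefix": "| tstats count from datamodel=Endpoint.Processes where",
            "fields": {"Image": "Processes.process_name", "CommandLine": "Processes.process"}},
    "sysmon": {"prefix": 'source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1',
               "fields": {"Image": "Image", "CommandLine": "CommandLine"}},
    "win4688": {"prefix": "source=WinEventLog:Security EventCode=4688",
                "fields": {"Image": "New_Process_Name", "CommandLine": "Process_Command_Line"}},
}

def render_term(field: str, value: str, modifier: str, target: dict) -> str:
    """Map one Sigma field/modifier/value to an SPL comparison for the target schema."""
    mapped = target["fields"].get(field)
    if mapped is None:  # never drop a condition silently: that would widen the detection
        raise ValueError(f"no mapping for Sigma field {field!r} in this target")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')  # SPL quoted-string escaping
    wildcards = {"endswith": ("*", ""), "startswith": ("", "*"), "contains": ("*", "*")}
    left, right = wildcards.get(modifier, ("", ""))  # no modifier means exact match
    return f'{mapped}="{left}{escaped}{right}"'

def sigma_to_spl(rule: dict, target_name: str) -> str:
    """Render a single-selection Sigma rule as an SPL search for one target schema."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("only the plain 'condition: selection' form is handled here")
    target = TARGETS[target_name]
    terms = []
    for key, value in detection["selection"].items():
        field, _, modifier = key.partition("|")  # "Image|endswith" -> ("Image", "endswith")
        terms.append(render_term(field, value, modifier, target))
    return f"{target['prefix']} {' '.join(terms)}"

if __name__ == "__main__":
    for name in TARGETS:
        print(f"[{name}] {sigma_to_spl(SIGMA_RULE, name)}")
```

A field the target schema cannot express raises instead of being skipped, so a converted variant is never quietly broader than the Sigma rule it came from.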
We are committed to using the latest and most effective technologies to help our customers stay secure, and by using Sigma in this way, customers have greater flexibility and a wider range of options when it comes to detecting and responding to security threats.
With Security Content 4.0, the following improvements will also be included in all future detections:
Take action today to significantly enhance your organization's security posture and better protect against potential threats! By using the powerful detections packaged in the ESCU App and Splunk Enterprise Security, you can stay ahead of the latest attacks and respond to potential threats before they can do any damage.
With over 1200 high-quality detections available, the ESCU App is a comprehensive and effective way to enhance your organization's security. By deploying these detections quickly and easily, you can take a proactive step in ensuring the safety and security of your organization's data and assets.
However, it's important to note that maintaining such a large number of detections requires a robust detection engineering approach that is constantly improved and optimized for efficiency. So, don't delay - start using the ESCU App today to help safeguard your organization's security!
Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
We would like to thank the following for their contributions to this post: Patrick Bareiss, Eric McGinnis, Bhavin Patel, Teoderick Contrera, Michael Haag, Mauricio Velazco, Rod Soto, Lou Stella.