
Splunk Retrospective Search Threat Hunting

Abstract

Category: Analytics and SIEM

Cyware Products Used:

  • Cyware Fusion and Threat Response: Fusion and threat response solution to manage the incidents, investigate, and respond automatically using cyber fusion-powered collaboration between your internal security teams.

  • Orchestrate (CO): Security Orchestration solution to manage the playbook and third-party integrations.

Third-Party Integrations Used:

  • Splunk SIEM: Security information and event management (SIEM) tool to retrieve alerts.

Problem Statement

Security analysts perform threat hunting to proactively identify unknown threats within an organization's network. To do so, they gather threat intelligence from various sources, correlate it for analysis, establish which of it is relevant to their own environment, and forward the findings so that the threat can be blocked before it causes harm. In practice, analyzing the large number of intel feeds received from internal and external sources is challenging.

Solution

The Cyware Fusion Center uses the Splunk Retrospective Search playbook to solve this problem and to bring matching SIEM detections into CFTR incidents automatically.

The Splunk SIEM detects unusual behavior on the network by aggregating and correlating event data from disparate sources across your infrastructure: servers, systems, devices, applications, and end users, whether they sit in cloud, hybrid, or on-premises environments. The Splunk Retrospective Search playbook queries the Splunk SIEM against the configured index and retrieves the matching details. The queries can be customized to look for IOCs in events that reach Splunk from different sources. The detection details are then added to the corresponding CFTR incident.

[Figure: Splunk Retrospective Search playbook flow]

How do we solve this problem?

  1. Retrieve the latest alerts: The Splunk Retrospective Search playbook queries the Splunk SIEM against the configured index and retrieves the matching details. If Splunk returns no detections, the playbook notifies the security teams and closes.

  2. Create an Attachment: The playbook creates an attachment file containing the indicators and event details identified by the Splunk SIEM retrospective search.

  3. Update CFTR Incident: The attachment file is added to the incident. The playbook also records the detection details, such as the malicious indicator matched in Splunk SIEM, as a note on the CFTR incident.

  4. Connect the Dots: The playbook links the new detections to related threats and incidents in CFTR, surfacing correlations between otherwise isolated events. It also searches CFTR for the affected user and connects that user to the incident; if no matching user exists, it creates one and connects it to the incident.

  5. Ready for Investigation: The incident is now enriched with the Splunk SIEM detection details. Analysts can pick it up for investigation and response.
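The following Python is an added, self-contained model of the five steps above and of the customizable IOC query described in the Solution section. It is not Cyware's playbook code or the Splunk SDK: the SPL builder, the IOC set, the event records and the incident structure are constructed assumptions. The practical point it adds is input handling: IOC values arrive from external feeds and index names from configuration, so both are validated or quoted before being spliced into the search, otherwise a crafted feed entry could rewrite the SPL that runs with the playbook's Splunk credentials.

```python
"""Offline model of the Splunk Retrospective Search steps described above.

Added example, not Cyware's playbook code or the Splunk SDK. The SPL builder,
the IOC set, the event records and the incident structure are assumptions
constructed for illustration.
"""
import csv
import io
import re

# Constructed sample: indicators from an intel feed (hypothetical values).
IOCS = {
    "dest_ip": ["203.0.113.10"],
    "dest_host": ["malware-c2.example"],
    "file_hash": ["44d88612fea8a8f36de82e1278abb02f"],
}

# Constructed sample: events as a Splunk search job might return them.
EVENTS = [
    {"_time": "2024-03-01T10:15:00Z", "index": "proxy", "user": "alice",
     "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_host": "cdn.example"},
    {"_time": "2024-03-01T11:02:00Z", "index": "proxy", "user": "bob",
     "src_ip": "10.0.0.9", "dest_ip": "198.51.100.7", "dest_host": "malware-c2.example"},
    {"_time": "2024-03-02T08:30:00Z", "index": "proxy", "user": "carol",
     "src_ip": "10.0.0.12", "dest_ip": "192.0.2.44", "dest_host": "intranet.example"},
]

# Index names come from playbook configuration; allow only plain identifiers.
INDEX_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def spl_quote(value: str) -> str:
    """Quote an IOC value for SPL. Backslashes and double quotes are escaped so
    a feed entry like  a" OR index=*  cannot alter the search (IOC values are
    untrusted input: they come from external feeds)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_spl(index: str, iocs: dict, lookback_days: int = 30) -> str:
    """Step 1: build the retrospective search for one configured index.
    Any IOC field matching any listed value, bounded to a lookback window."""
    if not INDEX_NAME.match(index):
        raise ValueError(f"refusing unsafe index name: {index!r}")
    clauses = [f"{field}={spl_quote(v)}" for field, values in iocs.items() for v in values]
    fields = " ".join(["_time", "index", "user", "src_ip", *iocs])
    return (f'search index="{index}" earliest=-{lookback_days}d@d '
            f"({' OR '.join(clauses)}) | table {fields}")


def retrospective_search(events, iocs):
    """The same matching applied offline to the sample events: keep events in
    which any IOC field carries an IOC value, recording what matched."""
    hits = []
    for ev in events:
        matched = [(f, ev[f]) for f, values in iocs.items() if ev.get(f) in values]
        if matched:
            hits.append({**ev, "matched": matched})
    return hits


def build_incident_update(hits):
    """Steps 2-3 (and the empty-result branch of step 1): a CSV attachment,
    a note for the CFTR incident, and the users seen in the detections."""
    if not hits:
        return {"status": "closed",
                "notification": "Splunk retrospective search returned no detections."}
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["_time", "index", "user", "src_ip", "indicator_field", "indicator"],
        lineterminator="\n")
    writer.writeheader()
    for h in hits:
        for field, value in h["matched"]:
            writer.writerow({"_time": h["_time"], "index": h["index"], "user": h["user"],
                             "src_ip": h["src_ip"], "indicator_field": field, "indicator": value})
    note_lines = [f"{h['_time']} user={h['user']} src={h['src_ip']} matched {f}={v}"
                  for h in hits for f, v in h["matched"]]
    return {
        "status": "enriched",
        "attachment": {"filename": "splunk_retrospective_search.csv", "content": buf.getvalue()},
        "note": "Splunk retrospective search detections:\n" + "\n".join(note_lines),
        "affected_users": sorted({h["user"] for h in hits}),
    }


def link_users(incident: dict, affected_users, known_users):
    """Step 4: connect each affected user to the incident; users CFTR does not
    know yet are created first. Returns the list of newly created users."""
    created = [u for u in affected_users if u not in known_users]
    incident["users"] = sorted(set(incident.get("users", [])) | set(affected_users))
    return created


if __name__ == "__main__":
    print(build_spl("proxy", IOCS))
    update = build_incident_update(retrospective_search(EVENTS, IOCS))
    print(update["note"])
    incident = {"id": "INC-1", "users": []}  # hypothetical incident record
    print("created users:", link_users(incident, update["affected_users"], {"alice"}))
```

In a live run the string from `build_spl` is what gets submitted to Splunk's search API, and the job results take the place of the constructed `EVENTS`; the rest of the flow (attachment, note, user linking, the close-and-notify branch) is unchanged. Keep the lookback bounded: an unbounded retrospective search over a busy index is slow and returns far more than an analyst can triage.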

Benefits

Singular View of Threats

Security teams can automate threat hunting by searching Splunk SIEM events for IOCs and bringing the results together on a single page from which incidents are investigated and remediated.

Faster incident response

Combining a SOAR solution with a SIEM reduces the mean time to detect (MTTD) and the mean time to respond (MTTR). Because many actions are automated, a large share of incidents can be investigated immediately and without manual effort.

Proactive Threat Hunting

The playbook automates the detection of malicious events in the SIEM data already collected, turning threat hunting into a proactive, repeatable activity rather than a one-off manual search.