11/10/2023 0 Comments Splunk enterprise security splunkbaseThis supporting information includes the history related to this event and user, the phase of the Mitre Attack Kill Chain, tactics and techniques used along with a description to help the security analyst understand what needs to be done. In Splunk, visibility into the SAP application and the reported attack is found along with additional information which is correlated in Splunk Enterprise Security. Information is available related to activities regarding this endpoint, IP addresses and current threats or active compromise in the environment.Īdditional information, including a risk score to prioritize the event, can be found in the Splunk Enterprise Security solution. This information is now able to be correlated with Splunk Enterprise Security. Splunk Enterprise Security pulls in the information from the Alert and incorporates this information into the Splunk Enterprise Security in the Incident Review area: Here we can see that the information sent to Splunk Enterprise Security includes the Alert Identifier, the Attack Detection Pattern that was triggered that would be of interest to Splunk, the timestamps, severity level, terminal id and more. In this case, a fully formed JSON record was published to Splunk Enterprise Security: Enterprise Threat Detection supports JSON, CEF, or LEEF formats. These details will be published through the alert publishing feature to Splunk Enterprise Security. In Enterprise Threat Detection, we can see that the initiator, WDFN33984083A was able to access monitored data (sensitive data which turned out to be intellectual property – the pump architecture plans) and was able to download data as a result of the successful brute force attack: We also see the system that was acted upon identified as System ID, Actor and System ID Y13/222. We can also see the network host name initiator – WDFN33984083A who is the bad actor in this case. We can see here that the alert has a unique identifier and was triggered due to the Brute Force Attack Detection Pattern. When an attack detection pattern is triggered in Enterprise Threat Detection, an alert is issued with an alert identifier – it looks like this: First, let’s look at an alert published by Enterprise Threat Detection to Splunk. Here is how an alert from Splunk looks in Enterprise Threat Detection: There is also an out of the box connector available to Enterprise Threat Detection from Splunk Enterprise Security when it finds suspicious behavior at the infrastructure layer. This announced connectivity is an added feature that provides two-way communication with the publishing of an alert to Splunk Enterprise Security for further investigation into the event at the infrastructure level. This out of the box connector can be easily set up in Enterprise Threat Detection and Splunk in order to facilitate collaboration between the SAP Security teams and the Splunk Enterprise Security teams as described in my earlier blog, dated November 21, 2019. Of interest to those customers currently using Splunk Enterprise Security, the recent announcement included a new feature in ETD 2.1 to issue alerts to Splunk Enterprise Security for real time collaboration between SAP Security teams using Enterprise Threat Detection and IT Security teams using Splunk Enterprise Security. The announcement of the newest version Enterprise Threat Detection 2.1 was made on Decemin a recent blog by Michael Schmitt, the Enterprise Threat Detection Product Manager.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |