The Hunting Extension for Risk Objects (HERO) is a Splunk app designed to streamline security investigations by attributing events to individual users or hosts. HERO dashboards ensure that all results are broken down so that only one user and/or one host appears per result. This simplifies the investigative process, making it easy for analysts to identify key actors and hosts in security incidents. The app utilizes Digest, Overview, and Summary panels to provide detailed listings, high-level aggregations, and statistical breakdowns. HERO’s shared input variables allow for a seamless and dynamic filtering experience across multiple panels, correlating data effectively.
Although the full code for the dashboards cannot be shared here due to security concerns, the steps to recreate them are outlined in this guide. By manually adapting HERO to your environment, you’ll not only ensure it fits your security needs but also develop a deeper understanding of the data sources and logs in your SIEM.
The first step is to manually discover and categorize relevant data sources to ensure full visibility into the security landscape. This process helps reveal what data is available in your environment and can also highlight gaps in logging that may prevent comprehensive investigations. Identifying missing data sources or incomplete logs is essential to ensure that all critical events are captured and can be properly attributed.
Example Query for Enumeration:
index=* | stats count by index sourcetype
This query identifies and categorizes all available indices and sourcetypes in Splunk, ensuring comprehensive coverage for your investigation. It’s important to manually investigate the returned results to identify valuable fields.
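As an added example (not code from the original HERO app), the same enumeration can be turned into a HERO-style inventory panel that also surfaces the logging gaps mentioned above. It uses tstats, which answers from index-time metadata and is far cheaper than scanning raw events with index=*, and flags sourcetypes that have stopped reporting. The 30-day window, the 24-hour "stale" threshold and the 100-event "low volume" threshold are constructed placeholders to adjust for your environment. Note that the literal < in the query has to be written as &lt; inside Simple XML.

```xml
<row>
  <panel>
    <title>Data Source Inventory (added example) - one index/sourcetype per line</title>
    <table>
      <search>
        <!-- tstats reads index-time metadata only, so even index=* over 30 days is cheap -->
        <query>| tstats count, min(_time) as first_seen, max(_time) as last_seen where index=* earliest=-30d by index, sourcetype
| eval hours_silent=round((now()-last_seen)/3600,1)
| eval status=case(hours_silent>24, "STALE - no events in the last 24h", count&lt;100, "LOW VOLUME", true(), "OK")
| table index sourcetype status count hours_silent first_seen last_seen
| sort - hours_silent
| convert ctime(first_seen), ctime(last_seen)</query>
      </search>
      <option name="drilldown">none</option>
    </table>
  </panel>
</row>
```

Sorting happens before convert turns the epoch values into display strings; sorting after the conversion would order them as text. A sourcetype that has gone silent sorts to the top, which is where a gap in attribution data first shows up.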
For example, the dashboards I’ve built—such as Security Alerts, Endpoint Telemetry, Authentication, Email, Cloud Activity by Provider, Network Telemetry, Sandbox Results, and Vulnerabilities—all depend on understanding specific fields like host, user, and IP attribution, as well as key payload data such as command-line arguments or filenames. Mapping this data ensures HERO is tailored to your environment and provides the necessary insights for security investigations.
The next step is to segment the data into key categories that align with the themes of your security investigations. This ensures each event is broken down so that each line is attributable to a single user or host, making it easier to investigate and respond to incidents effectively.
In my environment, relevant categories are based on the types of data sources used in specific dashboards. Examples of these categories include:
Each of these categories helps to ensure that data is segmented in a meaningful way, making it easier to drill down into specific events, attribute actions to individual users or hosts, and identify threats across various domains in your environment.
Digest panels provide a detailed listing of events, ensuring that each result is broken down to one user and/or one host per line.
Example Digest Query:
index="endpoint_telemetry" (($Input1$) $andor1$ ($SID$) $andor2$ ($Input2$) $andor3$ ($AID$)) earliest=$time.earliest$ latest=$time.latest$
| rename SHA256HashData as submission_sample_sha256
| join submission_sample_sha256 [search index="soc_sandbox" sourcetype="sandbox:submission"]
| eval Sample=mvappend('submission_original_url','submission_filename')
| rename submission_id as ID
| rename submission_sample_sha256 as SHA256
| rename submission_webif_url as Report
| rename submission_user_email as user
| rename submission_ip_ip as src_ip
| rename submission_score as score
| rename submission_type as type
| rename submission_status as status
| rename submission_verdict as verdict
| rename submission_created as created
| stats count by ID Sample created verdict score SHA256 Report status type src_ip user
| search NOT Sample=null NOT Sample="sample.url"
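The join above is a subsearch: it is bounded by subsearch result and runtime limits, and large endpoint or sandbox volumes silently truncate the correlation. As an added example (not the original app's code), the same Digest can be built from a single search over both indexes: eventstats carries each sandbox verdict onto every endpoint event with the same hash, and a final stats reduces to one host and one user per line. Field names are those used in the guide's own queries; the Input/andor/SID/AID filter block is carried over unchanged and applied only to the endpoint side, so verdicts are still found for whatever the filter selects. The hash is lower-cased on both sides so that case differences between sources do not break the correlation.

```xml
<row>
  <panel>
    <title>Digest - endpoint hashes with sandbox verdicts, no join (added example)</title>
    <table>
      <search>
        <!-- One search over both sources; the endpoint branch carries the shared HERO filters -->
        <query>((index="endpoint_telemetry" SHA256HashData=* (($Input1$) $andor1$ ($SID$) $andor2$ ($Input2$) $andor3$ ($AID$)))
  OR (index="soc_sandbox" sourcetype="sandbox:submission" submission_sample_sha256=*))
  earliest=$time.earliest$ latest=$time.latest$
| eval SHA256=lower(coalesce(SHA256HashData, submission_sample_sha256))
| eval Actor=coalesce(UserName,UserSid,user), Computer=coalesce(ComputerName,ClientComputerName,aid)
| eval Sample=coalesce(submission_original_url, submission_filename)
| eventstats latest(submission_verdict) as verdict, max(submission_score) as score, latest(submission_webif_url) as Report, values(Sample) as Samples by SHA256
| where index="endpoint_telemetry" AND isnotnull(verdict)
| stats earliest(_time) as FirstSeen, latest(_time) as LastSeen, values(process_exec) as Process, values(Samples) as Samples, count as EndpointEvents by SHA256, Computer, Actor, verdict, score, Report
| sort - score
| convert ctime(FirstSeen), ctime(LastSeen)
| table FirstSeen LastSeen Computer Actor Process SHA256 Samples verdict score Report EndpointEvents</query>
      </search>
      <option name="drilldown">none</option>
    </table>
  </panel>
</row>
```

The where clause keeps only endpoint events whose hash has a sandbox verdict, which is the same set the inner join returned, but nothing is lost to subsearch limits. eventstats holds per-hash state in memory for the whole result set, so keep the time range scoped to the investigation rather than running it open-ended.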
Overview panels provide aggregated, high-level insights. These panels summarize events by user or host, ensuring that only one unique user or host is represented per line.
Example Overview Query:
index="endpoint_telemetry" (($Input1$) $andor1$ ($SID$) $andor2$ ($Input2$) $andor3$ ($AID$)) earliest=$time.earliest$ latest=$time.latest$
| eval _time=floor(_time)
| fillnull value="Unknown" GrandParentBaseFileName
| rename ParentBaseFileName as Parent
| rename process_exec as Process
| eval Actor=coalesce(UserName,UserSid,user)
| eval Computer=coalesce(ComputerName,ClientComputerName,aid)
| fillnull value="UNKNOWN" Actor Computer
| stats earliest(_time) as Earliest, latest(_time) as Latest, count by Computer, Actor, CommandLine, Process, Parent
| sort - Latest
| convert ctime(Earliest), ctime(Latest)
Summary panels display distinct counts and key statistics for users or hosts. These panels ensure that results show one user or one host per line with statistical breakdowns.
Example Summary Query:
index="endpoint_telemetry" (($Input1$) $andor1$ ($SID$) $andor2$ ($Input2$) $andor3$ ($AID$)) earliest=$time.earliest$ latest=$time.latest$
| eval Actor=coalesce(UserName,UserSid,user), Computer=coalesce(ComputerName,ClientComputerName,aid)
| fillnull value="UNKNOWN" Actor Computer
| stats dc(process_exec) as UniqueProcesses, values(Actor) as Actors, count by Computer
HERO’s use of shared input variables across panels is crucial for correlating data effectively. By passing consistent filters through each panel, HERO ensures that all displayed data is relevant and filtered in the same way across the board. This design makes the dashboards highly intuitive, as filtering is applied once and reflected across all panels.
Example of Shared Inputs:
<input type="text" token="Input1" searchWhenChanged="false">
  <label>(Input1) - Keyword Query</label>
  <default>#HERO#</default>
</input>
<input type="radio" token="andor1">
  <label></label>
  <choice value="OR">OR</choice>
  <choice value="AND">AND</choice>
  <initialValue>OR</initialValue>
</input>
<input type="multiselect" token="SID">
  <label>(SID)</label>
  <fieldForLabel>Actor</fieldForLabel>
  <fieldForValue>UserSid</fieldForValue>
  <search>
    <query>index="endpoint_telemetry" $autores$ earliest=$time.earliest$ latest=$time.latest$
| eval Actor=coalesce(UserName,user,UserSid)
| fillnull value="UNKNOWN" Actor
| stats count by UserSid Actor</query>
  </search>
  <delimiter> OR </delimiter>
  <choice value="#HERO#">#HERO#</choice>
  <default>#HERO#</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
</input>
<input type="multiselect" token="AID">
  <label>(AID)</label>
  <fieldForLabel>Computer</fieldForLabel>
  <fieldForValue>aid</fieldForValue>
  <search>
    <query>index="endpoint_telemetry" $autores$ earliest=$time.earliest$ latest=$time.latest$
| eval ComputerID=coalesce(ComputerName,ClientComputerName)
| eval Computer=(ComputerID+"-"+aid)
| stats count by aid Computer</query>
  </search>
  <delimiter> OR </delimiter>
  <choice value="#HERO#">#HERO#</choice>
  <default>#HERO#</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
</input>
HERO incorporates dynamic show/hide panels and progress indicators to enhance user experience. These features ensure users can interact with the dashboards while background queries are processing, improving both usability and feedback.
Show/Hide Panels: Panels are displayed only when results are available.
Progress Spinners: Visual indicators show when queries are running, providing immediate feedback to the user.
Example Query with Show/Hide Panels:
<table depends="$panel_showprod$">
  <search>
    <progress>
      <!-- While the job runs: reveal the table as soon as any rows exist, otherwise keep the spinner up -->
      <condition match="'job.resultCount' > 0">
        <set token="panel_showprod">true</set>
      </condition>
      <condition>
        <set token="showSpinnerprod">true</set>
      </condition>
    </progress>
    <done>
      <!-- Job finished: clear the spinner, and hide the table again when the final job had no results
           (otherwise a panel shown by an earlier filter stays visible after an empty re-run) -->
      <condition match="'job.resultCount' > 0">
        <unset token="showSpinnerprod"></unset>
      </condition>
      <condition>
        <unset token="showSpinnerprod"></unset>
        <unset token="panel_showprod"></unset>
      </condition>
    </done>
  </search>
</table>
Example Progress Spinner:
<html depends="$showSpinnerprod$">
  <style>
    .loadSpinner {
      margin: 0 auto;
      border: 5px solid #FFF;
      border-top: 5px solid #3863A0;
      border-radius: 50%;
      width: 20px;
      height: 20px;
      animation: spin 1s linear infinite;
    }
    @keyframes spin {
      0% { transform: rotate(0deg); }
      100% { transform: rotate(360deg); }
    }
  </style>
  <div class="loadSpinner"></div>
</html>
These mechanisms enhance user interactivity by providing clear indicators of query progress and ensuring panels only appear when relevant results are available.
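The fragments above show the pieces separately; as an added example (not the original app's dashboard source), the following complete Simple XML form wires them together: a time input providing the $time.earliest$/$time.latest$ tokens the guide's queries rely on, a keyword input, the Summary query, the spinner, and the progress/done handlers driving both tokens. The form, token names (showSpinnerSummary, panel_showSummary) and the "*" default for Input1 are assumptions for this example; the $autores$ token referenced by the guide's multiselect inputs is not reproduced here.

```xml
<form version="1.1">
  <label>HERO - Endpoint Summary (added example)</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Input1" searchWhenChanged="false">
      <label>(Input1) - Keyword Query</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Spinner: visible only while showSpinnerSummary is set, i.e. while the job below is running -->
      <html depends="$showSpinnerSummary$">
        <style>
          .loadSpinner { margin: 0 auto; border: 5px solid #FFF; border-top: 5px solid #3863A0;
                         border-radius: 50%; width: 20px; height: 20px; animation: spin 1s linear infinite; }
          @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } }
        </style>
        <div class="loadSpinner"></div>
      </html>
      <!-- Table: hidden until panel_showSummary is set by the handlers below -->
      <table depends="$panel_showSummary$">
        <title>Summary - one host per line</title>
        <search>
          <query>index="endpoint_telemetry" ($Input1$) earliest=$time.earliest$ latest=$time.latest$
| eval Actor=coalesce(UserName,UserSid,user), Computer=coalesce(ComputerName,ClientComputerName,aid)
| fillnull value="UNKNOWN" Actor Computer
| stats dc(process_exec) as UniqueProcesses, values(Actor) as Actors, count by Computer
| sort - count</query>
          <progress>
            <!-- Job running: keep the spinner up; reveal the table as soon as rows exist -->
            <condition match="'job.resultCount' > 0">
              <set token="showSpinnerSummary">true</set>
              <set token="panel_showSummary">true</set>
            </condition>
            <condition>
              <set token="showSpinnerSummary">true</set>
            </condition>
          </progress>
          <done>
            <!-- Job finished: drop the spinner; show the table on a non-empty result, hide it otherwise -->
            <condition match="'job.resultCount' > 0">
              <unset token="showSpinnerSummary"></unset>
              <set token="panel_showSummary">true</set>
            </condition>
            <condition>
              <unset token="showSpinnerSummary"></unset>
              <unset token="panel_showSummary"></unset>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The done handler sets panel_showSummary again rather than relying on progress alone, because a fast job can finish before any progress event fires with a non-zero count; and it unsets the token on an empty result so that a panel revealed by an earlier filter does not linger after a re-run that matches nothing.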
HERO is an innovative solution that ensures precise event attribution, correlating data dynamically through shared input variables. With its three-layered approach of Digest, Overview, and Summary panels, HERO enables analysts to track and identify key actors and events with ease. By leveraging shared inputs and intuitive dashboards, HERO streamlines security investigations while ensuring complete coverage of relevant data sources.