Commit

added formatting and added to nav
Signed-off-by: Zachary Christensen <zchristensen@splunk.com>
ZachTheSplunker committed Dec 6, 2023
1 parent 64e0d81 commit 84e26f3
Showing 4 changed files with 35 additions and 19 deletions.
8 changes: 8 additions & 0 deletions docs/searches/index.md
Expand Up @@ -43,3 +43,11 @@ ADDITIONALLY, this frees risk_message to be used as a short and sweet summary ra
## [Risk Notable History](./risk_notable_history.md)

Tyler Younger from the RBA Slack contributed this handy method for including some useful history of risk notables for that risk object when it fires. I played with it a bit and created a version I might use in a dashboard for additional context. You should check with your analysts to see what would be most helpful for them.

## [Threat Object Prevalence](./threat_object_prevalence.md)

One of the great features in RBA is knowing how often something has occurred in an environment; generally, the more rare or anomalous something is, the more likely it is to be malicious. The threat object drilldown in the sample [Risk Investigation Dashboard](https://splunk.github.io/rba/dashboards/risk_investigation/){ target="blank" } is designed to offer an analyst that context, but with a simple saved search, we could use that context in our Risk Notables as well.

## [Threat Object Types](./threat_object_types.md)

Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917){ target="blank" } can be helpful for all three.
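Review bot: `{ target="blank" }` on the three new links sets a window *name* of `blank` rather than using the reserved `_blank` keyword, so every link carrying it reuses one named window instead of opening a fresh tab; change it to `{ target="_blank" }` and consider adding `rel="noopener"`. This trailing-attribute syntax also requires the `attr_list` Markdown extension to be enabled in mkdocs.yml, which the diff does not show.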
15 changes: 8 additions & 7 deletions docs/searches/threat_object_prevalence.md
@@ -1,10 +1,10 @@
# Threat Object Prevalence
# Threat Object Prevalence

One of my favorite features in RBA is knowing how often something has occurred in an environment; generally, the more rare or anomalous something is, the more likely it is to be malicious. The threat object drilldown in the sample [Risk Investigation Dashboard](https://splunk.github.io/rba/dashboards/risk_investigation/) is designed to offer an analyst that context, but with a simple saved search, we could use that context in our Risk Notables as well.
One of my favorite features in RBA is knowing how often something has occurred in an environment; generally, the more rare or anomalous something is, the more likely it is to be malicious. The threat object drilldown in the sample [Risk Investigation Dashboard](https://splunk.github.io/rba/dashboards/risk_investigation/){ target="blank" } is designed to offer an analyst that context, but with a simple saved search, we could use that context in our Risk Notables as well.

## Create a Saved Search
## Create a Saved Search

You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic:
You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic:

```shell linenums="1"
| tstats summariesonly=t count dc(All_risk.risk_object) as dc_objects earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object
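Review bot: the fence is tagged `shell linenums="1"` but the content is SPL, and Pygments has no SPL lexer, so the bash highlighter will colour `|` and `=` as shell syntax; tagging the block `text` keeps the line numbers without misleading highlighting. The new `{ target="blank" }` has the same `blank` versus `_blank` problem as in index.md.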
Expand All @@ -13,11 +13,11 @@
| outputlookup threat_object_count.csv
```

You might want to include more details here, like lists of searches that fired this threat object and so on.
!!! note "You might want to include more details here, like lists of searches that fired this threat object and so on."

## Incorporating into Risk Notables

Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule with some modifications:
Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md){ target="blank" } Risk Incident Rule with some modifications:

```shell linenums="1"
| tstats `summariesonly`
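Review bot: the new `!!! note "You might want to include more details here, ..."` puts the whole sentence in the admonition title and leaves the body empty, which renders as a bare title bar; use `!!! note` on its own line and put the sentence in a four-space-indented body. Two points for the surrounding searches: `| outputlookup threat_object_count.csv` creates the lookup in the saved search's app context, so the Risk Incident Rule that later reads it needs that lookup shared at app or global level and the search owner needs write permission on it; and the first search uses `summariesonly=t` while the second uses the `summariesonly` macro, which should be made consistent so both searches behave the same against the Risk data model.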
Expand Down Expand Up @@ -46,4 +46,5 @@ from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type,

We have to keep in mind order of operations to ensure our logic continues working as intended. I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, especially when observed on multiple machines. Finally I wrapped it back up with `stats` to utilize our score stacking logic again, now informed by our threat object prevalence adjustments.

<<potentially an image here to show the adjusted scores after threat object changed them?>>
<!-- TODO:
potentially an image here to show the adjusted scores after threat object changed them? -->
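Review bot: moving the placeholder into an HTML comment is right, since the `<<...>>` text was rendering on the published page, but hidden TODOs tend to be forgotten; track the missing screenshot as an issue as well. Minor, in the unchanged paragraph above: "I took out the `values()` piece for threat_object, and add it to the `BY` clause" should read "added".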
22 changes: 14 additions & 8 deletions docs/searches/threat_object_types.md
@@ -1,10 +1,14 @@
# Additional Threat Object Types

Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917) can be helpful for all three.
Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917){ target="blank" } can be helpful for all three.


## Threat Object Types

Some potential threat_object_types to keep in mind when creating risk rules:

source | threat_object_type
------ | ------------------
email, endpoint, network, proxy | ip
email, endpoint, proxy | src_user
email, endpoint, proxy | user
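Review bot: the change leaves two consecutive blank lines between the intro paragraph and the new `## Threat Object Types` heading; collapse them to one (markdownlint MD012). Since Risk Rules, drilldowns and the Threat Object Fun dashboards all match on the `threat_object_type` string, the sentence introducing the table should also say these values must be used consistently (same spelling and case) across rules.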
Expand Down Expand Up @@ -34,11 +38,13 @@ proxy | certificate_unit
proxy | http_referrer
proxy | http_user_agent

You could also use open-source server handshake hashing algorithms like [JA3](https://github.com/salesforce/ja3), [JA4](https://github.com/FoxIO-LLC/ja4), [JARM](https://github.com/salesforce/jarm), or [CYU](https://github.com/salesforce/GQUIC_Protocol_Analyzer) to identify anomalous server handshakes and potentially include:
## Other Types

You could also use open-source server handshake hashing algorithms like [JA3](https://github.com/salesforce/ja3){ target="blank" }, [JA4](https://github.com/FoxIO-LLC/ja4){ target="blank" }, [JARM](https://github.com/salesforce/jarm){ target="blank" }, or [CYU](https://github.com/salesforce/GQUIC_Protocol_Analyzer){ target="blank" } to identify anomalous server handshakes and potentially include:

ja3_hash
ja3s_hash
ja4_hash
jarm_hash
cyu_hash
asn
- ja3_hash
- ja3s_hash
- ja4_hash
- jarm_hash
- cyu_hash
- asn
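Review bot: converting the bare lines to `- ` bullets is the right fix, as the six bare lines would have rendered as one run-on paragraph. The unchanged-in-substance intro sentence is imprecise, though: JA3 and JA4 fingerprint the client's TLS ClientHello, JA3S fingerprints the server's response, JARM actively probes and fingerprints a server, and CYU fingerprints GQUIC client handshakes, so "server handshake hashing algorithms ... to identify anomalous server handshakes" should become something like "TLS/QUIC fingerprinting methods ... to identify anomalous client or server handshakes", and `asn` is not a handshake hash at all and deserves its own sentence. Worth a line of caveat too: common browsers and libraries share fingerprints, so these hashes will be highly prevalent and are best paired with the `threat_object_count.csv` prevalence lookup from the previous page before they drive scoring.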
9 changes: 5 additions & 4 deletions mkdocs.yml
Expand Up @@ -42,8 +42,8 @@ markdown_extensions:
- pymdownx.critic
- pymdownx.details
- pymdownx.emoji:
emoji_index: !!python/name:materialx.emoji.twemoji
emoji_generator: !!python/name:materialx.emoji.to_svg
emoji_index: !!python/name:material.extensions.emoji.twemoji
emoji_generator: !!python/name:material.extensions.emoji.to_svg
- pymdownx.highlight:
anchor_linenums: true
line_spans: __span
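Review bot: `material.extensions.emoji` replaces the deprecated `materialx.emoji` module and exists only in mkdocs-material 9.4 and later; the diff touches no requirements or CI file, so confirm the pinned mkdocs-material version provides it, otherwise the docs build fails with an import error on this line.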
Expand Down Expand Up @@ -119,6 +119,8 @@ nav:
- Risk Incident Rules: searches/risk_incident_rule_ideas.md
- Risk info field: searches/risk_info_event_detail.md
- Risk Notable History: searches/risk_notable_history.md
- Threat Object Prevalence: searches/threat_object_prevalence.md
- Threat Object Types: searches/threat_object_types.md
- Dashboards:
- dashboards/index.md
- ATT&CK Matrix Risk: dashboards/attack_matrix_risk.md
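Review bot: the new nav label `Threat Object Types` does not match the page's H1 `Additional Threat Object Types` in threat_object_types.md; align one with the other so the sidebar and page title agree. The order of the three new entries does match the section order added to docs/searches/index.md.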
Expand All @@ -129,5 +131,4 @@ nav:
- Risk Notable Analysis: dashboards/risk_notable_analysis_dashboard.md
- Contributing:
- Contributing Guidelines: contributing/contributing-guidelines.md
- Contributors: contributing/contributors.md

- Contributors: contributing/contributors.md
