We'll be coving the latest and greatest updates to Phantom (SOAR Platform), the ins-and-outs of the new Endpoint Data Model and what you can use it for and finally showcase some of the awesome beta features just released as part of the Splunk Security Essentials App which includes MITRE ATT&CK and Kill Chain Mappings!

1. © 2019 SPLUNK INC.© 2019 SPLUNK INC.
Security-focused
Splunk User Group

2. © 2019 SPLUNK INC.
Agenda
• Housekeeping: Event Overview & House Rules
• Phantom Update (Splunk's SOAR Platform) from Tom Wise
• Endpoint Data Model Breakdown from Adam Thomson
• Showcase of Security Essentials Beta Features from Harry McLaren

3. © 2019 SPLUNK INC.
Hosted by ECS Security
Elite Splunk Partner - UK
– Security / IT Operations / Managed Services (SOC / Splunk)
– Splunk Revolution Award & Splunk Partner of the Year

4. © 2019 SPLUNK INC.
Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing
user group experience for our users, where
they contribute and get involved”
● Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!

5. © 2019 SPLUNK INC.
Phantom Update
(SOAR Platform)
Tom Wise

6. © 2019 SPLUNK INC.
SOARing with
Phantom 4.x
Phantom 4.x Update & Demo

7. © 2019 SPLUNK INC.
$WHOAMI
▶ Tom Wise
• Senior Security Consultant @ ECS Security – 3
Years
• Splunk Consultant – 2 ½ Years
• Phantom Security Solutions Engineer – 6 Months
• Phantom & Splunk Trainer – ~ 1 Year

8. © 2019 SPLUNK INC.
The Why

9. © 2019 SPLUNK INC.
Why SOAR?
The key drivers for a SOAR Implementation are:
• Resource Shortages (#1)
• ~1 – 1.5 Million Security Professionals required to reduce
the global shortage.
• Staffing issues such as retention, motivation, drive the
above concern.
• Escalating Volume of Alerts / Alert Fatigue
• Multiple, “Static Consoles” / Vendors Used for Investigation
• Improvement to Speed of Detection
• Rising Costs Due to All of the Above

10. © 2019 SPLUNK INC.
Why We Can
SOAR Now
▶ Security Products are being designed with extensive
API capabilities
• Beware buggy API’s.
▶ More Cloud-Based services providing context to
events:
• Reputation Services, Sandboxes, Threat
Intelligence Feeds, etc.
▶ Uplift in DevOps capability in the industry driving IT
Automation.
• Not just in Security but all areas of IT.
▶ Python and other robust programming languages.

11. © 2019 SPLUNK INC.
Aren’t We
Already
Automating?
▶ YES!
▶ Tools out there have the necessary capability to
automate :
• Blocking on firewalls, proxies, NAC solutions
• Quarantine endpoints via NAC, EDR
• Remove messages from mailboxes
• Remove files from endpoints, file servers, kill
processes
▶ Not many organisations are automating &
orchestrating these processes together, and there is
almost always a human involved in every process.
• No true combined approach

12. © 2019 SPLUNK INC.
The What

13. © 2019 SPLUNK INC.

14. © 2019 SPLUNK INC.
Case & Ticket Management
Threat
Intelligence
Management
Orchestration
& Automation
Case &
Ticket
Manageme
nt
Workflow
Engine
SOA
R
A fully-capable SOAR platform maintains all
information and enriched data gathered from
automated and orchestrated activities and can
provide a detailed audit log of all actions taken
during the response.

15. © 2019 SPLUNK INC.
Automation & Orchestration
Automation: Setting up a single task to run
on its own – automating one thing. This
single task can be anything from launching a
web server, stopping a service, etc.
Or, automating the creation of a workflow.
Orchestration: Automatically execute a
larger workflow or process comprising of
manual and automated steps.
“You can’t build an Orchestra with a Single
Wood Instrument” - Unknown
Threat
Intelligence
Management
Case & Ticket
Management
Orchestration
& Automation
Workflow
Engine
SOA
R

16. © 2019 SPLUNK INC.
Threat Intelligence
Case & Ticket
Management
Orchestration
& Automation
Threat
Intelligence
Manageme
nt
Workflow
Engine
SOA
R
Threat Intelligence is organised, analysed and refined
information about potential or current attacks that threaten
an organisation.
A good SOAR platform can access multiple feeds to add
enrichment and maintain a view of the threat landscape.

17. © 2019 SPLUNK INC.
Work Flow Engine
Workflow is a part of SOAR but if it’s the only element
required, then a fully-capable SOAR platform is not
required.
Threat
Intelligence
Management
Orchestration
& Automation
Workflow
Engine
Case & Ticket
Management
SOA
R

18. © 2019 SPLUNK INC.
The How-to

19. © 2019 SPLUNK INC.
Where to Start? ▶ Event Enrichment:
• Using SOAR to enrich tickets with information from the
same integration(s) every time, saving analysts time
doing repetitive lookups.
▶ Artifact Extraction and Detonation:
• Take files from EDR systems, Emails, and other methods,
then pass them to a sandbox for detonation and
subsequent report retrieval.
▶ Containment/Eradication:
• Approval and Initiation can be done by an analyst or left
to the automation.
• Interact with EDR, AD, NAC, and many more to assist in
the containment and eradication of Threats/Events.

20. © 2019 SPLUNK INC.
New to Phantom 4.2

21. © 2019 SPLUNK INC.
What’s New?
▶ Custom Code Blocks….(FINALLY!)
▶ Multiple Prompts
▶ Playbook Copy and Save As..
▶ Playbook Metadata
▶ Mission Control / UI Improvements
▶ Clustering Improvements
▶ Unprivileged Install

22. © 2019 SPLUNK INC.
DEMO

23. © 2019 SPLUNK INC.
What’s
Coming? ▶ Mission Control: Summary View
▶ Custom Statuses
▶ Custom Severity
▶ Custom CEF Fields
▶ New HUD
▶ Whitelists for Case Access
▶ Evidence Marking
▶ Automate on Case Data

24. © 2019 SPLUNK INC.
Questions?

25. © 2019 SPLUNK INC.
Endpoint Data
Model Breakdown
Adam Thomson

26. © 2019 SPLUNK INC.
▶ A Data Model is a hierarchically structured search-time mapping of
knowledge about one or more datasets – Splunk docs.
▶ In other words:
• Multiple Data Sources combined together to make a single data set
• Or a method of making data from different origins appear to have the same meaning
• For example, taking logs from multiple Firewall vendors which may ship with a different field
names and unifying them so that all log sources can be searched using the same syntax
What is a Datamodel?

27. © 2019 SPLUNK INC.
▶ In context of security, most Data Models which ship with Splunk tend to shy away
from endpoint data, we have great coverage of of network traffic along with
IDS/Malware alerts
▶ Historically, the only Data Models which reference endpoint like data included
Application State and Change Analysis
▶ However these barely scratched the surface of endpoint data
Current State of Data Models

28. © 2019 SPLUNK INC.
▶ The Endpoint Data Model has been built based on the the Application State and
Change Analysis Data Model, except with extra information you’d expect to
receive from your EDR solution such as:
• Parent/Child Process relationships, process hashes, integrity levels etc
▶ Rather than creating one large model it has been broken down into five separate
datasets for increased performance covering the following area’s:
• Ports, Processes, Services, Filesystem and Registry
Introducing the Endpoint Data Model

29. © 2019 SPLUNK INC.
▶ Ports
• Source and destination ports, state, protocol, creation time, destination
▶ Processes
• Action, process, parent process, process hash, process path, destination
▶ Services
• Service path, hash and executable name, description, service DLL path, hash and signature,
destination
▶ File System
• File access, creation and modification times, destination, user
▶ Registry
• Registry Hive, Registry Value Text, status, process ID, destination
Data Set Break Down

30. © 2019 SPLUNK INC.
▶ Windows Sysmon: Now fully CIM compliant!
• Recommended Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
▶ EDR Solution Logs: Carbon Black, Tanium, Falcon Endpoint Protection
▶ Scripted Inputs: Output from commands such as netstat, ps, etc.
What Data?

31. © 2019 SPLUNK INC.
▶ Excellent Visibility at the Endpoint
• High Fidelity Alerts to assist with hunting and forensics
• Identify Instillation, Persistence, Lateral Movement techniques
• What tools were being used
• Searching for Hashes from IOC’s or Threat Intel
▶ What can we look for?
• New Services/Daemons starting
• Abnormal Registry Key modifications
• Unusual processes or services being launched along with their connections/hashes
• New listening ports established
• New files in places they shouldn’t (WindowsSystem32…)
Benefits
What can we achieve with Endpoint Data?

32. © 2019 SPLUNK INC.
▶ Utilize the accelerated Data Model for:
• Running frequent searches over Endpoint Data with little overhead on performance
• Carrying out endpoint forensics efficiently
▶ The ESCU app now ships with a variety of more advanced use cases based on
the endpoint data model, giving you a good insight into endpoint activity with little
engineering work required. For example:
• Credential Dumping
• Command & Control
• Lateral Movement
Benefits
Why use the Data Model?

33. © 2019 SPLUNK INC.
Before Endpoint Data Model

34. © 2019 SPLUNK INC.
And Now...

35. © 2019 SPLUNK INC.
▶ Base64 Command
• https://splunkbase.splunk.com/app/1922/
▶ Sysmon TA & Add-on
• https://docker.pkg.github.com/splunk/TA-microsoft-sysmon
• https://splunkbase.splunk.com/app/1914/
▶ Common Information Model
• https://splunkbase.splunk.com/app/1621/
▶ ES Content Update App
• https://splunkbase.splunk.com/app/3449/
Resources

36. © 2019 SPLUNK INC.
Showcase of Security
Essentials [Beta] Features
Harry McLaren
(Inspired by Johan Bjerke)

37. © 2019 SPLUNK INC.
Harry McLaren
● Managing Consultant at ECS Security
● Member of SplunkTrust (MVP)
● Leader of the Splunk User Group Edinburgh
● @cyberharibu

38. © 2019 SPLUNK INC.
▶ Initial Version (1.0)
Released January 7, 2017
▶ Latest Version (2.4.1)
Released April 23, 2019
▶ 37,692 Downloads
▶ 389 Examples
Splunk Security Essentials App Overview
How Splunk’s analytics-driven security can be used!

39. © 2019 SPLUNK INC.
▶ ~100 Examples w/ full SPL + Docs ▶ Prescriptive Journey
Splunk Security Essentials
Provides a Journey Forward and Helps You Show Outcomes

40. © 2019 SPLUNK INC.
Analyzes your environment for data
availability and displays content you can
enable.
New rich UI for finding the most
valuable content
✓ Find opportunities for data re-use easily
✓ Get content selection in just 2-3 clicks
✓ Highlight gaps in coverage
✓ Maps active and available content against
MITRE ATT&CK Framework and
Cyber Kill Chain
✓ Shows maturity against the Security Journey
Analytics Advisor for SSE
Key Features

41. © 2019 SPLUNK INC.
▶ The app delivers analytics that can be used to gather status, assess gaps and
plan next steps in security monitoring maturity.
Analytics Advisor for SSE
Key Features
MITRE Mapping Security Journey Maturity Click through to SSE Content view
MITRE ATT&CK Navigator Sankey Flow Cyber Kill Chain Mapping

42. © 2019 SPLUNK INC.
Example outcomes
Content “what-if” scenarios
+ Planned Data sources
Possible today

43. © 2019 SPLUNK INC.
Example outcomes
Current MITRE ATT&CK Mapping

44. © 2019 SPLUNK INC.
Example outcomes
Possible MITRE ATT&CK Mapping

45. © 2019 SPLUNK INC.
Analytics Advisor on Splunkbase

46. © 2019 SPLUNK INC.
Demo

47. © 2019 SPLUNK INC.
▶ Splunk Security Essentials App Download & Instructions
https://splunkbase.splunk.com/app/3435/
▶ How to Install Splunk Security Essentials
https://youtu.be/RVUmSsS-81M
▶ Introducing Analytics Advisor to Splunk Security Essentials
https://www.splunk.com/blog/2019/04/25/introducing-analytics-advisor-to-splunk-
security-essentials.html
▶ Using Security Essentials 2.4: Analytics Advisor
https://www.splunk.com/blog/2019/05/15/using-security-essentials-2-4-analytics-
advisor.html
Resources