Splunk Use Cases

Introduction

This document describes how to identify high-risk matches to Recorded Future intelligence in your environment, organized by use case. What makes a match high risk is not only the kind of activity the indicator is associated with, but also the direction of the connection and the action taken on the request (i.e. blocked vs. allowed). Splunk alerts can run the searches below on a schedule and escalate matches to the Security Operations team. The searches are samples and will require customization to your environment.

Use Cases

C&C Traffic

Command and control (C&C) is one of the most damaging activities in the later phases of an attack: C&C infrastructure is what the attacker uses to direct data exfiltration, distributed denial of service, reboots, or shutdowns. Recorded Future provides intelligence for C&C domains, URLs, and IP addresses. To identify traffic that may be C&C activity, focus on outbound allowed connections to known C&C infrastructure in firewall logs, DNS logs, web proxy logs, or NetFlow. The searches below exclude the "Historical C&C Server" rule because it reflects past rather than current evidence.

IP Intelligence

Firewall Search

sourcetype=firewall earliest=-24h action=allowed NOT((src="10.0.0.0/8" OR src="172.16.0.0/12" OR src="192.168.0.0/16") AND (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16"))
| eval Name=dst
| lookup rf_ip_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*C&C* NOT Rule="Historical C&C Server"
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

URL Intelligence

Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| eval Name=url
| lookup rf_url_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search (Rule=*C&C* OR Rule=*Weaponized*) NOT Rule="Historical C&C Server"
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

Domain Intelligence

DNS Search

sourcetype=dns earliest=-24h 
| eval Name=query
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search (Rule=*C&C* OR Rule=*Weaponized*) NOT Rule="Historical C&C Server"
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| eval Name=domain
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search (Rule=*C&C* OR Rule=*Weaponized*) NOT Rule="Historical C&C Server"
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

Phishing

Phishing is the most commonly used attack vector to infiltrate an organization because it is effective: it targets people rather than software, and people remain the weakest link in the security chain. Recorded Future provides intelligence for phishing domains, URLs, and IP addresses. To identify potentially successful phishing attacks, focus on outbound allowed connections to known phishing domains and URLs in web proxy logs, or to phishing infrastructure in firewall logs or NetFlow.

IP Intelligence

Firewall Search

sourcetype=firewall earliest=-24h action=allowed NOT((src="10.0.0.0/8" OR src="172.16.0.0/12" OR src="192.168.0.0/16") AND (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16"))
| eval Name=dst
| lookup rf_ip_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Phishing*
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

URL Intelligence

Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| eval Name=url
| lookup rf_url_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Phishing*
| stats values(src) as src, values(_time) as _time, values(RiskScore) as RiskScore, values(RiskString) as RiskString, values(Rule) as Rule, values(EvidenceString) as EvidenceString, count(src) as count by Name
| rename Name as Indicator

Domain Intelligence

DNS Search

sourcetype=dns earliest=-24h 
| eval Name=query
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Phishing* OR Rule=*COVID*
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| eval Name=domain
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Phishing*
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

DNS & Proxy Search

DNS events carry the queried name in the query field and proxy events carry it in the domain field, so Name is set from whichever one is present.

(sourcetype=dns OR (sourcetype=proxy AND action=allowed)) earliest=-24h 
| eval Name=coalesce(query, domain)
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search (Rule=*Phishing* OR Rule=*COVID*)
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

Ransomware

Ransomware attacks continue to rise and are widely reported. Ransomware is commonly distributed via phishing and drive-by downloads. Recorded Future provides domain and URL intelligence on sites distributing ransomware. To identify ransomware in the distribution phase of the attack, focus on outbound allowed connections to known ransomware distribution sites in web proxy and DNS logs.

Domain Intelligence

DNS Search

sourcetype=dns earliest=-24h 
| eval Name=query
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Ransomware*
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator


Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| rex field=dest "://(?<domain>[^/:]+)"
| eval Name=domain
| lookup rf_domain_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Ransomware*
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator

URL Intelligence

Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| eval Name=url
| lookup rf_url_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search Rule=*Ransomware*
| eventstats count(src) as count by Name
| table src, Name, count, _time, RiskScore, RiskString, Rule, EvidenceString
| rename Name as Indicator
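The C&C, Phishing and Ransomware searches above are all one pattern: join the log's indicator field to the risk list, unpack the EvidenceDetails JSON into rule names, keep the events whose rules match, and count hits per indicator. The Python below is an added example that is not part of this article or of the Recorded Future Splunk app; it runs that pattern over a handful of constructed log events and constructed risk lists in the same four-column layout the lookups read. Every IP, domain, URL, score and rule name in it is made up for illustration, except the "Historical C&C Server" rule name the searches exclude. It also demonstrates something the SPL hides: Rule is a multivalue field after spath, so `NOT Rule="Historical C&C Server"` drops an indicator that carries the historical rule alongside a current C&C rule. The splunk_semantics flag reproduces that behaviour; turning it off keeps such indicators and reports only their current rules.

```python
import csv
import fnmatch
import io
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed risk lists in the layout the lookups read (Name, Risk, RiskString,
# EvidenceDetails). Indicators, scores and all rule names except
# "Historical C&C Server" are made up for this example.
def _risklist_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Name", "Risk", "RiskString", "EvidenceDetails"])
    for name, risk, risk_string, rules in rows:
        evidence = {"EvidenceDetails": [{"Rule": r, "EvidenceString": s} for r, s in rules]}
        writer.writerow([name, risk, risk_string, json.dumps(evidence)])
    return buf.getvalue()

RISKLIST_TEXT = {
    "ip": _risklist_csv([
        ("203.0.113.7", 89, "2/50", [("Recent C&C Server", "seen serving C&C this week"),
                                     ("Historical C&C Server", "seen serving C&C last year")]),
        ("198.51.100.9", 35, "1/50", [("Historical C&C Server", "seen serving C&C last year")]),
    ]),
    "domain": _risklist_csv([
        ("phish.example", 72, "1/50", [("Phishing Host", "hosts a credential form")]),
        ("ransom.example", 95, "1/50", [("Ransomware Distribution Site", "serves a locker")]),
    ]),
    "url": _risklist_csv([
        ("https://ransom.example/payload.exe", 95, "1/50",
         [("Ransomware Distribution URL", "serves a locker")]),
    ]),
}

def load_risklist(text):
    """Index a risk list by Name. Turning EvidenceDetails into a list of rule
    names is what spath(EvidenceDetails, "EvidenceDetails{}.Rule") does in SPL."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        evidence = json.loads(row["EvidenceDetails"])["EvidenceDetails"]
        table[row["Name"]] = {"Risk": int(row["Risk"]), "RiskString": row["RiskString"],
                              "Rule": [e["Rule"] for e in evidence],
                              "EvidenceString": [e["EvidenceString"] for e in evidence]}
    return table

RISKLISTS = {kind: load_risklist(text) for kind, text in RISKLIST_TEXT.items()}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

# Constructed log events shaped like the three sourcetypes the searches use.
EVENTS = [
    {"sourcetype": "firewall", "action": "allowed", "src": "10.1.2.3", "dst": "203.0.113.7", "_time": 1},
    {"sourcetype": "firewall", "action": "allowed", "src": "10.1.2.4", "dst": "203.0.113.7", "_time": 2},
    {"sourcetype": "firewall", "action": "allowed", "src": "10.1.2.3", "dst": "10.1.9.9", "_time": 3},
    {"sourcetype": "firewall", "action": "blocked", "src": "10.1.2.3", "dst": "198.51.100.9", "_time": 4},
    {"sourcetype": "dns", "src": "10.1.2.5", "query": "phish.example", "_time": 5},
    {"sourcetype": "proxy", "action": "allowed", "src": "10.1.2.6", "domain": "ransom.example",
     "url": "https://ransom.example/payload.exe", "_time": 6},
    {"sourcetype": "proxy", "action": "denied", "src": "10.1.2.7", "domain": "ransom.example",
     "url": "https://ransom.example/payload.exe", "_time": 7},
]

def indicators(event):
    """Base-search filters plus the eval Name=... step: (risk list, value) pairs to
    look up. Firewall and proxy events need action=allowed, and internal-to-internal
    firewall traffic is dropped exactly as the searches do."""
    st = event["sourcetype"]
    if st == "firewall":
        if event.get("action") != "allowed" or (_internal(event["src"]) and _internal(event["dst"])):
            return []
        return [("ip", event["dst"])]
    if st == "dns":
        return [("domain", event["query"])]
    if st == "proxy" and event.get("action") == "allowed":
        return [("url", event["url"]), ("domain", event["domain"])]
    return []

def find_matches(events, rule_glob, exclude_rules=(), min_risk=0, splunk_semantics=True):
    """Equivalent of | search Rule=<glob> NOT Rule="<excluded>" [RiskScore>=N]
    followed by | eventstats count(src) as count by Name.

    splunk_semantics=True mirrors SPL on the multivalue Rule field: NOT Rule="X"
    drops the indicator if ANY of its rules is X. False keeps an indicator as long
    as at least one matching rule is not excluded, and reports only those rules."""
    matches = []
    for ev in events:
        for kind, name in indicators(ev):
            entry = RISKLISTS[kind].get(name)
            if entry is None or entry["Risk"] < min_risk:
                continue
            hit = [r for r in entry["Rule"] if fnmatch.fnmatchcase(r, rule_glob)]
            if splunk_semantics:
                if not hit or any(r in exclude_rules for r in entry["Rule"]):
                    continue
                rules = entry["Rule"]
            else:
                rules = [r for r in hit if r not in exclude_rules]
                if not rules:
                    continue
            matches.append({"src": ev["src"], "Indicator": name, "_time": ev["_time"],
                            "RiskScore": entry["Risk"], "RiskString": entry["RiskString"],
                            "Rule": rules})
    per_indicator = Counter(m["Indicator"] for m in matches)
    for m in matches:
        m["count"] = per_indicator[m["Indicator"]]
    return matches

if __name__ == "__main__":
    for m in find_matches(EVENTS, "*C&C*", ("Historical C&C Server",), splunk_semantics=False):
        print(m)
```

With the constructed data, `find_matches(EVENTS, "*C&C*", ("Historical C&C Server",))` returns nothing, because the only C&C destination that was contacted also carries the historical rule; the same call with `splunk_semantics=False` returns both connections to it, tagged only with the current rule. The ransomware call with `min_risk=80` returns a URL match and a domain match for the same allowed proxy event, which is also what the combined URL and domain query later in this document produces.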


Malware Beaconing

Identifying malware takes more than a good antivirus solution. One way to find evasive malware in your environment is to look for beaconing: repeated outbound connections to the same destination, often on a schedule. Beaconing is easy to miss because it is a needle in the haystack of network logs, especially when the traffic is blocked and denies are rarely reviewed. To identify potential beaconing, focus on recurring outbound blocked traffic to Recorded Future indicators in firewall and DNS logs. The search below uses Splunk's timechart command so the activity can be visualized; the "Line Chart" view works best. Set the timechart span shorter than the interval you expect to see (over a 24-hour window timechart defaults to 30-minute bins, which flattens a 5-minute beacon into a steady line rather than spikes), then look for destinations with recurring spikes. Recurrences on a regular interval, such as every 5 minutes, are likely beaconing. More advanced malware uses jitter or an irregular schedule, but repeated contact with the same indicator is still visible in this view. The lookup leaves Risk empty for destinations that are not on the risk list, so the search keeps only matched destinations before charting; without that filter every blocked destination would be plotted.

IP Intelligence

Firewall Search

sourcetype=firewall earliest=-24h action=blocked NOT((src="10.0.0.0/8" OR src="172.16.0.0/12" OR src="192.168.0.0/16") AND (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16"))
| eval Name=dst
| lookup rf_ip_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
| eval RiskScore = Risk
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
| search RiskScore=*
| timechart span=1m limit=10 count(src) by Name
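The timechart gives the analyst the picture; the Python below is an added example, not from this article or from Recorded Future, that expresses the same idea as a scoring function you could run over exported blocked-firewall events. The events and the set of risk-listed IPs are constructed: one host contacts a listed IP every five minutes with a few seconds of jitter, a second contacts a listed IP at irregular times, and a third hits a destination that is not on the list. beacon_candidates ranks listed destinations by how tightly their inter-arrival gaps cluster around the median gap, and timechart mirrors the SPL command, including the fact that without a risk-list filter it charts every blocked destination.

```python
import statistics
from collections import defaultdict

# Constructed: destinations assumed to be on rf_ip_risklist.csv (made-up IPs).
RF_IP_INDICATORS = {"203.0.113.7", "198.51.100.9"}

def sample_events():
    """Constructed blocked-firewall events (times are epoch seconds):
    10.1.2.3 -> 203.0.113.7 every ~300 s with a few seconds of jitter (a beacon),
    10.1.2.4 -> 198.51.100.9 at irregular times,
    10.1.2.5 -> 192.0.2.50, which is not on the risk list."""
    jitter = [0, 3, -2, 5, -4, 1, 0, -3, 2, 4, -1, 0]
    beacon = [i * 300 + j for i, j in enumerate(jitter)]
    irregular = [0, 47, 900, 1010, 4000, 4100, 7777]
    unlisted = [10, 20, 30, 5000, 5001, 5002]
    events = []
    events += [{"action": "blocked", "src": "10.1.2.3", "dst": "203.0.113.7", "_time": t} for t in beacon]
    events += [{"action": "blocked", "src": "10.1.2.4", "dst": "198.51.100.9", "_time": t} for t in irregular]
    events += [{"action": "blocked", "src": "10.1.2.5", "dst": "192.0.2.50", "_time": t} for t in unlisted]
    return events

def timechart(events, span=60, indicators=None):
    """timechart span=<span>s count(src) by Name, as {dst: {bin_start: count}}.
    With indicators=None every blocked destination is charted, which is what the
    SPL does if no risk-list filter precedes timechart."""
    chart = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] != "blocked":
            continue
        if indicators is not None and ev["dst"] not in indicators:
            continue
        chart[ev["dst"]][ev["_time"] // span * span] += 1
    return {dst: dict(bins) for dst, bins in chart.items()}

def beacon_candidates(events, indicators, min_hits=6, tolerance=0.15):
    """Rank (src, dst) pairs whose dst is on the risk list by how regular their
    inter-arrival gaps are. regularity = share of gaps within +/-tolerance of the
    median gap: 1.0 is a fixed-interval beacon, jittered beacons score high,
    opportunistic traffic scores low."""
    times = defaultdict(list)
    for ev in events:
        if ev["action"] == "blocked" and ev["dst"] in indicators:
            times[(ev["src"], ev["dst"])].append(ev["_time"])
    rows = []
    for (src, dst), ts in times.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps)
        regular = sum(1 for g in gaps if abs(g - median) <= tolerance * median) / len(gaps)
        rows.append({"src": src, "dst": dst, "hits": len(ts),
                     "median_interval": median, "regularity": round(regular, 2)})
    return sorted(rows, key=lambda r: r["regularity"], reverse=True)

if __name__ == "__main__":
    for row in beacon_candidates(sample_events(), RF_IP_INDICATORS):
        print(row)
```

On the constructed data the jittered beacon scores a regularity of 1.0 with a median interval of about five minutes, the irregular host scores 0.0, and the unlisted destination never appears in the ranking even though it shows up in the unfiltered timechart. Tune min_hits and tolerance to your environment; a 15% tolerance keeps small jitter while still rejecting random traffic.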

Customizing for Your Environment

  • Include indexes at the beginning of the search where possible to improve search performance
  • Set sourcetype to match your environment
  • To use the URL intelligence, ensure that the protocol is included in the url field of your logs. Recorded Future URL intelligence contains the protocol, so there will be no match unless it is also present in the logs you are searching against.
    • i.e. https://www.recordedfuture.com instead of www.recordedfuture.com
  • | eval Name=dst → change dst (or query or url, depending on the example) to the field in your logs that you want to search for indicators
  • You can further limit the results by Risk Score by adding it to the last search command in the query
    • | search Rule=*Ransomware* RiskScore>=80
  • Rule is a multivalue field after spath, so NOT Rule="Historical C&C Server" drops an indicator that has the historical rule alongside a current C&C rule. If you want those indicators kept, filter the values instead of the events:
    • | eval CurrentRule = mvfilter(match(Rule, "C&C") AND Rule!="Historical C&C Server") | where isnotnull(CurrentRule)
  • Proxy searches for domain intelligence rely on the domain being parsed out of the logs. If the domain is not parsed, add the following line before the first eval command. The pattern stops at the first slash or colon, so it also handles URLs with no path and strips a port, either of which would otherwise prevent a match:
    • | rex field=dest "://(?<domain>[^/:]+)"
  • Internal traffic is removed from firewall searches to improve performance. Internal-to-internal traffic has no external IP, so it can never match IP intelligence.
  • Firewall search performance can be improved further by excluding DMZ or guest Wi-Fi source networks in the base search if they are not of interest. Put the extra NOT outside the internal-to-internal clause so those sources are dropped regardless of destination:
    • sourcetype=firewall earliest=-24h action=allowed NOT src="GUEST WIFI HERE" NOT((src="10.0.0.0/8" OR src="172.16.0.0/12" OR src="192.168.0.0/16") AND (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16"))
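Three of the customization points above are about getting the lookup key right before the lookup runs: the domain has to be extracted cleanly from a URL, URL intelligence only matches when the scheme is present, and the base-search exclusions have to drop the right traffic. The Python below is an added example, not part of this article, that checks each of these on constructed inputs. PAGE_REX is the rex pattern from the original article, `://(?<domain>[^/]+)/.+`, kept so its gaps are visible; TOLERANT_REX, extract_domain, url_lookup_keys and keep_firewall_event are my own suggestions, and the assumption behind url_lookup_keys (trying both http and https when the log has no scheme) is mine, not Recorded Future's.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# The article's original rex pattern, and an assumed more tolerant replacement.
PAGE_REX = re.compile(r"://(?P<domain>[^/]+)/.+")
TOLERANT_REX = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://)?(?:[^/@]+@)?(?P<domain>[^/:?#]+)", re.I)

def rex_domain(dest, pattern=PAGE_REX):
    """What | rex field=dest "<pattern>" would put in the domain field (None = no match,
    which in Splunk means the lookup runs on an empty key and cannot match)."""
    m = pattern.search(dest)
    return m.group("domain") if m else None

def extract_domain(dest):
    """Host for the domain risk-list lookup: strips scheme, userinfo, port, path and query,
    and accepts a bare 'host/path' value with no scheme at all."""
    if "://" not in dest:
        dest = "//" + dest          # let urlsplit treat the leading token as the authority
    return urlsplit(dest).hostname  # lowercased, with port and userinfo removed

def url_lookup_keys(log_url):
    """URL intelligence carries the scheme. If the proxy logged the URL without one, try both
    schemes as lookup keys (assumption: a match on either is acceptable to you)."""
    if re.match(r"^[a-z][a-z0-9+.\-]*://", log_url, re.I):
        return [log_url]
    return ["http://" + log_url, "https://" + log_url]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def keep_firewall_event(src, dst, excluded_src_nets=()):
    """The base-search filter for firewall searches: drop uninteresting sources (guest Wi-Fi,
    DMZ) regardless of destination, then drop internal-to-internal traffic, which has no
    external IP and so can never match IP intelligence."""
    s, d = ip_address(src), ip_address(dst)
    if any(s in ip_network(n) for n in excluded_src_nets):
        return False
    if any(s in n for n in RFC1918) and any(d in n for n in RFC1918):
        return False
    return True
```

The cases worth trying: a URL with no path (`https://ransom.example`) gives PAGE_REX nothing at all, a URL with a port gives it `ransom.example:8443`, and a URL with credentials gives it `user:pw@ransom.example`; none of those keys will match a risk list entry, while TOLERANT_REX and extract_domain return `ransom.example` for all of them. The hostnames and networks in the calls are constructed.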

Example of URL & Domain Intelligence in Single Query

Note, this search is not as optimized as the other queries, but can reduce the number of searches that you may want to run.

Proxy Search

sourcetype=proxy earliest=-24h action=allowed
| rex field=dest "://(?<domain>[^/:]+)"
| lookup rf_domain_risklist.csv Name as domain OUTPUT Name as Source1, Risk as Risk1, RiskString as RiskString1, EvidenceDetails as EvidenceDetails1
| eval Rule1 = spath(EvidenceDetails1,"EvidenceDetails{}.Rule")
| eval EvidenceString1 = spath(EvidenceDetails1,"EvidenceDetails{}.EvidenceString")
| lookup rf_url_risklist.csv Name as url OUTPUT Name as Source2, Risk as Risk2, RiskString as RiskString2, EvidenceDetails as EvidenceDetails2
| eval Rule2 = spath(EvidenceDetails2,"EvidenceDetails{}.Rule")
| eval EvidenceString2 = spath(EvidenceDetails2,"EvidenceDetails{}.EvidenceString")
| eval RiskScore = mvappend(Risk1, Risk2)
| eval Rule = mvappend(Rule1, Rule2)
| eval EvidenceString = mvappend(EvidenceString1, EvidenceString2)
| eval RiskString = mvappend(RiskString1, RiskString2)
| eval indicator = mvappend(Source1, Source2)
| search RiskScore=*
| eventstats count(src) as count by indicator
| table src, dest, count, _time, RiskScore, RiskString, Rule, Source2, Source1, EvidenceString
| rename Source2 AS "URL-Indicator", Source1 AS "Domain-Indicator"


Configuring Splunk Alerts

Refer to the Splunk documentation on alerting for details on scheduling these searches as alerts and on the available alert actions.

Learn More

The searches provided were built using the queries from the Common Splunk Search Strings for Recorded Future Risk Lists support page. This document is intended to show how you can apply these searches in different ways based on what your organization cares about most. The most critical use cases have been provided, but this is by no means exhaustive. Please feel free to comment below or email jillian.cagliostro@recordedfuture.com with new searches or use cases you would like to see represented.

 

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.