Mikael Bjerkelands pitch from the Splunk User Groups.

1. © 2019 SPLUNK INC.
Detection as Code
Building and testing use cases with
Enterprise Security Content Update
Mikael Bjerkeland
Senior Security Sales Engineer | Oslo

2. © 2019 SPLUNK INC.
Mikael Bjerkeland
Previous life:
• Cisco CCNP
• Network Monitoring & Splunk Consultant
• Linux Sysadmin (DNS,DHCP ++)
• OpenShift rookie
• VoIP - Asterisk PBX
Now:
• Security Sales Engineer serving Norway
Github: https://github.com/inspired
Authored 7 apps on Splunkbase
Cisco Networks App for Splunk

3. © 2019 SPLUNK INC.
Splunk Threat Research
Study
Threats
Create
Datasets
Build
Detections
Release
Tools
Share with
Community

4. © 2019 SPLUNK INC.
Detection Engineering

5. © 2019 SPLUNK INC.
What is a detection?
Simple Attack for Credential Dumping

6. © 2019 SPLUNK INC.
What is a detection?
Sysmon Log in Windows Event Viewer

7. © 2019 SPLUNK INC.
What is a detection?
Same log forwarded to Splunk or other SIEM

8. © 2019 SPLUNK INC.
What is a detection?
data normalization as part of a data model
CommandLine
Image
ProcessId
Processes.process
Processes.process_name
Processes.process_id

9. © 2019 SPLUNK INC.
What is a detection?
Detection based on the data model

10. © 2019 SPLUNK INC.
Detection Types
• Signature based detections: focus on known threats
• Anomaly based detections: focus on changes in behavior

11. © 2019 SPLUNK INC.
Detection Accuracy - ROC
True
Positive
False Positive
High Accurarcy
Thank you @malwareunicorn
for the idea

12. © 2019 SPLUNK INC.
Detection Accuracy - ROC
True
Positive
False Positive
Anomaly-based Detections
Signature-based
Detections

13. © 2019 SPLUNK INC.
Detection Accuracy – Long Tail
more generic more specific
Anomaly-based Detections
Signature-based
Detections
number of
malware
Thank you @malwareunicorn
for the idea

14. © 2019 SPLUNK INC.
Detection Accuracy – Long Tail
more generic more specific
Anomaly-based Detections
Signature-based
Detections
number of
malware

15. © 2019 SPLUNK INC.
Detection Accuracy – Long Tail
more generic more specific
Anomaly-based Detections
Signature-based
Detections
number of
malware

16. © 2019 SPLUNK INC.
Detection Dependencies
Dependencies:
• Windows Settings
• Sysmon Config
• Splunk Core
• Sysmon TA
• Endpoint Datamodel
Windows 10 with Sysmon Splunk
Sysmon logs

17. © 2019 SPLUNK INC.
Detection Testing
30
Detections for
Sysmon

18. © 2019 SPLUNK INC.
Detection Testing
30 tests for changes in Windows
30
Detections for
Sysmon

19. © 2019 SPLUNK INC.
Detection Testing
30 tests for changes in Windows
30 tests for new Sysmon Version
30
Detections for
Sysmon

20. © 2019 SPLUNK INC.
Detection Testing
30 tests for changes in Windows
30 tests for new Sysmon Version
30 tests for new Splunk Version30
Detections for
Sysmon

21. © 2019 SPLUNK INC.
Detection Testing
30 tests for changes in Windows
30 tests for new Sysmon Version
30 tests for new Splunk Version
30 tests for new Sysmon TA
30
Detections for
Sysmon

22. © 2019 SPLUNK INC.
Detection Testing
30 tests for changes in Windows
30 tests for new Sysmon Version
30 tests for new Splunk Version
30 tests for new Sysmon TA
30 tests for changes in Endpoint Datamodel
30
Detections for
Sysmon

23. © 2019 SPLUNK INC.
Keep up with the ever
changing threat
landscape
Continuously testing and
improvement of
detections
Reduce detection
development lifecycle
between new attack and
new detection
Threat landscape Test & Improve
detections
Shorten
development
lifecycle
Challenges

24. © 2019 SPLUNK INC.
Splunk Security Content
• open source repository containing 200+
Splunk detections
• detections, baselines, responses are combined
to analytics stories.
• Available as ESCU Splunk App, GitHub
repository and REST API
• Mapped to Mitre ATT&CK Matrix
• Mapped to CIM data model / log sources
Security Content:
https://github.com/splunk/security-
content

25. © 2019 SPLUNK INC.
Commit
change
Trigger
build
Build
Notify of
build
outcome
Notify of
test
outcome
Run tests Deploy
CI/CD Workflow – Software Engineering

26. © 2019 SPLUNK INC.
CI/CD Workflow – Detection Engineering
Commit
detection
Convert
detection
Package
detection
Notify of
build
outcome
Notify of
test
outcome
Test
detection
Deploy
detections
This is what I'll focus on today

27. © 2019 SPLUNK INC.
CI/CD in Detection Engineering

28. © 2019 SPLUNK INC.
CI/CD Workflow – Detection Engineering
Commit
detection
Convert
detection
Package
detection
Notify of
build
outcome
Notify of
test
outcome
Test
detection
Deploy
detections

29. © 2019 SPLUNK INC.
Commit detections – detection schema

30. © 2019 SPLUNK INC.
Commit detection – Branching worklfow
master
develop
detection1
detection2
branch
branch
branch
merge
merge
merge
Version 1.1

31. © 2019 SPLUNK INC.
CI/CD Workflow – Detection Engineering
Commit
detection
Convert
detection
Package
detection
Notify of
build
outcome
Notify of
test
outcome
Test
detection
Deploy
detections

32. © 2019 SPLUNK INC.
Convert Detection & Package Detection
detection schema
format
savedsearches.conf
generate.py
Security Content

33. © 2019 SPLUNK INC.
Convert Detection & Package Detection

34. © 2019 SPLUNK INC.
Convert Detection & Package Detection

35. © 2019 SPLUNK INC.
CI/CD Workflow – Detection Engineering
Commit
detection
Convert
detection
Package
detection
Notify of
build
outcome
Notify of
test
outcome
Test
detection
Deploy
detections

36. © 2019 SPLUNK INC.
Detection Development Workflow
Attack Technique Attack Dataset Detection +
Detection Test
Detection Testing
Pipeline
Detection
compatible to all
Splunk Security
Products

37. © 2019 SPLUNK INC.
Detection Development Workflow - People
Adversary Emulation
Engineer
Detection Developer Detection Engineer Blogger

38. © 2019 SPLUNK INC.
Detection Development Workflow - Tools
Attack Data
Generation Service
Attack Range
Cloud Attack Range
Detection Testing
Service
Security Content

39. © 2019 SPLUNK INC.
Detection Development Workflow - Tools
Attack Data
Generation Service
Attack Range
Cloud Attack Range
Detection Testing
Service
Security Content

40. © 2019 SPLUNK INC.
Attack Range

41. © 2019 SPLUNK INC.
Automated Detection Testing
Build Env
Replay Attack
Data
Run Detections
Evaluate
Results
Attack Range
python attack_range.py
--action test
–test_file
tests/T1003_002.yml

42. © 2019 SPLUNK INC.
CI/CD Workflow – Detection Engineering
Commit
detection
Convert
detection
Package
detection
Notify of
build
outcome
Notify of
test
outcome
Test
detection
Deploy
detections

43. © 2019 SPLUNK INC.
Package detections into an app
Forking from a Git repository
Provide detections over REST API
Deploy detections

44. © 2019 SPLUNK INC.
Build your first detection!
1. Copy a detections/*/*.yml file to detections/*/my_detection_name.yml
1. Replace name with "My Detection Name"
2. Replace id with a new UUID (lower case!)
3. Change metadata fields
4. Replace search with your detection
1. Make it as generic as possible!
2. Use macros
3. End the search with | `my_detection_name_filter`
2. Copy a macros/*_filter.yml file to macros/my_detetection_name_filter.yml
1. Replace name but keep the rest super generic
3. Run: python bin/generate.py --path . --output package –v
4. Run: cp -r package /opt/splunk/etc/apps/DA-ESS-ContentUpdate
First: Clone and branch https://github.com/splunk/security-content

45. © 2019 SPLUNK INC.
The other interesting bits

46. © 2019 SPLUNK INC.
Apply What you Learned Today
• Next week you should:
– Download and install Attack Range
• In the first three months following this presentation you should:
– Establish a CI/CD workflow for your SIEM detections
– Continuously test your detections
• Within six months you should:
– Share your detections with the InfoSec community
– Establish automated testing of detections

47. Thank You
© 2019 SPLUNK INC.

48. © 2019 SPLUNK INC.
Resources • Splunk Security Content:
https://github.com/splunk/security-
content
• Attack Range:
https://github.com/splunk/attack_range
• MITRE ATT&CK Matrix:
https://attack.mitre.org
• Atomic Red Team:
https://github.com/redcanaryco/atomic-
red-team