Security Incident handling with Splunk – Our new Cyences App published on Splunkbase

For the past year, customers have asked us to simplify Splunk so that they are able to identify nefarious activities quickly. In addition, they wanted to be able to forensically investigate any event without having to be experts in Splunk Processing Language (SPL).

During our initial meetings, we started to realize that the issue is not as simple as creating alerts and dashboards, but more one of building a security engineer’s application for Splunk. Most security engineers understand what bad traffic and orchestration look like, but they can’t navigate Splunk to get to the bottom of things, so we started developing the Cyences App, which this blog previews.

Overview:

The Cyences App was developed to achieve the following initial objectives, with more to come on a monthly basis.

  1. Community-based development starting with our existing clients and branching out to others soon afterwards
  2. Unified panes of glass that, within one or two screens, provide a holistic view of what is important to observe (if a correlation report has no alert associated with it, it does not need to appear in the nefarious activity pane)
  3. Activity monitoring should include workstations and users (pre-COVID this was not necessary, but offices and office firewalls now play only a small part in securing user activity)
  4. Global view: Collecting and correlating logs throughout a single organization is no longer sufficient because the activity becomes more of a reactive response vs. proactive. We decided that Cyences will collect Global Activity that is deemed nefarious and correlate all incoming and outgoing packets to decide with more accuracy whether something is wrong
  5. Drill down forensics: We found many existing dashboards and apps to be lacking because of the inherent inability for the security engineer to dig down quickly to ascertain an alarm. All dashboards to be built will have built-in forensics capabilities to reduce response time

There are many more to come but we decided to start off with the six above and publish the App as 1.0.0 at the end of this month because the value is already there.

If you’re interested in downloading or joining our community, please email me directly or reach out on LinkedIn and I will get you access to our Cyences forum. Below are some screenshots and use cases.

Main Dashboard:

This dashboard is based on the MITRE framework.

Fake Windows Processes

Some ransomware names its executable after a default Windows process so that users do not notice it. We can detect these processes because they are installed outside the default Windows location for that binary.
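The check described above, written out as an added example rather than code from the Cyences App: a process is flagged when its file name matches a well-known Windows binary but its parent directory is not one of that binary's expected install locations. The expected-directory table, the event field names and the sample process-creation events are constructed for illustration.

```python
"""Flag processes that borrow a default Windows process name but run
from outside the directory where the genuine binary is installed.
Added example; the allow-list and sample events below are constructed."""
from pathlib import PureWindowsPath

# Constructed allow-list (assumption for this example): well-known Windows
# binaries and the directories in which the legitimate copy lives. In a real
# deployment this table must be tuned to the environment (e.g. WinSxS copies
# or 32-bit SysWOW64 variants) to avoid false positives.
EXPECTED_DIRS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
    "csrss.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
}


def is_masquerading(image_path: str) -> bool:
    """True when the file name is a tracked Windows process name but the
    parent directory is not an expected location. Comparison is
    case-insensitive because NTFS paths are."""
    p = PureWindowsPath(image_path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return False  # not a name we track; nothing to compare against
    parent = str(p.parent).lower()
    return parent not in {d.lower() for d in EXPECTED_DIRS[name]}


def find_fake_processes(events):
    """Return (host, image) pairs for events whose image masquerades."""
    return [(e["host"], e["Image"]) for e in events if is_masquerading(e["Image"])]


# Constructed process-creation events in the shape a parsed Sysmon
# EventCode 1 record might carry (field names are an assumption).
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "Image": r"C:\Users\Public\svchost.exe"},
    {"host": "ws03", "Image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"host": "ws04", "Image": r"C:\ProgramData\lsass.exe"},
    {"host": "ws05", "Image": r"C:\Program Files\Vendor\updater.exe"},
    {"host": "ws06", "Image": r"c:\windows\EXPLORER.EXE"},
]

if __name__ == "__main__":
    for host, image in find_fake_processes(SAMPLE_EVENTS):
        print(f"{host}: {image}")  # prints ws02 and ws04 only
```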

The Cyences App shows attacker and compromised-system information in the “Details” dashboard for easy access.

Firewall Disabled (one of the first signs of an active attack)
Global Malicious IP List:

Written by Usama Houlila.

Any questions, comments, or feedback are appreciated! Leave a comment or send me an email at uhoulila@crossrealms.com.

Usama Houlila - CEO

Usama Houlila

President and Enterprise Architect
Usama Houlila is an Enterprise Architect with more than 20 years of professional experience providing technology solutions for organizations in industries including legal, public services, healthcare, finance, retail, hospitality, and manufacturing. Usama is well-versed in all phases of project delivery, from initiation to closeout. His ability to see the big picture is a product of his comprehensive knowledge of hardware, software, application, and systems engineering. Usama’s myriad interests include international affairs, nutrition and health, cooking, and music. He has played the flute since childhood and is an avid runner and bicyclist who recently added swimming and triathlons to the mix. He currently manages, designs, and deploys Palo Alto for legal, healthcare, and financial services.