How to investigate Splunk Events

If you are using Splunk to store logs and security events, you can use workflow actions to send a specific type of event into the Efflux platform for post-exploitation and lateral movement analysis.

This can be achieved by first building an event type and then creating a workflow action that makes a RESTful API call to kick off an Efflux investigation.

For this how-to, I will use the Search & Reporting app to build event types and workflows.

Let's get started...

  • Find the type of events you would like to pivot from within Search & Reporting. For this example I will use a Palo Alto NGFW alert, but you can use anything that has an IP address that you would like to investigate for post exploitation activity. 
  • Building an event type is useful for narrowing down what your workflow action can execute on. Here I have a sourcetype of "syslog" that is storing CEF alerts. Because they are in CEF, I know the events carry "src" and "dst" fields, which are the values I want to send to Efflux.
  • From your event, click "Event Actions" and then "Build Event Type".
  • Next, you can select which fields define this Event Type. Because I simply have all syslog going into the same Splunk sourcetype, I'll be a bit more selective and build an Event Type for my specific PANW appliance. I select the "dvchost" field as the additional field that contributes to this Event Type. NOTE: you can select any set of fields you want/need to define your event type.
  • You can hit "Test" along the top to verify that you are only getting the actual events back that you want.
  • When you're done, click "Save" and give it a name. I called mine "PANW-Alerts".
  • Next, in your top navigation go to "Settings => Fields" and at the bottom click on "Workflow actions".
  • Click "New"
  • Now fill out your workflow action:
    • Destination app: search (or the appropriate one for you)
    • Name: give it a name! I call mine, "pushSrcToEfflux"
    • Label: I used the same as Name
    • Apply only to the following fields: Select a field in your event that could have an IP address that you want to investigate. I use src for this example.
    • Apply only to the following event types: Choose the event type you just created. I use "PANW-Alerts".
    • Show action in: Both
    • Action type: link
    • URI: 
      • Replace "YOU" and "YOURTOKEN" with your sub-domain and a valid user token!
    • Open link in: New window
    • Link method: get
  • Click Save
  • Now go back to Search & Reporting and run a new search. Since my Event Type covers syslog PANW alerts, I use index="syslog" AND "PA-VM" to find matching events.
  • Within the event, click Event Actions, and our new workflow action is now available!
  • Clicking this workflow action will send the src of this alert to Efflux to look for lateral movement and post-exploitation activity.
  • You can go back to Workflow actions, clone this one, and create similar actions for other fields.
  • Clicking on the workflow action will open a new window and hit the URL route. A simple JSON return object lets you know whether the call succeeded and provides the "id" of the Narrative that was created.
  • In the Efflux UI, if post-exploitation activity is detected, it will show up in the Narrative listing. In this example, our User Submitted PANW alert was correlated with automated PANW alert ingest and Carbon Black to paint the picture of the malicious activity. The alert information for the host shows this. This Narrative shows a myriad of other activity going on around these alerts that you otherwise would have no visibility into.
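To make the workflow action steps above and the JSON return object concrete, here is an added example in Python. It is not code from the original post or from Efflux: it emulates what Splunk does when the action is clicked (the $src$ substitution in the URI, URL-encoded), checks the URI before you hit Save (placeholders still present, the field the action applies to not being the one the URI sends, a non-https route), renders the equivalent workflow_actions.conf stanza for the same settings, and reads the Narrative "id" from the return object. The Efflux route is a hypothetical placeholder, not the real endpoint, and the "success" key in the return object is an assumption; only the "id" key is mentioned in the post.

```python
"""Added example, not code from the original post or from Efflux.

Emulates what the Splunk workflow action does when it is clicked, so the
action can be sanity-checked before it is saved: placeholder detection,
$field$ substitution as Splunk performs it for link.uri, the equivalent
workflow_actions.conf stanza, and reading the JSON return object.

Assumptions (labelled): the Efflux route below is a hypothetical placeholder,
not the real endpoint; the return object is assumed to carry a "success"
flag next to the "id" key the post mentions.
"""
import json
import re
from urllib.parse import quote

# URI template as typed into the workflow action's "URI" box (hypothetical
# route). "YOU" and "YOURTOKEN" must be replaced before saving; Splunk
# replaces $src$ with the clicked event's src value, URL-encoded.
URI_TEMPLATE_PLACEHOLDER = (
    "https://YOU.efflux.example/api/investigate?token=YOURTOKEN&ip=$src$"
)
PLACEHOLDERS = ("YOU", "YOURTOKEN")
FIELD_TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def find_unreplaced_placeholders(uri_template):
    """Return the placeholder words still present in the URI template."""
    return [p for p in PLACEHOLDERS
            if re.search(r"\b%s\b" % re.escape(p), uri_template)]


def fields_referenced(uri_template):
    """Return the Splunk field names the template substitutes ($field$)."""
    return FIELD_TOKEN.findall(uri_template)


def render_uri(uri_template, event):
    """Substitute $field$ tokens with URL-encoded values from one event,
    which is what Splunk does for a link-type action on click."""
    return FIELD_TOKEN.sub(
        lambda m: quote(str(event.get(m.group(1), "")), safe=""), uri_template)


def check_workflow_action(uri_template, applies_to_field):
    """Checks worth running before clicking Save. Returns a list of problems;
    an empty list means the action is consistent."""
    problems = []
    left = find_unreplaced_placeholders(uri_template)
    if left:
        problems.append("placeholders not replaced: " + ", ".join(left))
    refs = fields_referenced(uri_template)
    if applies_to_field not in refs:
        problems.append("URI does not send $%s$ (references: %s)"
                        % (applies_to_field, ", ".join(refs) or "none"))
    if not uri_template.startswith("https://"):
        problems.append("URI is not https: the user token would travel in the clear")
    return problems


def workflow_actions_stanza(name, label, field, eventtype, uri_template):
    """Render the workflow_actions.conf stanza equivalent to the UI steps
    (Show action in: Both, Action type: link, Open link in: New window,
    Link method: get)."""
    return "\n".join([
        "[%s]" % name,
        "label = %s" % label,
        "fields = %s" % field,
        "eventtypes = %s" % eventtype,
        "display_location = both",
        "type = link",
        "link.method = get",
        "link.target = blank",
        "link.uri = %s" % uri_template,
    ])


def parse_narrative_id(body):
    """Read the JSON return object: the Narrative "id" on success, else None."""
    data = json.loads(body)
    if not data.get("success"):
        return None
    return data.get("id")


if __name__ == "__main__":
    # Constructed sample: one CEF-derived PANW alert as Splunk would expose it.
    event = {"src": "10.0.0.5", "dst": "203.0.113.9", "dvchost": "PA-VM"}
    print("before:", check_workflow_action(URI_TEMPLATE_PLACEHOLDER, "src"))
    configured = (URI_TEMPLATE_PLACEHOLDER.replace("YOU.", "acme.")
                  .replace("YOURTOKEN", "abc123"))
    print("after: ", check_workflow_action(configured, "src"))
    print(render_uri(configured, event))
    print(workflow_actions_stanza("pushSrcToEfflux", "pushSrcToEfflux",
                                  "src", "PANW-Alerts", configured))
    # Constructed return object in the shape the post describes.
    print("narrative id:", parse_narrative_id('{"success": true, "id": "n-42"}'))
```

Running check_workflow_action against the template before and after replacing the placeholders shows the difference between an action that will silently call a bogus sub-domain and one that is consistent with the field it is applied to; the rendered stanza is the same action expressed in workflow_actions.conf for anyone who prefers to deploy it by config rather than through the UI.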

Happy Hunting!

- John Myers, CTO & Co-Founder