mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
255 lines
10 KiB
Markdown
255 lines
10 KiB
Markdown
---
|
|
name: building-detection-rule-with-splunk-spl
|
|
description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
|
|
security threats in SOC environments.
|
|
domain: cybersecurity
|
|
subdomain: soc-operations
|
|
tags:
|
|
- splunk
|
|
- spl
|
|
- detection-engineering
|
|
- correlation-search
|
|
- siem
|
|
- soc
|
|
- threat-detection
|
|
- enterprise-security
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
d3fend_techniques:
|
|
- Executable Denylisting
|
|
- Execution Isolation
|
|
- File Metadata Consistency Validation
|
|
- Content Format Conversion
|
|
- File Content Analysis
|
|
nist_csf:
|
|
- DE.CM-01
|
|
- DE.AE-02
|
|
- RS.MA-01
|
|
- DE.AE-06
|
|
---
|
|
|
|
# Building Detection Rules with Splunk SPL
|
|
|
|
## Overview
|
|
|
|
Splunk Search Processing Language (SPL) is the primary query language used in Splunk Enterprise Security for building correlation searches that detect suspicious events and patterns. A well-crafted detection rule aggregates, correlates, and enriches security events to generate actionable notable events for SOC analysts. Enterprise SIEMs on average cover only 21% of MITRE ATT&CK techniques, making skilled SPL rule writing essential for closing detection gaps.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When deploying or configuring building detection rule with splunk spl capabilities in your environment
|
|
- When establishing security controls aligned to compliance requirements
|
|
- When building or improving security architecture for this domain
|
|
- When conducting security assessments that require this implementation
|
|
|
|
## Prerequisites
|
|
|
|
- Splunk Enterprise Security (ES) deployed and configured
|
|
- Access to Splunk Search & Reporting app with appropriate roles
|
|
- Understanding of Common Information Model (CIM) data models
|
|
- Familiarity with MITRE ATT&CK framework techniques
|
|
- Knowledge of the organization's log sources and data flows
|
|
|
|
## Core SPL Detection Rule Patterns
|
|
|
|
### 1. Threshold-Based Detection
|
|
|
|
Detects events exceeding a defined count within a time window.
|
|
|
|
```spl
|
|
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
|
|
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
|
|
| where failed_logins > 10 AND unique_users > 3
|
|
| eval severity="high"
|
|
| eval description="Brute force attack detected from ".src_ip." with ".failed_logins." failed logins across ".unique_users." accounts"
|
|
```
|
|
|
|
### 2. Sequence-Based Detection (Failed Login Followed by Success)
|
|
|
|
Correlates a sequence of events indicating a successful brute force attack.
|
|
|
|
```spl
|
|
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
|
|
| eval login_status=case(EventCode=4625, "failure", EventCode=4624, "success")
|
|
| stats count(eval(login_status="failure")) as failures count(eval(login_status="success")) as successes latest(_time) as last_event by src_ip, TargetUserName
|
|
| where failures > 5 AND successes > 0
|
|
| eval description="Account ".TargetUserName." compromised via brute force from ".src_ip
|
|
| eval urgency="critical"
|
|
```
|
|
|
|
### 3. Anomaly Detection with Baseline Comparison
|
|
|
|
Compares current activity against a baseline period to detect spikes.
|
|
|
|
```spl
|
|
index=proxy sourcetype=squid
|
|
| bin _time span=1h
|
|
| stats count as current_count by src_ip, _time
|
|
| join src_ip type=left [
|
|
search index=proxy sourcetype=squid earliest=-7d@d latest=-1d@d
|
|
| stats avg(count) as avg_count stdev(count) as stdev_count by src_ip
|
|
]
|
|
| eval threshold=avg_count + (3 * stdev_count)
|
|
| where current_count > threshold
|
|
| eval deviation=round((current_count - avg_count) / stdev_count, 2)
|
|
| eval description="Anomalous web traffic from ".src_ip." - ".deviation." standard deviations above baseline"
|
|
```
|
|
|
|
### 4. Lateral Movement Detection
|
|
|
|
Identifies potential lateral movement using Windows logon events.
|
|
|
|
```spl
|
|
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3
|
|
| where NOT match(TargetUserName, ".*\$$")
|
|
| stats dc(dest) as unique_hosts values(dest) as hosts by src_ip, TargetUserName
|
|
| where unique_hosts > 5
|
|
| eval severity=case(unique_hosts > 20, "critical", unique_hosts > 10, "high", true(), "medium")
|
|
| eval description=TargetUserName." accessed ".unique_hosts." unique hosts from ".src_ip." via network logon"
|
|
```
|
|
|
|
### 5. Data Exfiltration Detection
|
|
|
|
Monitors for large outbound data transfers.
|
|
|
|
```spl
|
|
index=firewall sourcetype=pan:traffic action=allowed direction=outbound
|
|
| stats sum(bytes_out) as total_bytes_out dc(dest_ip) as unique_destinations by src_ip, user
|
|
| eval total_mb=round(total_bytes_out/1048576, 2)
|
|
| where total_mb > 500 OR unique_destinations > 50
|
|
| lookup asset_lookup ip as src_ip OUTPUT asset_category, asset_owner
|
|
| eval severity=case(total_mb > 2000, "critical", total_mb > 1000, "high", true(), "medium")
|
|
| eval description=user." transferred ".total_mb."MB to ".unique_destinations." unique destinations"
|
|
```
|
|
|
|
### 6. PowerShell Suspicious Execution Detection
|
|
|
|
Detects encoded or obfuscated PowerShell commands.
|
|
|
|
```spl
|
|
index=wineventlog sourcetype=WinEventLog:Security EventCode=4104
|
|
| where match(ScriptBlockText, "(?i)(encodedcommand|invoke-expression|iex|downloadstring|frombase64string|net\.webclient|invoke-webrequest|bitstransfer|invoke-mimikatz|invoke-shellcode)")
|
|
| eval decoded_length=len(ScriptBlockText)
|
|
| stats count values(ScriptBlockText) as commands by Computer, UserName
|
|
| where count > 0
|
|
| eval severity="high"
|
|
| eval mitre_technique="T1059.001"
|
|
| eval description="Suspicious PowerShell execution on ".Computer." by ".UserName
|
|
```
|
|
|
|
## Building Correlation Searches in Splunk ES
|
|
|
|
### Step-by-Step Process
|
|
|
|
1. **Define the Use Case**: Map to MITRE ATT&CK technique and define what behavior to detect
|
|
2. **Identify Data Sources**: Determine which indexes and sourcetypes contain relevant events
|
|
3. **Write the Base Search**: Build SPL that extracts relevant events
|
|
4. **Add Aggregation**: Use `stats`, `eventstats`, or `streamstats` to summarize
|
|
5. **Apply Thresholds**: Set conditions with `where` clause that distinguish normal from anomalous
|
|
6. **Enrich Context**: Add lookups for asset information, identity data, and threat intelligence
|
|
7. **Configure Notable Event**: Set severity, urgency, and description fields
|
|
8. **Schedule and Test**: Run against historical data and validate detection accuracy
|
|
|
|
### Correlation Search Configuration Template
|
|
|
|
```spl
|
|
| tstats summariesonly=true count from datamodel=Authentication
|
|
where Authentication.action=failure
|
|
by Authentication.src, Authentication.user, _time span=5m
|
|
| rename "Authentication.*" as *
|
|
| stats count as total_failures dc(user) as unique_users values(user) as targeted_users by src
|
|
| where total_failures > 20 AND unique_users > 5
|
|
| lookup dnslookup clientip as src OUTPUT clienthost as src_dns
|
|
| lookup asset_lookup ip as src OUTPUT priority as asset_priority, category as asset_category
|
|
| eval urgency=case(asset_priority=="critical", "critical", asset_priority=="high", "high", true(), "medium")
|
|
| eval rule_name="Brute Force Against Multiple Accounts"
|
|
| eval rule_description="Multiple authentication failures from ".src." targeting ".unique_users." unique accounts"
|
|
| eval mitre_attack="T1110.001 - Password Guessing"
|
|
```
|
|
|
|
### Enrichment Best Practices
|
|
|
|
```spl
|
|
| lookup identity_lookup identity as user OUTPUT department, manager, risk_score as user_risk
|
|
| lookup asset_lookup ip as src_ip OUTPUT asset_name, asset_category, asset_priority, asset_owner
|
|
| lookup threatintel_lookup ip as src_ip OUTPUT threat_type, threat_confidence, threat_source
|
|
| eval context=case(
|
|
isnotnull(threat_type), "Known threat: ".threat_type,
|
|
user_risk > 80, "High-risk user: risk score ".user_risk,
|
|
asset_priority=="critical", "Critical asset: ".asset_name,
|
|
true(), "Standard context"
|
|
)
|
|
```
|
|
|
|
## Performance Optimization
|
|
|
|
### Use Data Models with tstats
|
|
|
|
```spl
|
|
| tstats summariesonly=true count from datamodel=Network_Traffic
|
|
where All_Traffic.action=allowed
|
|
by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, _time span=1h
|
|
| rename "All_Traffic.*" as *
|
|
```
|
|
|
|
### Limit Time Ranges and Use Indexed Fields
|
|
|
|
```spl
|
|
index=wineventlog source="WinEventLog:Security" EventCode=4688
|
|
earliest=-15m latest=now()
|
|
| where NOT match(New_Process_Name, "(?i)(svchost|csrss|lsass|services)")
|
|
```
|
|
|
|
### Use Summary Indexing for Historical Baselines
|
|
|
|
```spl
|
|
| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src, _time span=1h
|
|
| collect index=summary source="auth_failure_baseline" marker="report_name=auth_failure_hourly"
|
|
```
|
|
|
|
## Testing and Validation
|
|
|
|
### Test Against Known Attack Patterns
|
|
|
|
```spl
|
|
| makeresults count=1
|
|
| eval src_ip="10.0.0.50", failed_logins=25, unique_users=8, severity="high"
|
|
| eval description="Test brute force detection"
|
|
| append [
|
|
search index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
|
|
earliest=-24h latest=now()
|
|
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
|
|
| where failed_logins > 10 AND unique_users > 3
|
|
| eval severity="high"
|
|
]
|
|
```
|
|
|
|
### Calculate Detection Metrics
|
|
|
|
```spl
|
|
index=notable
|
|
| search rule_name="Brute Force*"
|
|
| stats count as total_alerts count(eval(status_label="Closed - True Positive")) as true_positives count(eval(status_label="Closed - False Positive")) as false_positives by rule_name
|
|
| eval precision=round(true_positives / (true_positives + false_positives) * 100, 2)
|
|
| eval fpr=round(false_positives / total_alerts * 100, 2)
|
|
```
|
|
|
|
## MITRE ATT&CK Mapping
|
|
|
|
| Technique ID | Technique Name | SPL Detection Approach |
|
|
|---|---|---|
|
|
| T1110.001 | Password Guessing | Threshold on EventCode 4625 by src_ip |
|
|
| T1059.001 | PowerShell | Pattern match on EventCode 4104 ScriptBlockText |
|
|
| T1021.002 | SMB/Windows Admin Shares | Logon Type 3 with dc(dest) threshold |
|
|
| T1048 | Exfiltration Over C2 | bytes_out aggregation over time window |
|
|
| T1053.005 | Scheduled Task | EventCode 4698 with suspicious command patterns |
|
|
| T1003.001 | LSASS Memory | Process access to lsass.exe via Sysmon EventCode 10 |
|
|
|
|
## References
|
|
|
|
- [Splunk ES Correlation Searches Best Practices](https://detect.fyi/splunk-es-correlation-searches-rules-best-cool-practices-06ef94884170)
|
|
- [Writing Practical Splunk Detection Rules](https://medium.com/@vitbukac/practical-splunk-detection-rules-how-to-part-1-crawl-a24bc39a4b9d)
|
|
- [Configure Correlation Searches - Splunk Documentation](https://help.splunk.com/en/splunk-enterprise-security-8/splunk-app-for-pci-compliance/installation-and-configuration-manual/6.1/configure-correlation-searches/configure-correlation-searches)
|
|
- [SOC Prime - Correlation Events in Splunk](https://socprime.com/blog/creating-correlation-events-in-splunk-using-alerts/)
|