Splunking The Modern Honey Network: Honeypot Alert Automation (Part 3)

Published on February 15, 2017
<p>In my last post, <a href="https://www.anomali.com/blog/splunking-the-modern-honey-network-adding-context-using-threat-feeds-part-2">I looked at enriching Modern Honey Network events against a threat feed, specifically Anomali Threatstream IOCs</a>.</p>
<p>Enriching events helps filter out false positives — events that pose no real risk to a network. False positives can obviously — and do — waste many hours of a security analyst's time (been there, done that!).</p>
<p>Manually searching through security events is also very time consuming (and boring!). Automation helps by alerting only when an event of significance is seen.</p>
<p>In this post I will walk through how to set up Slack alerts (although you can use another channel, including email) in Splunk for MHN events that match against Threatstream IOCs, and thus likely need further investigation.</p>
<h2>Creating MHN alerts</h2>
<h3>0. Prerequisites</h3>
<p>You have a Splunk instance with Modern Honey Network data being matched against Threatstream IOCs. <a href="https://www.anomali.com/blog/splunking-the-modern-honey-network-adding-context-using-threat-feeds-part-2">Here’s a walkthrough detailing how to do this</a>.</p>
<h3>1. Set up an incoming Slack webhook</h3>
<p><img alt="Slack incoming webhook configuration" src="https://cdn.filestackcontent.com/DclzjfTsK0CwdKyABNWA" style="width: 600px; height: 302px;"/></p>
<p>Alerts will be sent from Splunk to Slack. Log in to your Slack team and select: <em>Apps &amp; Integrations &gt; Incoming Webhook</em>. Then follow the instructions to add a new webhook.</p>
<h3>2. Choose the type of events you want to receive alerts for</h3>
<p>In the last post I used all MHN data that had Threatstream IOC matches, using the following search:</p>
<pre>source="*mhn-splunk.log*" | lookup tsi_ip lookup_key_value AS src OUTPUTNEW confidence AS ts_confidence, itype AS ts_itype, detail AS ts_detail | search ts_confidence="*"</pre>
<p>All Splunk alerts are based on events returned by searches. You can customise the search and time range to further filter results if needed.</p>
<h3>3. Save the search as an alert</h3>
<p><img alt="Splunk Save As Alert dialog" src="https://cdn.filestackcontent.com/hKVmFkZUSqO2qfhVSvbg" style="width: 600px; height: 284px;"/></p>
<p>Once you’ve created and run the search you want to use, select: <em>Save as &gt; Alert</em>.</p>
<p>You can choose either a real-time or a scheduled alert and set the conditions that will trigger it. For example, for a scheduled alert you might only want to be notified when the number of MHN events matching the search increases by 20%.</p>
<p>Under “Triggered actions” select “Outgoing webhook” and enter the Slack webhook URL created in step 1. If you don’t want to use Slack you can choose another action, such as email.</p>
<h3>4. Profit</h3>
<p>Every time the conditions of the alert are met, a message will be posted to Slack. The Slack message includes a Splunk link to the events that triggered the alert so you can start your investigation.</p>
<h2>Further reading</h2>
<p>You should get familiar with <a href="https://medium.com/r/?url=https%3A%2F%2Fdocs.splunk.com%2FDocumentation%2FSplunk%2F6.5.1%2FSearchTutorial%2FWelcometotheSearchTutorial">Splunk’s search language</a> so you can create additional search constraints to improve the quality of the alerts that are triggered.</p>
<h2>Exploring The Modern Honey Network</h2>
<p>Over the next few weeks I will be posting a series of guides about how to get value out of the data being generated by your honeypots. <a href="https://twitter.com/anomali">You can get updates about new MHN posts from Anomali on Twitter</a>.</p>
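The search in step 2 and the trigger condition in step 3, modelled offline as an added Python example (not code from the post or from Splunk): constructed MHN events are joined against a constructed tsi_ip lookup the way `lookup ... OUTPUTNEW` and `search ts_confidence="*"` behave, the 20% increase rule decides whether to notify, and the Slack incoming-webhook body is built around the Splunk results link. The field names come from the post; the sample IPs, IOC values and results link are assumptions.

```python
"""Offline model of the alert pipeline in this post: enrich MHN events against a
Threatstream IP lookup, keep only matches, and decide whether to notify Slack.
All events and IOCs below are constructed sample data, not real indicators."""
import json

# Constructed MHN honeypot events (what Splunk would read from mhn-splunk.log).
MHN_EVENTS = [
    {"src": "203.0.113.10", "dest_port": 22, "protocol": "ssh"},
    {"src": "198.51.100.7", "dest_port": 23, "protocol": "telnet"},
    {"src": "203.0.113.10", "dest_port": 2222, "protocol": "ssh"},
    {"src": "192.0.2.44", "dest_port": 80, "protocol": "http"},
]

# Constructed tsi_ip lookup table, keyed the way the post's search uses it
# (lookup_key_value is matched against the event's src field).
TSI_IP_LOOKUP = {
    "203.0.113.10": {"confidence": 85, "itype": "scan_ip", "detail": "sample brute forcer"},
    "198.51.100.7": {"confidence": 60, "itype": "mal_ip", "detail": "sample c2"},
}

def enrich(events, lookup):
    """Equivalent of `| lookup tsi_ip lookup_key_value AS src OUTPUTNEW ... | search ts_confidence="*"`.
    OUTPUTNEW only adds fields the event does not already carry; the trailing
    search keeps events where ts_confidence exists, i.e. the IOC matches."""
    matched = []
    for ev in events:
        ioc = lookup.get(ev["src"])
        if ioc is None:
            continue  # no IOC for this source: dropped by the ts_confidence="*" filter
        enriched = dict(ev)
        for src_field, dst_field in (("confidence", "ts_confidence"), ("itype", "ts_itype"), ("detail", "ts_detail")):
            enriched.setdefault(dst_field, ioc[src_field])
        matched.append(enriched)
    return matched

def should_alert(current, previous, pct=20):
    """Scheduled-alert trigger from the post: fire when the matched-event count rose by at least pct%.
    A first run (previous == 0) alerts on any match instead of dividing by zero."""
    if previous == 0:
        return current > 0
    return (current - previous) / previous * 100 >= pct

def slack_payload(matches, results_link):
    """Body for a Slack incoming webhook: a short summary plus the Splunk link to the events."""
    srcs = sorted({m["src"] for m in matches})
    text = f"{len(matches)} MHN events matched Threatstream IOCs from {', '.join(srcs)}: {results_link}"
    return json.dumps({"text": text})
```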
