Another Take on Splunk BOTS — Boss of the SOC — With investigative workflows and the power of Natural Language Processing (NLP)Splunk’s Boss of the SOC(BOTS) was introduced at Splunk .conf2016 as a capture-the-flag style competition where users and analysts can show off their Splunk skills. Since then the competition has grown tremendously and this week at Splunk .conf2019, will be the 3rd year that the BOTS competition will be held.
Query.AI’s IRIS console takes competing in the BOTS competition to a whole new level. Being able to hunt in Splunk is essential to having a successful BOTS experience, and IRIS’s out-of-box workflows will help to do just that. These workflows allow you to query your data through Natural Language Processing (NLP) so you don’t need to be an expert in Splunk Processing Language (SPL) syntax to be successful!
Some of the available workflows include:
- AWS User Login without MFA
- Account Permissions Change in Windows
- Audit logs cleared on Windows
- Azure Active Directory
- Detect Account and Group Activities
- Hosts not sending data in past 24 hours
- List Access Denied Events from AWS
- List New Created Windows Processes
- Spotting the Signs of Lateral Movement
- Successful Login to Windows Outliers
Let’s take a deeper look at the Azure Active Directory (AAD) workflow. This workflow allows you to gather login information out of your Azure AD.
Query.AI workflow for BOSS “Azure Active Directory” use-case
The first four lines show us sign in sourcetype grouped by sourcetype. This will give you a count all events and give you a total of how many times each of these events occurs.
The next five lines of the workflow allow us to look at specifically Audit events generated by Azure Active Directory. An audit event is generated when a change is made somewhere in AAD. Changes that get logged as audits can include: changes to user groups, group policy changes, removal of users or groups, etc. This workflow organizes results by determining all the unique changes that are made, and who the changes are being made upon. It then groups all of these changes by the account that is making the change. This helps you to determine whether the actor making changes in your AAD is a legitimate one or not.
The last four lines of the workflow show all login information that gets logged by AAD. All the information is distilled down to the unique users that are logging in, then is grouped by which application that they are logging into. This allows you to see which users are accessing which of your Azure applications.
Being able to capture these investigative questions into workflows provides three major advantages.
1) You can use natural language to query your data; meaning you don’t need to know any special syntax in order to get the results that you desire.
2) You can save workflows to run this sequence of questions again (even automate them). Having the ability to run this exact same investigation again ensures consistency when you are attempting to detect changes in your environment and that the same data is queried each time to ensure accurate results!
3) Then you can share this workflow with others in your organization or to the community. This allows for collaboration that will help to refine your workflows and make the functionality even stronger!
Want to be BOSS?
Click here to learn more about Query.AI's IRIS app for Splunk and let us get you started on a path to victory!
Be sure to leave your comments below!
Boss of the NOC and SOC Competitions
Hunting with Splunk: The Basics
I Azure You, This Will Be Useful
Posted by Grant Jacobson
I am a senior Computer Information Systems and Business Management student at Dakota State University. Working as a IT and Security Analyst intern with Query.AI allows me to further my education and gain real world experience by writing plain english cybersecurity workflows for platforms like Splunk and Elasticsearch to help automate SIEM, SOC, and NSOC operations within companies!