Security Onion for Splunk 1.1.2 – Workflows and Event Views

Having spent the last few weeks working with the Security Onion for Splunk app and CIF (Collective Intelligence Framework) in addition to the recently released DShield for Splunk app, I found some of the workflows weren’t as easy to pivot from the dashboard panel to workflow queries as I liked. The latest release addresses this issue while expanding on the workflow capabilities already available.

Where you’ll notice the change the most is in the drilldowns from panels. I left the Overview dashboard alone, but on almost all the others you’ll notice that when you drill down on an event in a panel, the results now show an event listing with key fields selected instead of the cleaner table views. I’m trading aesthetics for functionality. The event listing provides quick access to workflows, and that is where this update shines.

For example, the Monitors > Sguil Events panel screenshot below shows a drilldown on a Zeus alert. From the workflow dropdown menu on the left, you can now query DShield for Splunk app and Robtex, in addition to CIF, for source and destination IPs.

It gets better with Bro IDS when we look at HTTP Mining.

In addition to source and destination IPs, Bro results containing domain or md5 fields (typically Bro HTTP and SMTP entities logs) will now allow you to query those values directly against CIF. CIF and Robtex searches open conveniently in a new tab. DShield queries will spawn a new window for now. There is a difference in how Splunk handles link-type versus search-type workflow actions: the former opens a new tab, the latter a new window, and that behaviour needs further exploring.
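As an added illustration of the link-versus-search distinction above (this is not the app's own configuration), here is what the two kinds of Splunk workflow action look like in workflow_actions.conf; the CIF URL path, the API key, and the DShield sourcetype and field names are placeholders and assumptions:

```ini
# Assumed placement: workflow_actions.conf in the app's local/ directory.

# Hypothetical CIF lookup as a "link" action. It appears only on events that
# carry a domain or md5 field, and link.target = blank opens it in a new tab.
[cif_lookup_domain_md5]
display_location = both
fields = domain, md5
label = Query CIF for $@field_name$ = $@field_value$
link.method = get
link.target = blank
link.uri = https://CIF_SERVER_PLACEHOLDER/api/$@field_value$?apikey=CIF_APIKEY_PLACEHOLDER
type = link

# Hypothetical DShield pivot as a "search" action. It runs a Splunk search over
# the last 7 days against an assumed sourcetype; search.target = blank opens
# the result in a new window rather than a tab.
[dshield_search_src_ip]
display_location = both
fields = src_ip
label = Search DShield data for $src_ip$
search.search_string = sourcetype=dshield* ip=$src_ip$
search.target = blank
search.earliest = -7d
search.latest = now
type = search
```

Restrict `fields` to the attributes you actually want to pivot on so the actions only appear where the value makes sense.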

NOTE: You will likely have to reconfigure the CIF workflow server and API keys. For instructions reference my previous post on Querying CIF Data From Splunk.

If you haven’t checked out CIF but want to get a sense of what it’s all about, head over to josehelps.com who has generously stood up a public instance of CIF. You can fill out the form to request an API key and give it a spin.

I’m currently exploring other ways to integrate correlation against the DShield for Splunk data and am working on adding a DShield mining dashboard that will likely be a prototype for future CIF mining dashboards, so more goodness to come.

Happy Splunking!
