Improving Visibility in Security Operations with Search-Driven Lookups
Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention is a new type of search that Splunk calls Search-Driven Lookups. Because there has not been as much attention put to this, I wanted to share a bit about this capability and how it can be used.
Search-Driven Lookups originated from a question that users of legacy SIEM providers often asked; how can Splunk dynamically create watchlists that can then be used in correlating new events against a watchlist? Enterprise Security has had the ability to correlate against a watchlist for a few years and the method to create watchlists has existed since Splunk Enterprise 4.x, with additional features having been added along the way. Basically, a user can pipe search results through the outputlookup command and place returned values into a lookup. This lookup can then be used in subsequent searches using the inputlookup command.
Starting with Enterprise Security 4.2 in Splunk Cloud and continuing with ES 4.5, the search-driven lookup is available via Configure -> Content Management and provides 25+ searches that populate lookups and can be used with correlation searches, dashboard panels, and other knowledge objects.
Let’s look at a few ways that search-driven lookups can be used and how they could be applied to security operations.
In this example, a search-driven lookup is being used to track when a particular set of events were first observed and most recently observed. The Malware Tracker search-driven lookup populates a list of malware detections first seen and last seen, grouped on host/IP address and signature. This information is updated by default at 10 minutes after the hour, every hour to the malware_tracker lookup.
These observations can then be used to populate dashboards and panels within Enterprise Security. In this case, the Oldest Infection panel within the Malware Operations dashboard reflects this data . This panel provides an analyst with a list of systems that have been infected by malware, the first and last time that malware was identified on the system and then a calculation to determine how many days it has been active on the system.
Another way to use search-driven lookups is to calculate statistical values including standard deviations, minimum and maximum values across populations of events. These statistical values have applicability across security operations for tracking values like network traffic byte counts or web browser user agent strings.
Analyzing user agent strings and their variances across the enterprise may identify outliers that should be investigated. In this case, the search-driven lookup, User Agent Length Tracker, calculates statistical values of minimum length, maximum length, standard deviation of the population and the lengths of the user agent string ranges that are associated with their Z scores.
From here, this data can then be used in the HTTP User Agent Analysis dashboard to populate the User Agent Details panel based on the selection of the Standard Deviation Index dropdown. The search column in the lookup is passed as a token to the search to bound the relevant user agents of interest.
A third way, and possibly the most often requested way to use a search-driven lookup, is to leverage specific values like IP addresses or hostnames to generate a watchlist of values that can then be used in correlation searches to apply additional scrutiny to these watchlisted systems.
The ES Notable Events search-driven lookup generates a lookup that contains values including the correlation rule that triggered the notable event, its associated urgency, source and destination addresses, the status of the notable event as it applies to workflow, the owner of the notable event and additional values. By default, these events are gathered every 10 minutes and kept for 48 hours in this lookup before aging out.
With this list of known offenders, additional correlation searches could leverage these values to further scrutinize specific sources or destinations while utilizing additional values like urgency or the rule name to ensure these additional correlation rules are bound to the most critical events.
These are a few ways that Enterprise Security uses search-driven lookups. That said, there are a number of other things that can be done with this capability. One example of that is the Address Tracker dashboard that I created using the Search And Destination Tracker search-driven lookup. Search And Destination Tracker looks across multiple data models and provides source and destination for web, network traffic and intrusion detection events.
Address Tracker gives the user the ability to search a source address, destination address or both and returns actions like allowed or blocked, sourcetype of the events and when the source and destination pairs were first seen and most recently seen in Splunk. The text inputs can handle wildcards and the date range drop-down will bound the search to returning values where the last seen date/time falls between the earliest and latest time. With this, an analyst could easily check a connection and see what data sets it came from, it if was allowed or blocked and when it was seen.
I hope this provides a greater understanding of what search-driven lookups are and how they can be used. Collecting data sets and associating by date/time in the form of first seen and last seen, generating statistical values and ranges, as well as establishing watchlists are a few ways that Splunk has used this capability and with over 25 of these searches already built into Enterprise Security, they are ready for you to take advantage of. Like any Splunk search, they can be modified and additional search-driven lookups can be created to fit your specific use case.
Federal Security Strategist