Threat hunting is the proactive side of cybersecurity. It rests on the idea that no matter how many state-of-the-art security solutions we have in place, none of them is impregnable or bulletproof. At some point a bad actor or a bad thing is going to get past them - and we threat hunt to find those actors and things.
It can also be thought of as being similar to hunting for needles in enormous haystacks - so anything that helps us automate parts of the process or makes us more efficient in our hunting efforts is very welcome.
GenAI apps can help here.
Recently I’ve been thinking about how to craft better searches in Splunk. Splunk is a security information and event management (SIEM) system and can be a valuable data source in threat hunting. This morning I did some quick testing of three GenAI apps to see if they could help me with two specific threat hunting tasks. The three apps are ChatGPT 4o, Claude 3.5 Sonnet, and Gemini Pro. To each of these apps I uploaded two PDF documents with hunt profiles I created a few years back that still feel useful. The two documents are:
Starter Hunt Profile - Lateral Movement Detection via Process Monitoring
Starter Hunt Profile - Malicious User Account Creation
The prompt I gave each of the apps is:
While each of the GenAI apps offered a decent response, there is a very clear order in terms of which was best and which one I could most easily work with right away.
ChatGPT 4o gave a good but not great response, far better on the search for malicious account creation than the one for detecting lateral movement via process monitoring.
Gemini finished third. In its initial response it offered code snippets rather than a full query ready for the Splunk search box. When I prompted it to provide more detail, it drifted further away and gave me Python code.
Claude 3.5 Sonnet was the (very) clear winner here - with easily the best and most ready-to-use response.
Here is Claude’s Splunk query for malicious account creation:
What makes Claude’s response even stronger is the understanding it shows of how we would want to shape the search results to surface what is not normal and potentially worth digging into further, which it explains as part of its response:
This Splunk search query does the following:
Searches for Windows Security events related to account creation and modification.
Checks if the account name follows naming conventions (assuming a CSV lookup file).
Identifies privileged and local accounts.
Aggregates the results by computer, showing counts, account names, creators, and other relevant information.
Filters for potentially suspicious activities, such as multiple account creations, privileged accounts, local accounts, or accounts not created by SYSTEM.
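Claude’s own query is not reproduced above, so here is an added Splunk SPL search of my own that implements the five steps just described. It is an illustration, not the query Claude produced. It assumes the Splunk Add-on for Microsoft Windows field names (EventCode, user, src_user, dest, Account_Domain, Group_Name), an index called wineventlog, and a CSV lookup named approved_accounts.csv with columns user and approved; the "local account" test, which treats a new account whose domain equals the host name as local, is also an assumption about how those fields are laid out.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4728 OR EventCode=4732 OR EventCode=4756)
| eval event_type=case(
      EventCode=4720, "created",
      EventCode=4722, "enabled",
      EventCode=4724, "password_reset",
      EventCode=4728 OR EventCode=4732 OR EventCode=4756, "added_to_group")
| lookup approved_accounts.csv user OUTPUT approved
| fillnull value="no" approved
| eval is_privileged=if(match(coalesce(Group_Name, ""), "(?i)admin"), 1, 0)
| eval new_account_domain=mvindex(Account_Domain, -1)
| eval is_local=if(lower(coalesce(new_account_domain, "")) == lower(coalesce(dest, "")), 1, 0)
| eval created_by_system=if(match(coalesce(src_user, ""), "(?i)(^|\\\\)SYSTEM$") OR like(src_user, "%$"), 1, 0)
| eval not_system=1-created_by_system
| bin _time span=1h
| stats count AS events,
        dc(user) AS distinct_accounts,
        values(user) AS accounts,
        values(eval(if(approved=="no", user, null()))) AS unapproved_accounts,
        values(src_user) AS creators,
        values(event_type) AS event_types,
        values(Group_Name) AS groups,
        sum(is_privileged) AS privileged_events,
        sum(is_local) AS local_events,
        sum(not_system) AS non_system_events,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY dest, _time
| where distinct_accounts > 2
     OR privileged_events > 0
     OR local_events > 0
     OR non_system_events > 0
     OR mvcount(unapproved_accounts) > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| fields - _time
| sort - privileged_events, - distinct_accounts
```

The one-hour bin turns "multiple account creations" into "more than two distinct accounts touched on one host within an hour", which is the sort of threshold that needs tuning against your own baseline; start with it wide, look at what a normal day produces, then tighten it. The approved_accounts.csv lookup is the naming-convention check the explanation mentions: anything not found in the CSV is treated as unapproved and surfaces in its own column so it is easy to eyeball.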
Claude’s response for detecting lateral movement via process monitoring is just as strong. Here is its explanation of what it is doing with the search query, which again is spot on in terms of finding things that may warrant further investigation:
This Splunk search query does the following:
Searches for Windows Security events related to process creation (Event Code 4688).
Focuses on commonly used processes for reconnaissance and lateral movement.
Counts the number of these processes executed within a 10-minute window.
Identifies clusters of 3 or more suspicious processes within that time frame.
Aggregates the results by computer, showing the number of suspicious clusters, executed processes, parent processes, users, and the time range of the activity.
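As with the account-creation hunt, the actual query is not shown, so here is an added SPL search of my own that implements these five steps; it is not Claude’s output. It assumes the raw Windows 4688 fields New_Process_Name and Creator_Process_Name (the latter is only populated on Windows 10 / Server 2016 and later), the Add-on fields user and dest, and an index called wineventlog. The list of processes is a constructed starter list of the usual discovery and remote-execution utilities, not an authoritative one.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
| rex field=New_Process_Name "(?<process>[^\\\\]+)$"
| rex field=Creator_Process_Name "(?<parent_process>[^\\\\]+)$"
| eval process=lower(process), parent_process=lower(coalesce(parent_process, "unknown"))
| search process IN ("net.exe", "net1.exe", "nltest.exe", "whoami.exe", "quser.exe",
                     "qwinsta.exe", "tasklist.exe", "nbtstat.exe", "dsquery.exe",
                     "wmic.exe", "psexec.exe", "psexesvc.exe", "sc.exe", "schtasks.exe",
                     "reg.exe", "powershell.exe", "cmd.exe")
| bin _time span=10m
| stats count AS proc_count,
        dc(process) AS distinct_procs,
        values(process) AS processes,
        values(parent_process) AS parent_processes,
        values(user) AS users
  BY dest, _time
| where distinct_procs >= 3
| stats count AS suspicious_clusters,
        values(processes) AS processes,
        values(parent_processes) AS parent_processes,
        values(users) AS users,
        min(_time) AS first_cluster,
        max(_time) AS last_cluster
  BY dest
| eval first_cluster=strftime(first_cluster, "%Y-%m-%d %H:%M:%S"),
       last_cluster=strftime(last_cluster + 600, "%Y-%m-%d %H:%M:%S")
| sort - suspicious_clusters
```

Two design choices are worth knowing about when you tune this. First, the cluster test counts distinct suspicious processes (dc) rather than raw executions, so a script that calls net.exe thirty times in a row is one signal, not thirty. Second, bin gives fixed ten-minute windows, so three processes that straddle a window boundary will not cluster; if that matters in your environment, streamstats with time_window=10m by dest gives a sliding window at the cost of a heavier search. Expect cmd.exe and powershell.exe to dominate on admin workstations and jump hosts; those are the first entries to carve out with an allowlist once you have looked at a few days of results.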
Using Claude, or any GenAI app, doesn’t automate any part of the process of threat hunting in Splunk. It can definitely make it faster though. Claude generated the search queries for the two example hunts in under 20 seconds. I don’t know many cybersecurity pros who could do that as quickly. Of course in some cases, maybe even many cases, the search query generated by the GenAI app won’t be perfect; it will need some tweaking, but I would say that even allowing for that tweaking we’ll end up with a usable query faster most of the time.
Some of the very best words I’ve seen anywhere on using and getting the most out of GenAI tools are those of Professor Ethan Mollick. Like these for example - these are pinned for me in a favorite notes app as a reminder:
… “always invite AI to the table” is the principle in my book that people tell me had the biggest impact on them. You won’t know what AI can (and can’t) do for you until you try to use it for everything you do.
I just finished reading his book referenced in that quote and I think it is a fantastic overview of generative AI and how we can interact with it. The book is titled Co-Intelligence and this is its Amazon link.
A lot of my posts here are based on inviting these GenAI apps to the table, and I plan to keep on inviting them.
Great and useful article!