IBM Security Cloud Pak for Security


Threat Hunting Using Kestrel Security Analytics

By Sulakshan Vajipayajula posted Thu August 19, 2021 09:08 AM

  

Prerequisites

Docker, STIX-Shifter, STIX

 

Estimated time

30 minutes

 

Data analysis is a core part of the threat hunting process. Analysts spend the majority of their time arranging and transforming the data collected from EDRs and SIEMs. Kestrel aims to reduce the burden of data analysis by providing simple constructs:

 

1) Simple constructs to express what to look for (GET processes or network-traffic FROM ..)

2) Builds on top of STIX-shifter to normalise data from multiple data sources

3) An extensible APPLY paradigm to run purpose-built analytics on the collected data.

 

Kestrel ships with a Docker analytics interface, plus 5 example analytics: threat intelligence enrichment via the SANS API, suspicious process scoring, machine learning model testing, geolocation visualization, and data plotting. Using analytics via the APPLY command requires Docker to be installed. Users can build their own analytics as well, following the template at https://github.com/opencybersecurityalliance/kestrel-analytics/tree/release/template.

 

Domain-name-lookup is a very simple analytic that provides context enrichment by looking up domain names for the IP addresses in the data set.


SANS-IP-Enrichment calls the SANS API to perform an IP information check. This can be extended to enrich the data with licensed threat intel interfaces.


The Exfiltration-detection analytic provides insight into the likelihood of data exfiltration by analysing the network traffic data collected from the data sources.

 

The Pinip-on-map analytic provides a way to put the IP addresses found in a variable onto a map. This analytic first gets geolocations for all IP addresses in the network traffic using the GeoIP2 API. Then it uses the Folium library to pin them on a map. The display object renders the pinned IPs on a map.


Suspicious-process-scoring is another helpful analytic that looks at the process information in the bundle and scores each process based on certain attributes. For example, if the process has established external network connections, was launched from PowerShell, or has an obfuscated command line, the score will be higher. It helps in isolating suspicious processes during a threat hunt.
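To make the scoring idea concrete, here is an added example (not the Kestrel project's own suspicious-process-scoring code) that scores constructed process records on the three attributes named above. The weights, the obfuscation heuristic and the record layout are assumptions, and the Parquet input/output plumbing of the Kestrel analytics template is omitted.

```python
"""Suspicious-process scoring in the spirit of the analytic above. Added example,
not Kestrel's own code; weights, heuristic and record layout are assumptions."""
import base64
import ipaddress
import re

# Constructed sample records: one row per process, joined with the destination
# IPs of its network traffic (roughly what a Kestrel variable hands an analytic).
PROCESSES = [
    {"name": "svchost.exe", "parent_name": "services.exe",
     "command_line": "svchost.exe -k netsvcs", "dst_ips": ["10.0.0.5"]},
    {"name": "rundll32.exe", "parent_name": "powershell.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL",
     "dst_ips": ["203.0.113.9"]},  # documentation range, stands in for "external"
    {"name": "powershell.exe", "parent_name": "explorer.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode(),
     "dst_ips": []},
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ENCODED_FLAG = re.compile(r"(?i)\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

def is_external(ip):
    """Anything outside RFC 1918 / loopback counts as external here."""
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def looks_obfuscated(cmd):
    """Encoded-command flag, or an unusually symbol-heavy long command line."""
    if ENCODED_FLAG.search(cmd):
        return True
    symbols = sum(1 for c in cmd if not c.isalnum() and c not in " -./\\:")
    return len(cmd) > 40 and symbols / len(cmd) > 0.2

def score_process(proc):
    """Return (score, reasons); higher means more suspicious. Weights assumed."""
    score, reasons = 0, []
    if any(is_external(ip) for ip in proc["dst_ips"]):
        score, reasons = score + 2, reasons + ["external connection"]
    if proc["parent_name"].lower() == "powershell.exe":
        score, reasons = score + 2, reasons + ["launched from PowerShell"]
    if looks_obfuscated(proc["command_line"]):
        score, reasons = score + 3, reasons + ["obfuscated command line"]
    return score, reasons

def rank(processes):
    """Highest score first, as an analyst would read the APPLY output."""
    return sorted(((p["name"],) + score_process(p) for p in processes),
                  key=lambda row: row[1], reverse=True)
```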


Happy threat hunting !!

 

For further reading:

https://securityintelligence.com/posts/threat-hunting-guide/

https://kestrel.readthedocs.io/en/latest/tutorial.html#applying-an-analytics

 


Comments

Thu July 06, 2023 10:15 AM

Hello, I'm Darwin Tusarma from Colombia. I'm currently the hunter in IBM Colombia. I don't have experience with Kestrel; I'd like to know if it is possible that you can help me with some questions.

I try to execute different queries in Kestrel but the system answers with errors, for example:

newvar = GET process FROM stixshifter://host101 WHERE [process:name = 'svchost.exe']

while scanning for the next token
found character '\t' that cannot start any token
  in "/home/kestrel/.config/kestrel/stixshifter.yaml", line 26, column 1

or this example: 

procs = GET process FROM events://edp1
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
AND binary_ref.name MATCHES '.+\.(exe|dll|bat)$'
AND ipv4-addr:value NOT ISSUBSET '10.18.35.1/16' AND (( parent_ref.name = 'explorer.exe' AND
parent_ref.binary_ref.name = 'explorer.exe' ) OR
( parent_ref.name LIKE '%.exe' AND parent_ref.binary_ref.name != 'powershell.exe'
) )
AND email-message:from_ref.value = ‘user@email.com.co' START 2023-06-29T15:05:00Z STOP 2023-06-30T08:00:00Z

where the error is:

[ERROR] KestrelSyntaxError: invalid token "LOGSOURCETYPENAME" at line 2 column 7, expects "STIXPATTERNBODY"
rewrite the failed statement.

I am currently trying to send the query to QRadar with Kestrel.

Thanks, I hope my question is clear.