Accelerate your Investigations – Associating Assets and Identities to Log Events over Time

We have all been there at some point during a security investigation: staring at a set of suspect log events for a specific period of time and trying to figure out who was associated with the IP address found in each event and what asset the IP was assigned to. This task can take security teams hours, depending on the investigation, and usually involves manually correlating several different logs or data sets. What if this task could be performed in seconds? It can, with Aura Asset Intelligence, and in this post we will show you how this is done and how you can massively accelerate your investigations as a result.

Some Background

Aura Asset Intelligence provides continuous asset discovery for Splunk. In addition to discovering all your assets and identities, including those that you are unaware of, it also keeps a full record of all asset and identity detections and changes. This allows Aura to know exactly when an asset or identity has changed over time.

For example, many people are working from home remotely due to Covid-19 and are likely logging into corporate networks over VPN, with their workstation assigned an IP address via DHCP. If a user logs off and another user logs in, the subsequent user could be assigned the IP address previously associated with the first user. Aura detects and captures this activity and more, and leverages it for a range of intelligence-driven reporting.

Use Case: Associating Assets and Identities to Firewall Logs during an incident

You are working a security investigation and have identified that some kind of incident occurred between 2pm and 4pm last Wednesday. While searching Splunk for this timeframe you come across a number of Cisco firewall and Bluecoat proxy logs that look suspicious. Unfortunately, both the firewall and proxy logs only contain source IP addresses, not the user or host associated with each event. However, in order to progress your investigation, you really need to identify who was associated with each event and what asset they were using.

To perform this task, we launch the Forensic Activity Search view found within Aura and set the time range to the exact time of the incident (2-4pm last Wednesday). Then we simply select the raw sourcetypes that we wish to search over (in this case, cisco:asa and bluecoat) and hit Submit.

Now the magic happens! Behind the scenes, Aura analyses each event and accurately associates the identity (user) and asset (host) to it based on the time of the event, so an IP address is resolved to whoever held it at that moment, not to whoever holds it now. It performs this work in just a few seconds, not minutes or hours.
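To make the time-based association concrete, here is an added example of the underlying technique (a point-in-time, or "as-of", join of events against an IP assignment history). It is illustrative code written for this post, not Aura's implementation or any Splunk API. The assignment history and the firewall/proxy events are constructed sample data; the user `jjerde` and host `amadkbrgmb2nqh` are taken from the scenario in this post, the IP addresses, the second user, and the `max_age` staleness cut-off are assumptions of the example.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed data below."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed assignment history (what a DHCP/VPN log would tell you): from
# `since` onward `ip` belonged to `user` on `host`, until a later row for the
# same IP supersedes it. The second row re-issues 10.1.1.25 to another user,
# the situation the post describes for remote VPN users.
ASSIGNMENT_HISTORY = [
    {"ip": "10.1.1.25", "since": "2021-03-03T13:00:00Z", "user": "jjerde", "host": "amadkbrgmb2nqh"},
    {"ip": "10.1.1.25", "since": "2021-03-03T15:10:00Z", "user": "bsmith", "host": "ws-4421"},
    {"ip": "10.1.1.40", "since": "2021-03-03T09:00:00Z", "user": "mchen", "host": "ws-1077"},
]

# Constructed firewall/proxy events that carry only a source IP, like the
# cisco:asa and bluecoat events in the scenario.
EVENTS = [
    {"_time": "2021-03-03T14:05:00Z", "sourcetype": "cisco:asa", "src_ip": "10.1.1.25"},
    {"_time": "2021-03-03T15:30:00Z", "sourcetype": "bluecoat", "src_ip": "10.1.1.25"},
    {"_time": "2021-03-03T14:45:00Z", "sourcetype": "cisco:asa", "src_ip": "10.1.1.99"},
    {"_time": "2021-03-03T08:00:00Z", "sourcetype": "bluecoat", "src_ip": "10.1.1.40"},
]


def build_index(history):
    """Group assignment rows by IP and sort each group by start time so that a
    point-in-time lookup is a binary search rather than a scan of the history."""
    grouped = defaultdict(list)
    for row in history:
        grouped[row["ip"]].append((parse_ts(row["since"]), row["user"], row["host"]))
    index = {}
    for ip, rows in grouped.items():
        rows.sort(key=lambda r: r[0])
        index[ip] = ([r[0] for r in rows], rows)
    return index


def lookup(index, ip, when, max_age=timedelta(days=7)):
    """Return the (user, host) that held `ip` at time `when`, or None.

    The most recent assignment that started at or before `when` wins. An
    assignment older than `max_age` (an assumed cut-off) is treated as stale
    and produces no match rather than a guess."""
    if ip not in index:
        return None
    starts, rows = index[ip]
    pos = bisect_right(starts, when) - 1
    if pos < 0:  # the event predates every known assignment for this IP
        return None
    since, user, host = rows[pos]
    if when - since > max_age:  # no fresh observation; do not attribute
        return None
    return user, host


def enrich(events, history, max_age=timedelta(days=7)):
    """Add matched_user / matched_host to each event, mirroring the field
    names the post shows in Splunk search results. Unmatched events keep
    None in both fields so they are visible rather than silently dropped."""
    index = build_index(history)
    enriched = []
    for event in events:
        match = lookup(index, event["src_ip"], parse_ts(event["_time"]), max_age)
        out = dict(event)
        out["matched_user"], out["matched_host"] = match if match else (None, None)
        enriched.append(out)
    return enriched


if __name__ == "__main__":
    for e in enrich(EVENTS, ASSIGNMENT_HISTORY):
        print(e["_time"], e["sourcetype"], e["src_ip"], e["matched_user"], e["matched_host"])
```

Run as written, the two events from 10.1.1.25 resolve to different people (jjerde at 14:05, the later user at 15:30) because the lookup keys on the event time, not on the current owner of the address; the 10.1.1.99 event and the 08:00 event, which predates the first lease for 10.1.1.40, come back unmatched. The `max_age` cut-off is the design choice worth keeping in a real pipeline: a lease record that has not been refreshed for a week is weak evidence, and a confidently wrong attribution is more harmful to an investigation than an empty field.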

In the image below, you can see that Aura returns a list of firewall and proxy events by event type, along with the associated (or ‘matched’) user and host.

Clicking on an individual row will launch a modal popup and show the raw events. In this case we select the first row, which is a Cisco firewall event type. The popup displays two raw firewall events at this particular time and Aura has associated the user (identity) jjerde and host (asset) amadkbrgmb2nqh to each of the events, even though these attributes are not in the raw Cisco ASA data.

Clicking on View in Search allows us to view the individual events in Splunk's search page. If we wanted, we could easily expand this search further to see more events or a wider timeframe. The matched_host and matched_user values are now accessible as fields like any other field in Splunk. Expanding an individual event, we can further investigate the host using the built-in Aura – Network Asset Investigation workflow action, as seen in the image below.

The Network Asset Investigation view in Aura now loads with the hostname pre-populated and provides some in-depth information about the host. From here we can see that Aura has identified this host as an IoT asset; specifically, an Amazon Fire Stick media device, last seen on our network in Canada 5 days ago.

Unrivaled Power and Faster Investigations

As you can see from this simple scenario, Aura can significantly speed up your security or forensic investigations and save hours of effort. Aura quickly and accurately associates assets and identities to any event over any time in just a few seconds.

Aura Asset Intelligence runs on Splunk. If you would like to find out more or get a demo or free trial, please contact us today.

© Discovered Intelligence Inc., 2021. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.