Name: Detection Engineering in Gravwell
Start: 2023-09-18T15:53:00Z
End: 2023-09-18T15:53:12.000Z
Location: BrightTALK
Rating: 0

Gravwell is a data platform with security lake features that enables teams to investigate, collaborate, and analyze data on-demand, from any source — all with unlimited data collection and retention.

In this video series, we are going to walk through a typical Security Analyst workflow: triage. We will use multiple data sources and straightforward queries to demonstrate how Gravwell can fit right into the investigations necessary for a Security Analyst to understand the scope of a potential intrusion.

From Maldoc to Hands On Keyboard Intrusion.

Workshop Resource Link: https://update.gravwell.io/archive/threathunt-workshop/1/
Join us on Discord: https://discord.com/invite/gravwell


CTF Scenario

In this scenario, you have been tapped as an expert to help an organization investigate a potential breach.The threat hunting team lead has a hypothesis that the attackers were able to obtain access through the ssh daemon in April. Your task is to test that hypothesis and provide a report of activity during that period.

In this directory is auth.log data. You first need to stand up a Gravwell instance and ingest the data (via the GUI is easiest). Then, please answer the questions below using Gravwell search.


The following questions serve as a bit of a "roadmap" to this hunt:
How many entries are there for this time period?
How many failed entries are there for this time period?
Provide a time series bar chart of users who have successfully logged in during this time period and the query used to generate it.
Provide a geographical map of all login attempts (successful or not) during this time period and the query used to generate it. (our network enrichment kit will help)
How many successful logins occurred during this period?
Provide a stackgraph chart of the count of successful authorizations by accounts and their login methods.

Extrapolations :
Do you confirm or reject the threat hunting hypothesis?
If confirm, please explain your thoughts and provide evidence of compromise.
If reject, please explain your thoughts and provide any evidence or searches backing that conclusion.

Useful links for standup and ingestions are:
https://www.gravwell.io/community-edition - Get a Community Edition license
https://docs.gravwell.io/quickstart/quickstart.html
https://hub.docker.com/r/gravwell/gravwell/
https://github.com/gravwell/gravwell/tree/master/ingesters

Threat Hunting and Log Analysis Workshop - Part 1

Join our interactive and informative workshop to dive deep into malware and threat detection through log analysis.

Workshop Resource Link: https://update.gravwell.io/archive/threathunt-workshop/1/
Join us on Discord: https://discord.com/invite/gravwell

Our expert Corey will walk you through a real-life scenario where malware was executed on a Windows workstation. You will learn how to identify the malware and any lateral movement within the compromised environment while gaining insights into the average attacker dwell time and its implications.

Did you know? The average attacker dwell time is almost 300 days. (IBM-2022) "That's ten full months of an attacker having a presence within your environment without being detected ON AVERAGE!! Happy to discuss this more in the workshop. Go ahead and ping me in the questions chat." - Corey, workshop instructor.

During this workshop, you will discover how to build Indicators of Compromise (IOCs) to detect known malware and integrate them into your custom detection lists. We will differentiate between IOCs and threat hunting and explore the tools and techniques essential for effective malware analysis.

Threat Hunting and Log Analysis Workshop Part 2: Hunting for Malware in Logs

Get ready for an intergalactic network security adventure! Picture this: Corelight at Home and Gravwell join forces in a cybersecurity extravaganza. Join our enigmatic webinar, where a former FBI Digital Media Exploitation Analyst takes center stage. Together, we'll decode the mysteries of optimal Corelight performance, sprinkle in some 'corelight-softsensor.conf' magic, and unleash the power of Gravwell's Query Studio and Dashboards.

But wait, there's more! Brace yourselves for a cosmic encounter with KYESEC.IO, the automation wizard that'll have you saying, 'Why didn't I discover this sooner?' Secure your spot, fellow space cadets – this isn't just a webinar; it's a cybersecurity odyssey hosted by an FBI pro. Don't be the one left in the dark. Click to register and embark on a journey to the stars! #NetworkSecurityMST3K #CorelightInvasion #GravwellGalaxy

Network Analysis with a Former FBI Analyst to uncover threats

In this video, we will step through basic, common queries that a Security Operations Center analyst might use when trying to orient themselves to their data sources. 

We will use a series of exploratory queries on tabular data that has been setup with an auto extractor in advance. It is intentionally basic but builds up some basic, important tooling that any analyst would love to have available. 

We will ultimately build up to a common use case of hunting down the results of a phishing email. Viewers should walk away from this video with a better understanding of how to explore data sources within Gravwell.

Orienting a SOC Analyst In Gravwell

Security Data Lakes (SDL) are being used by more organizations to keep up with data collection, retention, scalability, and analysis requirements.
In this webinar, we will walk through how an SDL handles

- Large data volumes
- Data complexity & unstructured data
- Hybrid and multi-cloud environments

Before finishing on how to maximize the value from your SDL.

What Is A Security Data Lake

Security Data Lakes are no longer only for large organizations. With modern data and event generation, medium and smaller enterprises are increasingly taking advantage of a centralized repository to collect once and then analyze many times. Adding schema in real time enables incredible flexibility in analytics for security automation, root-cause analysis, and threat hunting.

In this webinar, we will cover 

- How to reduce your SIEM costs with a security data lake
- Using Data for root-cause analysis and forensics
- Enabling threat hunters through Gravwell's flexible search.

4 Ways To Reduce The Data Load Sent To Your SIEM

In this webinar, we will cover 

- Multi-Cloud Logging for AWS, GCP, Azure
- Kubernetes and Container Logging
- Prevent your cloud environment from sending data from one provider to another when there is no need, therefore helping with corporate data sovereignty through a federated architecture
- Steps to preserve the original format to avoid normalization and data loss allowing for more accurate route cause analysis

Transform Your Log Centralization Strategy Within Hybrid Cloud Ecosystems

In this webinar, we will cover

- A general overview of the common Sysmon Event IDs and how to interrogate the data with queries.
- Why you may want to set up a configuration file to ingest everything, and when are you ready to make that substantial change.
- How to improve your search techniques and even chart process creation grouped by EXE + Computer or even search for a specific EXE.

Collect, Search, And Analyze Windows & Sysmon Events

In this video, we cover structured vs. unstructured data. In this short video, we will walk through why structure on read allows you to ingest data in its raw format, apply structure, and search the raw logs.

Data Wardens: What Is Structure On Read

In this video, we demonstrate a realistic scenario in which two discrete, but complementary data sets are used to build a cohesive data pipeline. We will use a vectorized non-temporal lookup table in order to combine two data sets that are critical for cybersecurity investigators.

Compound Queries: Non-Temporal Joins

The purpose of this video is to showcase Gravwell’s search capabilities through a slightly different lens than those of previous videos: that of a detection engineer. 

While we are building on findings from our previous videos in this series, our objectives have shifted; namely, we are aiming to develop queries that will allow us to discover threat actor activity on a proactive basis. In support of this goal we will not be focusing expressly on query logic but rather on the findings surfaced via said queries. 

We will then transition to the Automation “Flows’ functionality to show how a query can be translated to an automated notification using no-code workflows.

Detection Engineering in Gravwell

Cyber Security

Information Security

Cyber Attacks

Cyber Defence

Cyber Incident Response

Network Detection

Network Security

Security Operations Center

Incident Response

Threat Hunting

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

The storage community on BrightTALK is made up of thousands of storage and IT professionals. Find relevant webinars and videos on storage architecture, cloud storage, storage virtualization and more presented by recognized thought leaders. Join the conversation by participating in live webinars and round table discussions.

Storage

Network infrastructure professionals understand that a reliable and secure infrastructure is crucial to enabling business execution. Join the network infrastructure community to interact with thousands of IT professionals. Browse hundreds of on-demand and live webinars and videos to learn about the latest trends in network computing, SDN, WAN optimization and more.

Network Infrastructure

Welcome to the big data and data management community on BrightTALK. Join thousands of data quality engineers, data scientists, database administrators and other professionals to find more information about the hottest topics affecting your data. Subscribe now to learn about efficiently storing, optimizing a complex infrastructure, developing governing policies, ensuring data quality and analyzing data to make better informed decisions. Join the conversation by watching live and on-demand webinars and take the opportunity to interact with top experts and thought leaders in the field.

Big Data and Data Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Detection Engineering in Gravwell

Presented by

About this talk

More from this channel