Graphistry + Bro Logs for Faster IR and Threat Hunting

Posted by Graphistry Team on Sep 20, 2018

Incident responders and threat hunters are often facing a bit of an analytical catch-22. They typically have access to more and higher fidelity data sources than ever before, yet the volume and complexity of the data can often make it hard to see the point that matters.

Analyzing Bro logs is a good case in point. Bro can bring a ton of context and potential paths to pivot through an investigation, but this same wealth of data can quickly get impractical to use in a real investigation. Being able to see through this complexity and pivot to bring in the right context is something that graphs excel in general and Graphistry specializes in the context of an investigation. The video and walkthrough below shows how Graphistry can quickly accelerate a common investigation.




Getting Started

Let’s look at common investigation. Below we are looking at some Bro logs in Splunk, where we see some suspicious downloads that appear to GIF files but are actually executables. From here we can jump right into the investigation in Graphistry using a deeplink from within Splunk. This drops us into a pre-built Graphistry investigation template that can automatically query additional context and data sources.

Graph_Bro1


Viewing Basic Connections

Once we are are in the Graphistry template, have pre-built pivots that brings in additional context. We can just Run All Pivots and then use the UI to filter data from the pivots that we want to see.


By looking at the first pivots, we can quickly see all the IP addresses and domains that are associated with our suspect files. In the diagram each ring shows a type of data (e.g. File hash, IP address, domain, etc), and the key in the bottom right shows what each ring represents.
From this view we can quickly see the IP addresses that are associated with our suspicious files.

file_to_IP


Enrich and Expand

Next we can start to enrich our info from Bro. In the next few pivots we can pull in data from Virus Total to see if there are any hits on the suspect files and IP addresses. Below we can see we are getting a non-trivial amount of hits on our files as well as the IP addresses associated with those files. This gives a quick and easy way to verify that we are looking at a real incident.

VT_Hits-1


Expand and Hunt

Now that we know that we are looking at a real incident, we might get curious to see if other devices have been communicating with these bad IP addresses. We can enable our final two pivots and focus just on the results of those two data sources to see if we picked up any new hits.

expand_hunt-1


And from here we can quickly see a new IP address with Virus Total hits that we hadn’t seen before. So now we can continue to pull this thread to find other hosts in the network that may be affected by this same threat and see the full scope of the incident.

expand_hits


Of course, we can continue to pull this thread to expand our search. However, hopefully this provides a feel for how we can take a relatively dense set of data and visually expand to see the relationships that we care about and progressively expand to follow the natural flow of an investigation.

Topics: Bro, Incident response, threat hunting