Since DNS is on 🔥 today, I should note that if you're a Splunk shop, the DNS data model in Enterprise Security does not include the field for TXT record values; you need to add that manually.

Then you can do high-fidelity detections such as length and base64 with conversions looking for code.

#dns #splunk #blueteam
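An added example of the length-plus-base64-decode detection the post describes, written here for this thread and not taken from the poster or from Splunk; it runs the logic in Python over constructed key=value events, and assumes `txt_value` is the name you gave the field you added to the DNS data model. The DKIM-style record shows why length alone is noisy and the decode-and-look-for-code step is what makes the detection high fidelity.

```python
import base64
import re
# Constructed sample events in a Splunk-style key=value layout. Assumption:
# txt_value is the field you added to the DNS data model for TXT answers.
SAMPLE_EVENTS = [
    'query="example.com" record_type="TXT" txt_value="v=spf1 include:_spf.example.com ~all"',
    # DKIM-like record: long and base64, but it decodes to key material, not code
    'query="sel._domainkey.example.com" record_type="TXT" txt_value="v=DKIM1; k=rsa; p='
    + base64.b64encode(bytes(range(200))).decode() + '"',
    # constructed suspicious record: base64 that decodes to script text
    'query="c2.example.test" record_type="TXT" txt_value="'
    + base64.b64encode(b"import socket\nprint('constructed sample')").decode() + '"',
]
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# optional "k=" prefix (as in DKIM p=...) then a base64 run of 16+ characters
B64_TOKEN_RE = re.compile(r'^([a-z]+=)?([A-Za-z0-9+/]{16,}={0,2})$')
CODE_HINTS = ('import ', 'print(', 'eval(', 'exec(', '#!/', 'function ', 'http')

def find_base64_tokens(value):
    # split on whitespace and ';' so bare blobs and DKIM p= values are both found
    matches = (B64_TOKEN_RE.match(t) for t in re.split(r'[\s;]+', value))
    return [m.group(2) for m in matches if m]

def looks_like_code(decoded):
    # conversion check: mostly printable text that carries script-like tokens
    text = decoded.decode('utf-8', errors='replace')
    printable = sum(c.isprintable() or c in '\n\t' for c in text) / max(len(text), 1)
    return printable > 0.95 and any(h in text.lower() for h in CODE_HINTS)

def score_txt_record(value, length_threshold=255):
    findings = []
    if len(value) > length_threshold:
        findings.append('long_txt')          # length alone also fires on DKIM keys
    for token in find_base64_tokens(value):
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        if looks_like_code(decoded):
            findings.append('base64_code')   # high fidelity: it decodes to code
    return findings

def detect(lines):
    hits = {}
    for event in (dict(KV_RE.findall(line)) for line in lines):
        if event.get('record_type') != 'TXT':
            continue
        findings = score_txt_record(event.get('txt_value', ''))
        if findings:
            hits[event['query']] = findings
    return hits
```

In a Splunk search the same shape is a `len(txt_value)` eval plus a base64 decode and keyword match; the threshold and hint list here are starting points to tune against your own TXT traffic.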

@badsamurai WTF? Lucky me, my Splunk admins must have done that for me.

@cR0w I hope when they re-align to OCSF the DMs will get an overhaul. Email is just trash. I always modify the DMs with panache. Once you tear off that bandaid it gets fun. My Web now contains geo, TLD and custom flags (double hyphens, lots of hyphens, word list lookups, UA list lookup, email in URI, etc.)

@badsamurai I don't have enough access (or knowledge) to do it that way, so I do it all within my queries. Not ideal, but I have found interesting things while testing and tuning the queries, so it could be worse.

@cR0w The original impetus of Web customization was to allow me almost immediate 180 day search results of something I want to block via my proxy: unwanted SaaS, TLD, geo, file types, UAs. Then I'd immediately know my potential business impact of users, their roles, business units and usage/cadence.

Which has become a fairly standard process:

  • Read private and public intel reports
  • Review/draw the attack chain
  • Ask myself what the hell is $that, which is being abused and I've never heard of or considered.
  • Neat. Can we block the root $thing? E.g., trycloudflare, weebly, pythonanywhere, .rar
  • Do it immediately. Or soonish with comms? Sometimes a change control. Or cannot, crap, fine, I'll do DE.
  • I'm a lazy automation engineer. I'd much rather just block or not do a $thing than build a detection and playbook. I just sell it as tech debt avoidance and posture management so I can go outside more.

#blueteam

@badsamurai That's fair. And I wish I could take that approach more. But getting change control to be willing to accept mitigation suggestions and with the risk of being fired for even appearing to have caused a tiny disruption, I mostly stick to the DE side and dig around. I learn more that way too, including about my own org.

@cR0w I get that, unfortunately. I can only operate this way because of the trust my leadership built with the business, their trust and familiarity with how we operate, and my team's internal brand that is seen as a willing partner with b-units. We also fast track any exceptions of the more sweeping blocks with less than an hour response time--but the historical search and targeted comms makes this rare.

@badsamurai Now you're just bragging. 😉

@cR0w hah! For now. I have no control of regime changes, which are an existential threat to any functioning system, or general fun.