Integrating Cisco Secure Network Analytics (SNA) with Enterprise Security and RBA

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Cisco Secure Network Analytics (SNA) provides a platform for analyzing network/flow data, enabling threat detection that might bypass existing controls. Alerts generated by Cisco SNA can be analyzed within SNA or forwarded to external systems like Splunk Enterprise Security for correlation with the broader security landscape. This guide shows you how to integrate SNA security detections with Splunk Enterprise Security, while using risk-based alerting (RBA) methodology.

This article focuses on integrating Cisco SNA Converged Security Alerts with Splunk Enterprise Security and RBA. It does not cover the integration of SNA "alarms," as they lack the necessary MITRE ATT&CK context required for full RBA integration.

This guide is available as an engagement with Splunk Professional Services. If you do not feel comfortable completing this guide on your own, or would like hands-on training with any of the concepts and processes included in this guide, contact our Professional Services experts.

Prerequisites

Splunk Enterprise Security 7.3.2 or later
Active use of Cisco Secure Network Analytics for network/flow data security analysis
SNA configured to send Converged Security Alerts to the Splunk platform, including MITRE ATT&CK context

Getting started

The following diagram illustrates the intended data flow after integration. Cisco SNA performs the primary analytics on network flow data, sending results to the Splunk platform and Splunk Enterprise Security for further correlation. Analysts can also pivot back into Cisco SNA from alerts displayed in the Splunk platform or Splunk Enterprise Security through a custom workflow action (not covered in this article).

Data flow diagram

Configure SNA to send Converged Security Alerts to the Splunk platform

SNA Converged Security Alerts can be forwarded to the Splunk platform via syslog, REST, or webhook. The recommended method is using a webhook to integrate with the Splunk platform through REST, sending HTTP POST payloads with alarm data, using the configured webhook URL (in SNA), to the HTTP Event Collector (HEC) configured in the Splunk platform.

Configure an HTTP Event Collector (HEC):
1. Create a new HEC with default settings, naming it something like "SNA Splunk."
2. Adjust global settings if needed, although you can likely leave these as default. SSL in Splunk Web is optional.
Access the Splunk Services collector page and copy the certificate.
In SNA, go to Central Management > Trust Store and add the certificate.
In Response Management, create a new webhook action to point to the HTTP Event Collector that you previously configured.
Attach the webhook action to the desired rule.

When configured, search the Splunk platform and validate that you receive the necessary alerts. A sample alert is shown below:

Sample alert validation

Define SPL to capture SNA alerts in correlation searches and detections

Cisco SNA generates hundreds of unique detections based on flow data it is analyzing in real time. These detections come in two different types of outputs: security alarms, and Converged Security Alerts. Combined, these outputs can generate hundreds or thousands of unique detections per day. For that reason, it is not practical to create "like for like" detections in Splunk Enterprise Security, as that would likely result in unnecessarily high SVC usage (leading to increased costs) and potential performance issues.

Instead, it is recommended to use a "one-to-many" approach, where you'll create one or two correlation searches to capture all Cisco SNA Converged Security Alerts to generate the applicable risk events for this type of output. Below are descriptions of security alarms and Converged Security Alerts in Cisco SNA. For the purposes of risk-based alerting, we are only going to focus on the Converged Security Alerts, as these already contain the necessary MITRE context to integrate seamlessly with RBA.

Converged Security Alerts

Security alarms

Converged Security Alerts are alerts that are created using a centralized data engine and threat detection engine to create relevant and reliable alerts. These alerts are based on context, and behavioral analytics, and are designed to be less noisy than the original SNA security alarms. The outputs of these alerts are typically more contextual than the legacy security alarms, and include MITRE context in addition to alert and asset information.

SNA security alarms, when triggered, indicate that a specific (narrowly defined) event has occurred. This can be something like a high volume of data being downloaded, lateral movement, or another typical security event. Typically a high volume of alarms due to the signature-based nature of these detections. SNA security alarms are considered legacy, and are largely being replaced by SNA converged analytics alerts. However, you likely have both enabled. SNA security alarms include some context, but do not include MITRE data.

While it's useful to understand how security alarms work, integrating SNA security alarms with Splunk Enterprise Security is not in scope for this article.

To detect and create risk events for SNA Converged Security Alerts, while capturing MITRE context, run the following search.

index=* sourcetype=httpevent alert_type=*
| eval orig_rule="Secure Network Analytics"+" - "+alert_type
| rename device_ips AS src alert_type AS signature mitre_technique_id AS annotations.mitre_attack
| stats count BY host src signature orig_rule alert_description alert_next_steps annotations.mitre_attack time_first_observed time_last_observed time_resolved

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

SPL	Description
`index=* sourcetype=httpevent alert_type=*`	Searches the index that holds SNA alerts, and filters down to converged security alerts. Edit `index=*` to search the index that holds your SNA alerts.
`\| eval orig_rule="Secure Network Analytics"+" - "+alert_type`	Creates a new field called `orig_rule` that is used later to apply and use the original alert description and signature in risk notables.
`\| rename device_ips AS src alert_type AS signature mitre_technique_id AS annotations.mitre_attack`	Renames the `mitre_technique_id` field as `annotations.mitre_attack` in order to conform with the automatic lookup that incorporates MITRE enrichment that ships with Splunk Enterprise Security.
`\| stats count BY host src signature orig_rule alert_description alert_next_steps annotations.mitre_attack time_first_observed time_last_observed time_resolved`	Formats for output.

Screenshot 2025-01-31 at 1.27.21 PM.png

Create risk events for all SNA Converged Security Alerts

To create risk events based on the search above, you'll need to embed risk attribution into SPL (allowing dynamic handling of multiple SNA alert types within a single correlation search) rather than using static risk annotations. Because you're building a one-to-many type of detection, and there are going to be several different SNA alerts and MITRE ATT&CK techniques that will need to be assigned at search time, this approach helps you avoid using the dropdown box in the correlation search editor. That box can only assign a static value that would apply to all of the unique signatures that are passed through SNA's converged security analytics.

In the Correlation Search settings, name your search, assign app context, create a description, and define the SPL.
Leave the Annotations section empty, as the MITRE technique will be added through the configured SPL.
Configure the time range, trigger conditions, and throttling as you normally would. If you are only sending these to the risk index, you will need to configure the risk analysis adaptive response action by using the alert_description variable as the risk message and assigning a standard risk score to apply to the risk object field (in this case, src). You can always configure custom risk factors to adjust risk based on the specifics of the SNA alert.

Update risk analysis data model

Update the risk analysis data model to include custom fields like orig_rule. Disable acceleration, add the auto-extracted field, and then re-enable acceleration for proper indexing. The screenshot below shows you what the data model should look like after you've added this field.

Risk Analysis Data Model update

Create notables for low likelihood/high impact SNA alerts (optional)

For specific low likelihood and high impact alerts, you can optionally configure notables using the standard method with notable adaptive response actions alongside risk analysis.

Notable event configuration

Customize out-of-the-box (OOTB) risk notables to account for SNA risk rules

There are two OOTB risk notables included with Splunk Enterprise Security:

ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 Days
Risk Threshold Exceeded for Object Over Previous 24 Hours.

You'll need to modify the SPL below to properly account for the SNA focused risk rules.

ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 Days

Make the changes in the correlation search editor for each of the following risk notables:

All text marked in blue is considered a customization.

SPL	Description
\| tstats `summariesonly` mode(All_Risk.risk_object) AS risk_object, sum(All_Risk.calculated_risk_score) AS risk_score, count(All_Risk.calculated_risk_score) AS risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) AS annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) AS mitre_technique_id_count, values(All_Risk.tag) AS tag, values(source) AS source, values(All_Risk.orig_rule) as orig_rule, dc(source) AS source_count, dc(orig_rule) as orig_rule_count, values(All_Risk.risk_object) AS all_risk_objects, values(All_Risk.cim_entity_zone) AS cim_entity_zone from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic_id=* BY All_Risk.normalized_risk_object,All_Risk.risk_object_type	Uses a generating command to query the risk analysis data model for risk rules and return all necessary fields. The two customizations, shown in blue, are: Return the values generated for the `orig_rule` field. This is the original signature generated in the SNA alert. Return a distinct count of `orig_rule` by `risk_object.`
\| `drop_dm_object_name("All_Risk")`	Applies formatting.
`\| eval source_count=source_count+orig_rule_count`	Changes the `source_count` value to include both `source_count` (as defined in the `tstats` generating command), and `orig_rule_count.`
`\| eval orig_source=coalesce(orig_rule,orig_source)`	Updates `orig_source` value to include the value of `orig_rule` if available.
`\| eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id'`	Standard - included in the out-of-the-box version of the search
`\| where mitre_tactic_id_count >= 3 and source_count >= 4`	Applies a standard threshold. Can be customized as necessary.

Risk Threshold Exceeded for Object Over Previous 24 Hours

SPL	Description
\| tstats `summariesonly` mode(All_Risk.risk_object) AS risk_object, sum(All_Risk.calculated_risk_score) AS risk_score, count(All_Risk.calculated_risk_score) AS risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) AS annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) AS mitre_technique_id_count, values(All_Risk.tag) AS tag, values(source) AS source, values(All_Risk.orig_rule) as orig_rule, dc(source) AS source_count, dc(All_Risk.orig_rule) as orig_rule_count, values(All_Risk.risk_object) AS all_risk_objects, values(All_Risk.cim_entity_zone) AS cim_entity_zone from datamodel=Risk.All_Risk BY All_Risk.normalized_risk_object,All_Risk.risk_object_type	Uses a generating command to query the risk analysis data model for risk rules and return all necessary fields. The two customizations, shown in blue, are: Return the values generated for the `orig_rule` field. This is the original signature generated in the SNA alert. Return a distinct count of `orig_rule` by `risk_object.`
\| `drop_dm_object_name("All_Risk")`	Applies formatting.
`\| eval source_count=source_count+orig_rule_count`	Changes the `source_count` value to include both `source_count` (as defined in the `tstats` generating command), and `orig_rule_count`.
`\| eval orig_source=coalesce(orig_rule,orig_source)`	Updates `orig_source` value to include the value of `orig_rule` if available.
`\| eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id', risk_threshold=100`	Standard - included in the out-of-the-box version of the search
`\| where risk_score > $risk_threshold$`	Applies a standard threshold. Can be customized as necessary.
\| `get_risk_severity(risk_score)`	Standard macro

Validate SNA alerts are represented in risk notables

Review the notable index and the Incident Review section of Splunk Enterprise Security. Ensure that the notables are being generated as expected, and the orig_source field includes the original alert description from the SNA alerts (where applicable).

Verify

Verify the following components to ensure the end-to-end set up has been completed correctly:

Risk rule(s) created to account for Cisco SNA converged security alerts.
Risk analysis data model updated to account for custom fields.
Risk notables customized to account for SNA focused risk rules.
Risk notables generating as expected.
Risk notables contain SNA alert descriptions/signatures in the orig_source field.

Additional resources

Splunk Professional Services can provide hands-on Cisco SNA guidance for you and your team. Click here to learn more about working with Professional Services.