Class 7 Lab 4 ‐ Creating a Playbook - Justin-Boyd/CIT-Class GitHub Wiki

Task 1: Locate a Suspicious IP

Step 1

Step 2

  • Scroll down and select an IP address from the Recently Reported IPs list.
  • Note: The list of IPs changes frequently and may look different from the screenshot below.
  • The demonstration uses 124.65.181.218.

Step 3

  • Click Activities, search for the terminal and open it.

Step 4

  • Ping the selected IP address from your Ubuntu machine, and press Ctrl + C to stop it.
  • Note: This sends real traffic to a host that has been reported as malicious. Run it only from the lab's Ubuntu VM, never from a personal or production machine.

Task 2: Forward Logs

Step 1

  • Open a new tab in the browser and browse to 10.0.0.1. Log in with username admin and password Aa123456!.

Step 2

  • Click Services and select Snort.

Step 3

  • Navigate to Alerts and note the alert about the ping to the malicious IP address.
  • Note: The rule that captures the IP address was created in CIT-05-L2.

Step 4

  • Click Status and select System Logs.

Step 5

  • Navigate to Settings.

Step 6

  • Scroll down to Remote Logging Options and make sure the box that says Send log messages to remote syslog server is selected.

Step 7

  • Add another remote log server by typing 10.0.0.3:25514, select Everything, and click Save.
  • Note: This is the address and port of the machine running Splunk. The port must match the UDP input you create in Task 4; if it does not, pfSense will send logs but Splunk will never receive them.

Task 3: Install Splunk TA

Step 1

  • Click the folder icon in the menu on the left to open the file explorer, and navigate to the Downloads directory.

Step 2

  • Drag and drop the Splunk TA & App for pfSense by A3Sec file into the Downloads folder.

Step 3

  • Use the command sudo /opt/splunk/bin/splunk start

Step 4

  • Browse to 127.0.0.1:8000, and log in with username admin and password Aa123456.

Step 5

  • Click the cog icon next to Apps.

Step 6

  • Click Install app from file.

Step 7

  • Click Browse.

Step 8

  • Select the file ta-and-app-for-pfsense-by-a3sec_01 and click Open.

Step 9

  • Click Upload.

Task 4: Accept Logs from pfSense

Step 1

  • Click the Splunk icon.

Step 2

  • Note the newly added App, and click Splunk TA & App for pfSense by A3Sec.

Step 3

  • Click Settings and then Indexes.

Step 4

  • Click New Index.

Step 5

  • Name the index gw_pfsense, and click Save.

Step 6

  • Click Settings and select Add Data.

Step 7

  • Scroll down and click Monitor.

Step 8

  • Select TCP/UDP on the left, select UDP on the right, and enter port 25514. Then click Next to continue.

Step 9

  • Click Select Source Type, type pfSense in the search box, and select pfSense_syslog.

Step 10

  • Scroll down and select the gw_pfsense index, and click Review.

Step 11

  • Click Submit.

Task 5: Create a Cortex XSOAR (Demisto) Incident

Step 1

  • Ping the recently reported IP address you chose in Task 1 from your Ubuntu machine. Press Ctrl + C to stop it.

Step 2

  • Click Apps and then Splunk TA & App for pfSense by A3Sec.

Step 3

  • Click Search.

Step 4

  • In the search bar, type index="gw_pfsense" AND {ICMP} and click the search icon.

Step 5

  • Click the arrow icon in a log that contains the malicious IP as the source.

Step 6

  • Click Event Actions and then Extract Fields.

Step 7

  • Select Regular Expression and click Next.

Step 8

  • Highlight the date and time, name the field timestamp, and click Add Extraction.

Step 9

  • Highlight the sid, name it sid, and click Add Extraction.

Step 10

  • Highlight the protocol description, name it description, and click Add Extraction.

Step 11

  • Highlight the ICMP protocol, name it protocol, and click Add Extraction.

Step 12

  • Highlight the source IP address, name it src_ip, and click Add Extraction.

Step 13

  • Highlight the destination IP address, name it dst_ip, and click Add Extraction.

Step 14

  • Click Next.

Step 15

  • Click Finish.

Step 16

  • Go back to the search and refine it using the newly extracted fields:
index="gw_pfsense" AND protocol="{ICMP}" src_ip="<the ip of the malicious site>"

Step 17

  • Click Save As and then Alert.

Step 18

  • Configure the alert as follows:
    • Title: Suspicious_ping
    • Alert type: Real-time
    • Click Add Actions, and add Add to Triggered Alerts and Create Demisto Incident.

Step 19

  • Update the Cortex XSOAR (Demisto) incident section as follows:
    • Name: "Suspicious ping to host $result.host$"
    • Demisto server: Ubuntu's IP address
    • Click Save.

Step 20

  • Click Continue Editing.

Step 21

  • In the terminal, run ping -c 2 <the IP you chose> to generate the incident in Cortex XSOAR (Demisto).

Task 7: Inspect the Cortex XSOAR (Demisto) Incident

Step 1

  • In a new tab, browse to https://127.0.0.1 and log in with username admin and password Aa123456.

Step 2

  • Note that two incidents are displayed on the main page.

Step 3

  • Hover over the left menu and click Incidents.

Step 4

  • Click the new incident's ID.

Step 5

  • Click War Room, scroll up and note the information from Splunk. Note the incident number and write it down for use later on in this lab.

Task 8: VirusTotal Playbook

Step 1

Step 2

  • Fill in your information for the account, and click Join us.

Step 3

  • A page appears confirming the sign-up and stating that a verification email was sent for account activation.

Step 4

  • Browse to your email box and activate the VirusTotal account by clicking the activation link.

Step 5

  • Click Sign in.

Step 6

  • Enter the email address and password, and click Sign in.

Step 7

  • Click your profile, and then click API key.

Step 8

  • Copy the API key.

Step 9

  • In Cortex XSOAR (Demisto), hover over the left menu and click Settings.

Step 10

  • Search for VirusTotal in the search field and click Add instance for VirusTotal.

Step 11

  • Paste the API key, scroll down, change IP threshold to 1, and click Done.

Step 12

  • Hover over the left menu and click Playbooks.

Step 13

  • Click New Playbook.

Step 14

  • Name the playbook IP Summary.

Step 15

  • In the task library, search for virustotal and click the + sign.

Step 16

  • Scroll down, locate the ip box, and click Add.

Step 17

  • Name it Check IP reputation on VirusTotal, and click {} in the IP text field.

Step 18

  • Click Filters And Transformers.

Step 19

  • In the first text field, type incident.labels.src_ip and click OK.

Step 20

  • Click OK.

Step 21

  • Connect the boxes.

Step 22

  • Save the playbook by clicking the floppy disk icon in the top right corner.

Step 23

  • Click the Cortex XSOAR (Demisto) icon and go to incidents.

Step 24

  • Type the incident number you noted in Task 7, Step 5 into the search box in the upper-left corner of the screen, and press Enter to search for that incident.

Step 25

  • Click “Go To” on the incident box with the correct ID number.

Step 26

  • Click on Work Plan.

Step 27

  • Open the drop-down that shows Default and type the playbook name IP Summary.

Step 28

  • There will be a popup displayed; click Yes I know what I am doing.

Step 29

  • Here you will see the playbook run.

Step 30

  • Click on the box labeled “Check IP Reputation on VirusTotal” to see the results of the IP reputation scan.