Almost anyone who has spent time around SIEM and security operations have seen a security event management funnel. I started building these in ArcSight in 2008 and 2009 for my ArcSight customers. I would have 10 to 12 scheduled reports in ArcSight that would output .csvs and then combine those into a master workbook with a bunch of formulas then would have to copy and paste into a PowerPoint or wiki. The original funnel looked like this:
Fast forward to 2019. This task can be automated using the JASK platform and its APIs. Gone are the need for complex formulas and manually updating numbers. Simply open the Google slide every thirty days and metrics are auto-generated. This can be done in one easy solution using Google Sheets, as described below.
1) Download https://github.com/bradjasper/ImportJSON/blob/master/ImportJSON.gs and install it as a script in Google Sheets.
2) Get API KEY from the JASK Portal
3) Insert the following into a cell in Google Sheets to get the number of records.
4) Insert the following into a cell in Google Sheets to get number of signals.
5) Insert the following into a cell in Google Sheets to get the number of insights.
6) My Google Sheet now looks like this:
7) Create a new Google slide. Create a reverse pyramid smart graphic. I had to copy and paste one from Powerpoint.
8) Select and copy the data you need. Is your report usually weekly or monthly? In this case, I selected monthly.
9) Finished Automated Security Event Funnel. Simply open the slide every month and click update. The metrics are automatically updated!
One thing that stands out between the funnels is that in the old funnel, there were almost 5,000,000 correlations, yet only 10,448 were triaged/investigated. That means a large amount of filtering is done to look at events of interest. With JASK and the Adaptive Signal Clustering Engine, it continuously evaluates signals/correlations as they relate to an entity – there is no filtering, so all 319,300 signals are evaluated.
This is just the beginning. In future blog posts, we will discuss other workflow related metrics to pull out of the API. JASK has a very well documented and easy to use API which can be found on Github.
Steven Dietz is technical director of field operations at JASK. With over 18 years of information security experience ranging from being an analyst to building world-class security operations, he demonstrates to potential customers how and why to use JASK products.