bwiese + splunk   70

mhassan2 (Mohamad Hassan) · GitHub
splunk-n-box
Docker Splunk Orchestration script (6,000+ lines) to create fully automated pre-configured splunk site-2-site clusters or stand alone containers for your lab/training. Awesome tool for training and…
splunk  docker  github  script  orchestration 
20 days ago by bwiese
Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation? - Question | Splunk Answers
set search condition: status_group="New"

| `es_notable_events` | search timeDiff_type=current status_group="New" | stats sparkline(sum(count),30m) as sparkline,sum(count) as count by rule_name | sort 100 - count
splunk 
6 weeks ago by bwiese
ThreatStream Matches As Notable Events in Splunk? Here's How...
The search looks like this:

| `ts_tstats_all` | `ts_lookup_details` | `ts_get_time_offset(_time, ts_date_last)` | where ts_confidence >= 80 AND Age < 31 AND (like(ts_itype, "apt%") OR like(ts_itype, "c2%") OR like(ts_itype, "mal%")) | eval orig_sourcetype=sourcetype
splunk  anomali  threatstream  threathunting  cyberthreatintel 
6 weeks ago by bwiese
Building Integrations for Splunk Enterprise Security | Splunk
Splunk ES - includes prepackaged dashboards, correlations, and incident response workflows to help security teams analyze and respond to their network, endpoint, access, malware, vulnerability, and identity information.

Use Frameworks: Notable Events, Asset & Identity, Threat Intelligence, Risk, Adaptive Response
splunk  cybersecurity  siem  threathunting 
6 weeks ago by bwiese
Why a SIEM Won't Solve All Your Problems: 5 Common SIEM Issues
5 Common SIEM Issues
Issue #1: A SIEM is only as good as the data you feed it
Issue #2: A SIEM requires use case implementation
Issue #3: More data does not mean better detection
Issue #4: Lack of context
Issue #5: Too much maintenance


A SIEM can be incredibly successful, but it requires all of the following:

Trained staff with knowledge in information security
Trained staff with knowledge of SIEM product (less important than above data point)
Ability to enrich data
Supports automation
Collects and uses data that matters
Applies use cases for detection purposes
siem  redcanary  cybersecurity  splunk  analytics  bestpractices 
8 weeks ago by bwiese
Splunk at Sandia National Labs
At Sandia National Labs, Vincent Urias, cybersecurity research strategist, supports both externally-focused organizations including the U.S. Departments of Defense and Homeland Security, as well as internally-focused cybersecurity research and development efforts. According to Urias, “We do a lot of test and evaluation. We also look at where the market is, what the gaps are, and try to fill those gaps with proofs of concept and R&D to understand where we need to invest energy, technology and people to mitigate threats or security issues in a broader fashion.”
sandia  splunk  cybersecurity  deception 
july 2018 by bwiese
fluent/fluentd - Docker Hub
Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.
splunk  docker  container  logs 
may 2018 by bwiese
Stream Real-Time Device Data into Splunk | Kepware
Tool for collecting IoT and ICS/SCADA data, traditionally sent to a data historian. Industrial Data Forwarder.
ics  scada  splunk  iot 
may 2018 by bwiese
Splunk Agrees to Acquire Phantom (Feb 2018, closed April 2018)
need from their data. I am very excited to reach this definitive agreement with Phantom and look forward to welcoming the team to Splunk.”

“Sourabh Satish and I founded Phantom to give SOC analysts a powerful advantage over their adversaries, a way to automatically and quickly resolve threats,” said Oliver Friedrichs, Founder and CEO, Phantom. “Combining SOAR with the industry’s leading big data platform is a revolutionary advance for security and IT teams and will further cut down the time it takes them to eliminate threats and keep the business running. We are thrilled to empower Splunk customers to solve these important challenges.”
splunk  phantom  siem  soar  cybersecurity  soc 
may 2018 by bwiese
Automatic Hunting for Malicious Files Crossing your Network - SANS Internet Storm Center
MISP[1] - the Malware Information Sharing Platform. I’m running a MISP instance to receive useful IOCs (Indicators of Compromise) from multiple peers. Common IOCs are IP addresses, domain names, filenames and hashes.
Bro[2] is an NSM (Network Security Monitoring) tool that acts like a Swiss Army knife on your network. The core feature that will be used here is the extraction of files from network flows. Bro is fully integrated into the SecurityOnion[3] distribution.
Splunk - as the orchestrator of the solution.
TheHive[4] - A scalable, open source and free Security Incident Response Platform
threathunting  cybersecurity  tools  bro  splunk  misp  cyberthreatintel 
april 2018 by bwiese
Hunting with Splunk: The Basics
List of several presentations and blog posts
splunk  threathunting  cybersecurity  blog  toread 
april 2018 by bwiese
Detecting the Adversary Post-Compromise with Threat Models and Behavioral Analytics (Sep 2016) - YouTube
Collecting and sharing behavioral knowledge with the cyber-defense community is the reason MITRE engineers developed the Cyber Analytics Repository, or CAR. It's a knowledge base of analytics to help cyber-defenders recognize suspicious actions occurring in their systems. CAR complements the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK) model, also developed by MITRE. ATT&CK is a framework for describing the actions that attackers take after they've gotten inside and compromised a network.
mitre  cybersecurity  threathunting  analytics  splunk 
march 2018 by bwiese
Modify Input Width - XML - Question | Splunk Answers
/* Widen the Splunk dashboard text input; !important overrides the app's own stylesheet */
.input-text {
  width: 150px !important;
}
/* Fallback width for the plain input element itself */
input {
  width: 140px;
}
splunk  techsupport  xml 
february 2018 by bwiese
Using machine learning for anomaly detection research
anomaly - “is the identification of items, events or observations which do not conform to an expected pattern or other items in a dataset.” Need to baseline for expected pattern.

Getting the right data, cleaning and transforming it so that it was sufficient for his goals was the most time consuming part of the process.

Categorical classification to detect data points that were labeled as anomalies if they crossed a threshold of relative change compared to the hour or day before. So according to his goal he defined conditions and engineered features that helped to model what’s normal and, in relation to that, what is an anomaly. In his case a RandomForestClassifier did the best jo
splunk  machinelearning  randomforest 
february 2018 by bwiese
Adaptive Response Initiative | Security and Fraud | Solution Areas | Splunk
Q: Why Is Splunk Leading the Initiative?
A: To overcome the challenges associated with bridging multiple security domains, the Splunk Adaptive Response Initiative uses Splunk software as the security nerve center. Customers have successfully implemented Adaptive Response capabilities for many years, and Splunk technology and partnerships are foundational to accomplish the mission of the initiative.

Q: What Companies Are Part of the Initiative?
A: The Adaptive Response Initiative consists of leading security domain vendors: Acalvio, AlgoSec, Anomali, AWS, BAH, Blue Coat + Symantec, Carbon Black, Cisco, Corvil, CrowdStrike, CyberArk, Cylance, Demisto, DomainTools, ForeScout, Fortinet, Gigamon, Illumio, Okta, OpenDNS, Palo Alto Networks, Phantom, Proofpoint, Qualys, Recorded Future, RedSeal, Resilient, Resolve Systems, Sailpoint, Signal Sciences, Splunk, Swimlane, Tanium, ThreatConnect, Walkoff (NSA), and Ziften.
splunk  adaptiveresponse  orchestration  cybersecurity  incidentresponse 
february 2018 by bwiese
Splunk | Education Programs - Courses for Users
Notice: The following courses: Using Splunk, Searching and Reporting with Splunk, Creating Splunk Knowledge Objects, and Splunk Infrastructure Overview are now replaced with Splunk Fundamentals 1 and Splunk Fundamentals 2 (see new learning path below).
splunk  training  courses 
february 2018 by bwiese
Featured Videos | Splunk
Solutions - Customer - Events - How-To - Product - Apps - Security
splunk  videos  training  howto  cybersecurity 
february 2018 by bwiese
Do You Know Splunk?
2017 and archived 2016
April 4: Introduction to Splunk Enterprise
April 4: Introduction to Splunk Enterprise Security
April 5: Introduction to Splunk IT Troubleshooting
April 5: Introduction to Splunk IT Service Intelligence
April 6: Developing Splunk Apps
April 6: Splunk for Threat Hunting
May 9: Introduction to Splunk Enterprise
May 9: Splunk for Public Sector Compliance (Coming Soon!)
May 11: Introduction to Splunk Enterprise Security
May 11: Introduction to Splunk IT Service Intelligence
splunk  training  workshop 
february 2018 by bwiese
Splunk for Security Investigation: Command and Control Analysis - YouTube
NetFlow timestamp measurements for C2 detection (time-gap interval correlation). Looks for a consistent period (15 sec), intervals under 50 sec, and a count above 500 :-/ oh, and the domain is in China.
netflow  splunk  cybersecurity  video  c2  proxy  threathunting  analytics 
february 2018 by bwiese
Splunkmon — Taking Sysmon to the Next Level
Sysmon can fill gaps in visibility into Windows processes and command line arguments
Sysmon can be leveraged to identify threat actor reconnaissance, lateral movement, credential harvesting, and data collection
Sysmon can identify network connections made by specific processes
Sysmon events can be forwarded to Splunk (or other SIEMs) for searching, alerting, and dashboard visualizations
whitepaper  splunk  sysmon  cybersecurity  pdf 
february 2018 by bwiese
Gartner Reprint - Splunk Magic Quadrant for SIEM
Security and risk management leaders are implementing and expanding SIEM to improve early targeted attack detection and response. Advanced users seek SIEM with advanced profiling, analytics and response features.
splunk  gartner  research  siem  cybersecurity 
february 2018 by bwiese
GitHub - Neo23x0/sigma: Generic Signature Format for SIEM Systems
Sigma is for log files what Snort is for network traffic and YARA is for files.

Parsing of Sigma rule files
Conversion of searches into Elasticsearch and Splunk queries
analytics  log  cybersecurity  splunk  elasticsearch  sigma 
january 2018 by bwiese
Defender Spotlight: David Bianco, Security Technologist, Sqrrl
I lead the Security Technologist group at a Cambridge, MA area startup called Sqrrl.  Our product, Sqrrl Enterprise, is an incident investigation and threat hunting solution that combines Big Data to consume and store all your logs, a graph database to help see how they all relate to each other, and automated and machine-assisted analytics to help discover and get to the bottom of security incidents much more quickly than you can with traditional investigation tools like SIEM or Splunk.
splunk  sqrrl  hunting  interview 
january 2018 by bwiese