bwiese + splunk   83

Splunk App for Windows Event Logs
The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed.

The XML dashboard is designed to report Windows events rendered from XML by using the renderXML stanza. The renderXML option reduces the volume of data to about 25% of the regular events; however, some details, such as the full description of the event, are no longer recorded. See Feature Overview: XML Event Logs for more details.
splunk  threathunting  audit  eventid  windows  cybersecurity 
yesterday by bwiese
Splunk + Cisco = Endpoint Monitoring With No Added Installs
Cisco AnyConnect Network Visibility Module, or Cisco NVM for short
When NVM is enabled, it gathers IPFIX data from all traffic-generating processes on the system—regardless of whether or not the system has an active path to the NVM collector. When it does have a connection to a trusted network, it sends some pretty cool process execution details into your Splunk instance: process names, process hash values, parent process information, source and destination addresses and ports, and several other key bits of data. (Data collected during offline status is cached and delivered upon connection.) It also regularly delivers endpoint inventory data into Splunk, so it can be used for asset tracking, too.

NVM that we used as a data source in our annual Boss of the SOC (BOTS) competition this year, which debuted at .conf18.
splunk  host  endpoint  analytics  sysmon  cisco  vpn  bots  soc  ueba 
15 days ago by bwiese
FIRST - Publications (2017)
APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon -
Active Directory : How To Change a Weak Point Into a Leverage for Security Monitoring
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Analytical Results of a Cyber Threat Intelligence Survey
cybersecurity  conference  first  apt  threathunting  dfir  splunk  cyberthreatintel 
15 days ago by bwiese
mhassan2 (Mohamad Hassan) · GitHub
Docker Splunk orchestration script (6,000+ lines) to create fully automated, pre-configured Splunk site-to-site clusters or stand-alone containers for your lab/training. Awesome tool for training and…
splunk  docker  github  script  orchestration 
11 weeks ago by bwiese
Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation? - Question | Splunk Answers
set search condition: status_group="New"

| `es_notable_events` | search timeDiff_type=current status_group="New" | stats sparkline(sum(count),30m) as sparkline,sum(count) as count by rule_name | sort 100 - count
september 2018 by bwiese
ThreatStream Matches As Notable Events in Splunk? Here's How...
The search looks like this:

| `ts_tstats_all` | `ts_lookup_details` | `ts_get_time_offset(_time, ts_date_last)` | where ts_confidence >= 80 AND Age < 31 AND (like(ts_itype, "apt%") OR like(ts_itype, "c2%") OR like(ts_itype, "mal%")) | eval orig_sourcetype=sourcetype
splunk  anomali  threatstream  threathunting  cyberthreatintel 
september 2018 by bwiese
Building Integrations for Splunk Enterprise Security | Splunk
Splunk ES - includes prepackaged dashboards, correlations, and incident response workflows to help security teams analyze and respond to their network, endpoint, access, malware, vulnerability, and identity information.

Use Frameworks: Notable Events, Asset & Identity, Threat Intelligence, Risk, Adaptive Response
splunk  cybersecurity  siem  threathunting 
september 2018 by bwiese
Why a SIEM Won't Solve All Your Problems: 5 Common SIEM Issues
5 Common SIEM Issues
Issue #1: A SIEM is only as good as the data you feed it
Issue #2: A SIEM requires use case implementation
Issue #3: More data does not mean better detection
Issue #4: Lack of context
Issue #5: Too much maintenance

A SIEM can be incredibly successful, but it requires all of the following:

Trained staff with knowledge in information security
Trained staff with knowledge of SIEM product (less important than above data point)
Ability to enrich data
Supports automation
Collects and uses data that matters
Applies use cases for detection purposes
siem  redcanary  cybersecurity  splunk  analytics  bestpractices 
august 2018 by bwiese
Splunk at Sandia National Labs
At Sandia National Labs, Vincent Urias, cybersecurity research strategist, supports both externally-focused organizations including the U.S. Departments of Defense and Homeland Security, as well as internally-focused cybersecurity research and development efforts. According to Urias, “We do a lot of test and evaluation. We also look at where the market is, what the gaps are, and try to fill those gaps with proofs of concept and R&D to understand where we need to invest energy, technology and people to mitigate threats or security issues in a broader fashion.”
sandia  splunk  cybersecurity  deception 
july 2018 by bwiese
fluent/fluentd - Docker Hub
Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.
splunk  docker  container  logs 
may 2018 by bwiese
Stream Real-Time Device Data into Splunk | Kepware
Tool for collecting IOT and ICS/SCADA data, traditionally to a Data Historian. Industrial Data Forwarder.
ics  scada  splunk  iot 
may 2018 by bwiese
Splunk Agrees to Acquire Phantom (Feb 2018, closed April 2018)
need from their data. I am very excited to reach this definitive agreement with Phantom and look forward to welcoming the team to Splunk.”

“Sourabh Satish and I founded Phantom to give SOC analysts a powerful advantage over their adversaries, a way to automatically and quickly resolve threats,” said Oliver Friedrichs, Founder and CEO, Phantom. “Combining SOAR with the industry’s leading big data platform is a revolutionary advance for security and IT teams and will further cut down the time it takes them to eliminate threats and keep the business running. We are thrilled to empower Splunk customers to solve these important challenges.”
splunk  phantom  siem  soar  cybersecurity  soc 
may 2018 by bwiese
Automatic Hunting for Malicious Files Crossing your Network - SANS Internet Storm Center
MISP[1] - the Malware Information Sharing Platform. I’m running a MISP instance to receive useful IOCs (Indicators of Compromise) from multiple peers. Common IOCs are IP addresses, domain names, filenames and hashes.
Bro[2] is an NSM (Network Security Monitoring) tool that acts like a Swiss Army knife on your network. The core feature that will be used here is the extraction of files from network flows. Bro is fully integrated into the SecurityOnion[3] distribution.
Splunk - as the orchestrator of the solution.
TheHive[4] - A scalable, open source and free Security Incident Response Platform
threathunting  cybersecurity  tools  bro  splunk  misp  cyberthreatintel 
april 2018 by bwiese
Hunting with Splunk: The Basics
List of several presentations and blog posts
splunk  threathunting  cybersecurity  blog  toread 
april 2018 by bwiese
Detecting the Adversary Post-Compromise with Threat Models and Behavioral Analytics (Sep 2016) - YouTube
Collecting and sharing behavioral knowledge with the cyber-defense community is the reason MITRE engineers developed the Cyber Analytics Repository, or CAR. It's a knowledge base of analytics to help cyber-defenders recognize suspicious actions occurring in their systems. CAR complements the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK) model, also developed by MITRE. ATT&CK is a framework for describing the actions that attackers take after they've gotten inside and compromised a network.
mitre  cybersecurity  threathunting  analytics  splunk 
march 2018 by bwiese
Modify Input Width - XML - Question | Splunk Answers
/* Widen the text input's wrapper in the dashboard XML's CSS */
.input-text {
    width: 150px !important;
}
/* Widen the actual input element */
input {
    width: 140px;
}
splunk  techsupport  xml 
february 2018 by bwiese
Using machine learning for anomaly detection research
anomaly - “is the identification of items, events or observations which do not conform to an expected pattern or other items in a dataset.” Need to baseline for expected pattern.

getting the right data, cleaning and transforming it so that it was sufficient for his goals was the most time consuming part in the process

categorical classification to detect data points that were labeled as anomalies if they crossed a threshold of relative change compared to the hour or day before. So, according to his goal, he defined conditions and engineered features that helped to model what’s normal and, in relation to that, what is an anomaly. In his case a RandomForestClassifier did the best job
splunk  machinelearning  randomforest 
february 2018 by bwiese
Adaptive Response Initiative | Security and Fraud | Solution Areas | Splunk
Q: Why Is Splunk Leading the Initiative?
A: To overcome the challenges associated with bridging multiple security domains, the Splunk Adaptive Response Initiative uses Splunk software as the security nerve center. Customers have successfully implemented Adaptive Response capabilities for many years, and Splunk technology and partnerships are foundational to accomplish the mission of the initiative.

Q: What Companies Are Part of the Initiative?
A: The Adaptive Response Initiative consists of leading security domain vendors: Acalvio, AlgoSec, Anomali, AWS, BAH, Blue Coat + Symantec, Carbon Black, Cisco, Corvil, CrowdStrike, CyberArk, Cylance, Demisto, DomainTools, ForeScout, Fortinet, Gigamon, Illumio, Okta, OpenDNS, Palo Alto Networks, Phantom, Proofpoint, Qualys, Recorded Future, RedSeal, Resilient, Resolve Systems, Sailpoint, Signal Sciences, Splunk, Swimlane, Tanium, ThreatConnect, Walkoff (NSA), and Ziften.
splunk  adaptiveresponse  orchestration  cybersecurity  incidentresponse 
february 2018 by bwiese
Splunk | Education Programs - Courses for Users
Notice: The following courses: Using Splunk, Searching and Reporting with Splunk, Creating Splunk Knowledge Objects, and Splunk Infrastructure Overview are now replaced with Splunk Fundamentals 1 and Splunk Fundamentals 2 (see new learning path below).
splunk  training  courses 
february 2018 by bwiese
Featured Videos | Splunk
Solutions - Customer - Events - How-To - Product - Apps - Security
splunk  videos  training  howto  cybersecurity 
february 2018 by bwiese
Do You Know Splunk?
2017 and archived 2016
April 4: Introduction to Splunk Enterprise
April 4: Introduction to Splunk Enterprise Security
April 5: Introduction to Splunk IT Troubleshooting
April 5: Introduction to Splunk IT Service Intelligence
April 6: Developing Splunk Apps
April 6: Splunk for Threat Hunting
May 9: Introduction to Splunk Enterprise
May 9: Splunk for Public Sector Compliance (Coming Soon!)
May 11: Introduction to Splunk Enterprise Security
May 11: Introduction to Splunk IT Service Intelligence
splunk  training  workshop 
february 2018 by bwiese
Splunk for Security Investigation: Command and Control Analysis - YouTube
netflow timestamp measurements for c2 detection, time gap interval correlation. looks for consistent period (15 sec), less than 50 sec intervals, and more than 500 count :-/ oh, and domain is china
netflow  splunk  cybersecurity  video  c2  proxy  threathunting  analytics 
february 2018 by bwiese
Splunkmon — Taking Sysmon to the Next Level
Sysmon can fill gaps in visibility into Windows processes and command line arguments
Sysmon can be leveraged to identify threat actor reconnaissance, lateral movement, credential harvesting, and data collection
Sysmon can identify network connections made by specific
Sysmon events can be forwarded to Splunk (or other SIEMs) for searching, alerting, and dashboard visualizations
whitepaper  splunk  sysmon  cybersecurity  pdf 
february 2018 by bwiese
Gartner Reprint - Splunk Magic Quadrant for SIEM
Security and risk management leaders are implementing and expanding SIEM to improve early targeted attack detection and response. Advanced users seek SIEM with advanced profiling, analytics and response features.
splunk  gartner  research  siem  cybersecurity 
february 2018 by bwiese
GitHub - Neo23x0/sigma: Generic Signature Format for SIEM Systems
Sigma is for log files what Snort is for network traffic and YARA is for files.

Parsing of Sigma rule files
Conversion of searches into Elasticsearch and Splunk queries
analytics  log  cybersecurity  splunk  elasticsearch  sigma 
january 2018 by bwiese
Defender Spotlight: David Bianco, Security Technologist, Sqrrl
I lead the Security Technologist group at a Cambridge, MA area startup called Sqrrl.  Our product, Sqrrl Enterprise, is an incident investigation and threat hunting solution that combines Big Data to consume and store all your logs, a graph database to help see how they all relate to each other, and automated and machine-assisted analytics to help discover and get to the bottom of security incidents much more quickly than you can with traditional investigation tools like SIEM or Splunk.
splunk  sqrrl  hunting  interview 
january 2018 by bwiese