Creating McAfee ePO Alert and ARF Actions with Add-On Builder

One of the best things about Splunk is the passionate user community. As a group, the community writes amazing Splunk searches, crafts beautiful dashboards, answers thousands of questions, and shares apps and add-ons with the world.

Building high quality add-ons is perhaps one of the more daunting ways to contribute. Since the recently-updated Splunk Add-On Builder 2.0 was released, however, it’s never been easier to build, test, validate and package add-ons for sharing on SplunkBase.

Technical Add-Ons, aka TAs, are specialized Splunk apps that make it easy for Splunk to ingest data, extract and calculate field values, and normalize field names against the Common Information Model (CIM). Since the release of version 6.3, Splunk Enterprise also supports TAs for …

» Continue reading

Monitoring Vulnerability Deltas

A customer of mine runs daily vulnerability scans using a myriad of tools across servers and applications in their data center. As you would expect, they can use the native reporting capabilities of the various tools to review a given set of scan results, but if you’ve done this sort of thing before then you understand the issues associated with trying to get any real understanding by looking at disparate, clunky reporting tools, each in their own silo.

Ingesting vulnerability data into Splunk offers tons of powerful abilities while breaking down any sort of silos that could be a hindrance to correlation and true security analytics. In fact, our Common Information Model includes a Vulnerabilities model that can help normalize …

» Continue reading

Using Splunk Alerts to Set McAfee ePO System Tags

McAfee ePolicy Orchestrator (henceforth, “ePO”) is a tool used by many organizations to manage McAfee (now Intel Security) endpoint security products on their servers and endpoints. If you use ePO, you know how useful ePO system tags can be. For example, you can automatically or manually tag a system in ePO with a “pci” tag and have different anti-virus policies and actions applied to it versus systems lacking that tag.

There are many cases in which a security team using Splunk to discover issues with a server or endpoint would get a lot of value from having a Splunk search automatically apply a tag to a particular system in ePO. For example, imagine a Splunk search through IPS logs or …

» Continue reading

Using Alerts to Send Data to Amazon S3

A customer recently asked me to prove a concept where Splunk could see a certain type of incoming event and then pass information from that event into their Amazon S3 storage. I knew that Splunk could create alerts for event conditions and then fire off a script when the alert triggers, but I had never made it work with Amazon S3.

I decided to implement this using Amazon’s Boto library for Python. There’s lots of good documentation on this library here, but the short of it is that it enables you to send data to a bucket on Amazon S3 programmatically through a Python script. As you may know, Splunk comes with its own Python implementation can easily run …

» Continue reading

Battling APTs with the Kill Chain Method

Recently I had the privilege of presenting to a monthly meeting of the Raleigh, NC chapter of the ISSA. My presentation focused on educating the audience of security professionals on advanced persistent threats (APTs) and how they can use the kill chain method to battle them. I’d like to share some of the key points and highlights here in an effort to help readers better defend themselves against motivated attackers.

There are 3 main points about APTs that must be established before we dive into the kill chain method itself, namely:

1)    Unlike automated, technology-driven attacks of years past, APTs are driven by a combination of people, processes, and technology. APTs are therefore goal-oriented (financial, political, etc.), human-directed, coordinated, …

» Continue reading