Cisco Security Suite 3.0.2 now includes Cisco IronPort Email Security Appliance (ESA) Data

The Cisco Security Suite app continues to be updated for Splunk 6.x.  The latest addition is support for the Cisco IronPort Email Security Appliance (ESA).  A new add-on has been published that provides Common Information Model-compliant field extractions and tags for data from Cisco ESA.  So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)

Also, with each release, we incorporate more feedback about documentation.  So, in addition to documentation found within the Cisco Security Suite app itself, a subset of “getting started” documentation has been published under the Documentation tab on


Stay tuned, there …


Fix now available: Splunk and the Heartbleed vulnerability

Dear Splunk users,

This is an update to yesterday’s post on our handling of the OpenSSL Heartbleed vulnerability.  Thank you again for your patience and understanding as we spent the necessary time to prepare and test our fix for this important issue. As I mentioned yesterday, we are working hard to balance getting the fix out to you as quickly as possible while still spending sufficient time testing it to ensure a high quality delivery.

Take me to the fix!

As of now, Splunk Enterprise 6.0.3 is available for download. This includes universal forwarder builds.

This release contains two fixes for vulnerabilities in OpenSSL:

  • CVE-2014-0160 – OpenSSL 1.0.1 TLS Heartbeat leaks sensitive information (also known as the “Heartbleed”

Splunk and the Heartbleed SSL vulnerability

(Update: we’ve posted a fix for this issue, see

Dear Splunk users,

As you’re likely aware, a significant vulnerability in OpenSSL, which the security community is calling the “Heartbleed” vulnerability, was discovered and publicized earlier this week. This is not a bug in code that Splunk produced, but rather in a component of a package that is in common use throughout the software industry.

The purpose of this blog post is to inform you about what Splunk is doing to address this issue. For more detailed information about the vulnerability itself, refer to

Here’s what you need to know:

What versions of Splunk are affected?

  • Splunk Enterprise versions 6.0, 6.0.1, and 6.0.2 are affected. This includes

The 2014 CyberPatriot National Finals

This blog post was jointly written by Tolga Tohumcu and Bert Hayes… Tolga mentored the student teams before the competition, Bert was on-site at the competition to help out in person, and Enoch Long was working behind the scenes to build relationships with the folks running the competition.


The 2014 CyberPatriot National Finals took place recently at the Gaylord National Resort and Conference Center in National Harbor, Maryland, with all of the spectator appeal of a competitive archaeological dig.  Two shifts of high-school-aged students made up a total of twenty-eight different “Blue Teams” and tested their mettle by defending their networks from a pack of active, aggressive, and skilled attackers (the Red Team). The CyberPatriot program …


Cisco Security Suite 3.0.1 – Now with ISE

The Cisco Security Suite was recently updated to work with Splunk 6.  As mentioned in the previous release, one release is not enough to get all the Cisco security related information integrated into the suite.  With version 3.0.1 of the Cisco Security Suite, Cisco Identity Services Engine (ISE) has been added.  Over 20 ISE-related dashboards have been integrated into the suite.

Cisco with ISE

ISE is really powerful and adds a lot of additional data that can be correlated.  For instance, say you have an IP address from somewhere in your environment.  ISE can tell you which user is using that IP, what type of device the user is using, the posture of the device, and much more.  Therefore, in …


Splunk and The Top 10 CIO Priorities for State and Local Government

On November 5, 2013, the National Association of State Chief Information Officers (NASCIO) released a member service document representing the top 10 state CIO priorities for 2014. The list presents no surprises as state CIOs try to do more with less: extracting the most value out of every dollar, providing constituent services, protecting customer data, and preventing data breaches.  The list is almost a mirror image of the benefits our customers are seeing with Splunk. I won’t go through the whole list, but let’s look at the top three.

Security is the number one priority for state CIOs in 2014:

“Security: risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security


Using Watchlists to Your Advantage

The Splunk App for Enterprise Security comes with correlation searches that generate notable events. The correlation search for Watchlisted Event Observed is a great template for generating notable events for specific watchlists. You can set up watchlist tags to generate notable events from specific security concerns, such as a missing laptop or suspicious domains.

The correlation search for Watchlisted Event Observed is:

tag=watchlist NOT sourcetype=stash | `get_event_id` | `map_notable_fields`

Make your security operations staff happy and use this correlation search as a template to create other correlation searches for specific watchlists. Because each search is scoped to one watchlist, the notable events it generates carry more context.

To do this, disable the Watchlisted Event Observed correlation search if you have it enabled (it’s …


Introducing: The Splunk App for Okta

I alluded to this last week in my post about Okta-ing Splunk–we’re now Splunking Okta! Today, the Splunk App for Okta went live on Splunk Apps and we’ve already gained value from looking at how our Splunkers are logging into apps.…


Splunk SSO using SAML through Okta

Protip: reading to the end will yield a sneak peek of a new, upcoming Splunk app!

The Background

Almost 10 months ago, Splunk chose Okta as its federated identity management and single sign-on (SSO) vendor. There were several benefits from this project including multifactor authentication (MFA) for our business applications and VPN, user experience enhancements by not requiring Splunkers to remember multiple passwords, and instant deprovisioning once an Active Directory account was terminated.

As part of our ongoing efforts to make Splunk’s instance of Splunk (affectionately dubbed “Splunk(x)”) more valuable to the business, we made the decision to provision multiple, purpose-built search heads. We have a search head that serves as a primary point-of-entry, a search head for our Enterprise


“Best of SIEM” 2013 award from the readers of TechTarget

It’s a great time to be doing product marketing for security here at Splunk. Especially because the security awards and accolades keep on coming :) Just last week we won the “Best of SIEM” 2013 award from the readers of TechTarget’s Information Security magazine and These awards are especially meaningful because it is you, our customers, who vote on them. You use our software for a wide range of security use cases, get tremendous value out of it, and this is reflected in our Gold award. Thank you!

See the full award here. Some great snippets from the write-up include: “Splunk’s flagship SIEM system, a security tool for machine-generated big data, received top scores across the board.” … “Splunk indexes ASCII …
