Splunk Add-on > Where’s That Command – Converting a Field’s Hexadecimal Value to Binary

When looking through Splunk’s Search Reference Manual, there are a ton of search commands with their syntax, descriptions, and examples.  After all, if Splunk is the platform for machine data, there needs to be an extensive list of commands, functions, and references that guide Splunkers through the Search Processing Language (SPL).  But one would think that we had everything covered, right?  Well, almost….

I have a couple of great customers from the Houston, Texas area to thank for this.  Gabe and Andrew (you know who you are) are not only strong Splunkers, but frequent the Splunk Houston User Group (SHUG) meetings and are always looking for ways to expand their use of Splunk as well …

» Continue reading

Splunk Selected as Jabil’s Global Security Nerve Center

Jabil_50We know how important the ability to quickly detect, investigate and respond to security threats is in protecting the organization from cyberattacks. We also know that investing in security solutions is a careful and meticulous process. This is why we’re honored that global manufacturing services company, Jabil Circuit, Inc., has selected Splunk Enterprise Security (ES) as its global security nerve center and expanded its use of Splunk Enterprise for IT Operations across its global infrastructure.

With more than 100 facilities in 28 countries – and more than 180,000 employees, Jabil has been using Splunk Enterprise for a number of years to monitor the health of those global networks. Adopting Splunk ES as the security nerve center at Jabil was …

» Continue reading

SSO without an Active Directory or LDAP provider


(Hi all–welcome to the latest installment in the series of technical blog posts from members of the SplunkTrust, our Community MVP program. We’re very proud to have such a fantastic group of community MVPs, and are excited to see what you’ll do with what you learn from them over the coming months and years.
–rachel perkins, Sr. Director, Splunk Community)

Hello everyone!

I am Michael Uschmann, one of the members of the SplunkTrust.

Lately I was annoyed by the fact that I had to enter my login on my Splunk DEV VM after a meeting or break. So, I thought ‘Why not setup SSO on this Splunk instance so I don’t have to enter my password again?’ But there was this …

» Continue reading

Introducing Splunk Security Use-Cases

Screen Shot 2016-02-03 at 9.13.33 AMOne of the top challenges faced by Splunk customers and Security practitioners is to keep up with the increase in new cyber attacks while investigating and remediating existing threats. Time is of essence while investigating potential threats and determining the scope and root-cause of a potential reach. Shortage of resources and experienced personnel continues to limit the ability to conduct thorough investigations.

To mitigate this persistent problem, Splunk recently introduced new security use case descriptions. These use case descriptions are ready-to-use examples of how to use Splunk security solutions to quickly identify the scope of attacks, determine mitigation options and take remedial activity.

These use case descriptions solve ambiguous as well as known security problems using actionable examples. They …

» Continue reading

Top Technical Questions on Splunk UBA

With the acquisition of Caspida (now Splunk UBA) in July of 2015, we have been talking to many customers regarding user and entity behavioral analytics. Our customers have been asking questions about how this type of threat detection product works, and in this blog, I’m going to discuss some of the most common questions, along with answers and/or explanations from a security researcher and practitioner’s viewpoint.


What makes Splunk UBA unique compared to detection technologies?

Splunk UBA uses an unsupervised machine-learning based approach to determine whether events generated from multiple data sources are anomalies and/or threats. This is a turnkey approach that does not require customers to train the models, and does not require administrators to develop signatures in …

» Continue reading

Rapid Response and Discovery (RRD) – Stop chasing alerts and start raising the cost for the adversary

In this discussion we will learn why RRD is an absolute necessity. We will establish the core capabilities required for RRD. Then we will walk through how ES 4.0 delivers on the capabilities for RRD. Finally, we’ll show how we can extend RRD and add our own flavor using the existing capability in Splunk Enterprise and ES 4.0.

State of Affairs for Cyber Operations

Cyber operations teams receive far more alerts than they can handle. Once they receive an alert, analysts spend a lot of time manually connecting the dots. As a result, alerts drive the cyber posture for an organization. And cyber operations teams are stuck in a never-ending loop of chasing individual incidents. As a result, operations teams …

» Continue reading

Splunk Integrations with Cisco Security Expand with new AnyConnect NVM App

Together, Splunk and Cisco have collaborated to deliver out-of-the-box visibility for more than dozen security products and platforms including multiple Cisco firewalls, Identity Services Engine (ISE), pxGrid, Sourcefire IDS, Advanced Malware Protection, IPS, and various email and web security offerings.

Cisco has just released a new app for Splunk that focuses on user and endpoint usage data by Cisco AnyConnect. Cisco AnyConnect Network Visibility Module (NVM) enables organizations to monitor users on the network while providing additional contextual information such as users, applications, devices, locations and destinations. This rich data can be used by networking, application and security teams to support application capacity planning, troubleshooting, and advanced threat detection.

Cisco-AnyConnect-NVM-App-Home-MedThe Cisco AnyConnect Network Visibility (NVM) App for Splunk streamlines the collection and reporting …

» Continue reading

Splunk at the Wall for DEF CON 23 – Part II

­­­­Splunk at the Wall for DEF CON 23 – Part II

Hello again. Since the initial post, we’ve released the app developed for the Wall of Sheep. I’m going to go over the functionality here.

To review, the WoS app is meant to be a proof of concept that shows the type of data that traverses the wire, in the clear. Some of the data is innocuous, but we try to highlight the data that could be used by adversaries targeting your data. In fact, you may not even know that you have software using insecure protocols, so it pays to dig in and find out.

Before we go through the various dashboards, I want to comment on …

» Continue reading

Security Forecast for 2016

1215-f-predictions-cover_8805752016 is off to a cracking start with security news – tech announcements, nation state threats, new challenges and new opportunities. Lots of people have made predictions on what we can expect in the next 12 months?

haiyansong_892575Our Vice President of Security Markets, Haiyan Song, takes a different approach for these predictions in SC Magazine. She focuses on action, results, and preparedness. Haiyan notes that as we enter the new year, both government and industry will need to demonstrate how they learned from last year’s cyber mistakes. According to Haiyan, now is the time for the private and public sectors to reexamine cybersecurity strategy, invest in the right technology, bring focus back to people and put new ideas into action. Haiyan encourages the community to evolve our way out of 2015 – the year of the breach – and begin to pivot towards …

» Continue reading

Discover and Monitor Juniper Vulnerability CVE-2015-7755 Exploits with Splunk

Hello Security Ninjas,

The recent Juniper firewall vulnerability (CVE-2015-7755) is another version of what has been coined as a “high-impact vulnerability”. Such vulnerabilities are characterized as having a wide distribution and high risk of exploitation. Previous examples include Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271). This vulnerability is a little different as it affects a commercial product and more specifically a network security device, putting many enterprise organizations at substantial risk. Kenneth Westin, Specialist in our security division, made a review of the latest Juniper OS Vulnerability:

According to Juniper the ScreenOs vulnerability (CVE-2015-7755) allows unauthorized remote administrative access to the firewall, which if exploited can lead to complete compromise of the affected …

» Continue reading