Contextualize your data with threat intelligence information from Project Honey Pot

Greetings Splunk Ninjas,

this is my first blog post. I’m a Splunk EMEA specialist and work in the IT industry nearly 10 years. 7 of them with Software Vendors in the IT-Security space. I worked already with many large companies to improve their environments in many ways.

Some time ago I posted on Splunk Apps the IP Reputation App. I was inspired by the trend of various security vendors establishing reputation databases and including them in their products (next generation firewalls, AV’s etc). There is great value in having this information included in the Splunk platform to put machine data in context.

After two years on apps.splunk.com the app has had over 4,000 downloads so there is a lot of demand. The app performs lookups …

» Continue reading

Deploying Splunk Securely with Ansible Config Management – Part 2

automate all the things

In part one we covered generic deployment of Ansible with a static inventory list. This time, we are going to raise the complexity bar a bit and show you how you can use Ansible to deploy the Splunk environment with a dynamic inventory. Keep in mind that not only can you use this for Splunk, but for other deployable server types in your organization.

Dynamic Inventory

What is a dynamic Inventory and When do I use it?

Dynamic inventory, in our case, is when you have a list of servers and server types that are being destroyed and created very fast. A scenario where this might be needed would be in an auto scalable environment like AWS EC2 where you …

» Continue reading

Top 10 Splunk and Cisco Highlights in 2014

Over the past 7 years Cisco and Splunk have built a broad and multi-faceted relationship.

Internally Cisco IT, security, engineering and other teams use Splunk software every day for operational intelligence and security analytics. Cisco shared details at Splunk’s 2014 user conference in a session titled How Cisco IT Moved from Reactive to Proactive and Even Predictive with Splunk” and Cisco’s CSIRT team commented a blog post on Security Logging in an Enterprise … [W]e moved to Splunk from a traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases.”

Splunk & Cisco have partnered across security, networking, application management, IoT, Big Data and other areas to help our joint customers realize the same …

» Continue reading

Splunk App for Salesforce

Do you manage a Salesforce environment and would like to analyze who is accessing what? Would you like to find out who is exporting sensitive data? Would you like to detect any Salesforce related suspicious activities or any slow running reports, dashboards, SOQL queries?

If the answer to the above is yes, you should check out the Splunk App for Salesforce which has been recently released as a service on Splunk Cloud. This App relies on the Salesforce Event Log File that exposes Salesforce access logs. In addition to that, you can also leverage this app to collect and index any data from the standard Salesforce objects. In other words, you can use this app to index structured and unstructured salesforce data.
For …

» Continue reading

Preparing users for phishing attacks with Splunk

Why waste time and energy trying to crack passwords or hack through some obscure and complex vulnerability when there is a much easier way to breach a computer network?

Want a break in? Just ask for an invitation.

Phishing is probably the simplest way to get reliable, authentic access to a target network. By baiting users into visiting a website or downloading code, hackers can persuade them to hand over valuable access to vital data stored in even the most secure environments.

One Splunk customer in the healthcare industry found an ingenious way to fight back. Techniques they developed with Splunk have helped them harden their network against social engineering attacks and better protect patient data. The tactic has been …

» Continue reading

Mitigating the POODLE Attack in Splunk

By now you are probably tired of seeing poodle memes. Fear not! Instead, I will share mitigation techniques on how to protect Splunk against this attack and leave out the memes.

Let me preface the different techniques by adding some context to the exploitability of POODLE: This attack requires that an attacker have MITM (Man In The Middle) access to your communication between the client and Splunk. This is a important point to keep in mind when considering different mitigation techniques and their aggressiveness. I mention this because many of you do not have your Splunk deployment exposed to the internet architecturally, or require VPN access to your corporate network before a client can access Splunk. This reduces the risk …

» Continue reading

Look at all the pretty colors!

Well, it’s Sunday here in Las Vegas, and  .conf2014 is about to go down. I’m sitting in one of our Splunk University classes at the MGM, with many of our fine customers.

The class is our Power User Bootcamp, and we just finished talking about Splunk’s tagging, event types, and lookup functionalities. One of our more security-minded customers asked “hey – that ability to assign a color to event types in the Splunk search GUI is pretty cool – I’d like to use that to prioritize the events I’m looking at based on the risk profile assigned to a user. From a lookup. Can I do that?”

A second customer said “I like that idea.”

So, since this …

» Continue reading

Finding shellshock (CVE-2014-6271, 7169, 7186, 7187) with Splunk forwarders

UPDATE 9/24/14 (evening): I changed the script a little bit to include platform information in the output by using the uname command and bash version information in the output with –version. This should work on Linux and OSX.

UPDATE 9/25/14: The first script below is specific to find the original shellshock: CVE-2014-6271. The second shellshock vulnerability, CVE-2014-7169, requires a different test. See the script later in the post to cover this.

UPDATE 9/26/14: A whole bunch of useful comments have been added to this post. I have added information at the end of the post in response. I have further updated the scripts. Also, I should point out – if you are looking for information about how Splunk products are

» Continue reading

Dude! Did you see that YouTube video?

NOTE: Rather than read this post, you can come see this use case presented live at our upcoming Worldwide User Conference in Las Vegas. My colleague Andrew Gerber from Wipro will be reviewing this and a few other recent use cases we have worked on together.

For the past 14 years (yes, I am old) I have worked out of a home office. This means that during my workdays, I can freely receive YouTube cat video links from my high-school ex-girlfriends, grab some carrot sticks and hummus from the kitchen, and watch as many of them as I care to using my trusty copy of Internet Explorer 6. The reason I can do this? No pesky corporate web proxy monitoring …

» Continue reading

Use Splunk to detect and defeat fraud, theft, and abuse

In case you haven’t heard, an emerging and fast-growing use case for Splunk is using Splunk for anti-fraud, theft, and abuse (which I will just call “fraud”). Many Splunk customers across a wide range of industries Splunk their machine data and log files for a wide range of anti-fraud use cases, including fraud investigations, detection, and analytics/reporting. They also put the event data from other point anti-fraud tools into Splunk and use Splunk to: (1) break down the siloed nature of these point tools to present a more unified view on fraud, and (2) correlate fraud events with other data sources. Splunk’s flexibility enables it to be an anti-fraud solution and/or enhance existing fraud tools.

A few weeks ago, Splunk …

» Continue reading