Using Watchlists to Your Advantage
The Splunk App for Enterprise Security comes with correlation searches that generate notable events. The correlation search for Watchlisted Event Observed is a great template for generating notable events for specific watchlists. You can set up watchlist tags to generate notable events for specific security concerns, such as a missing laptop or suspicious domains.
The correlation search for Watchlisted Event Observed is:
tag=watchlist NOT sourcetype=stash | `get_event_id` | `map_notable_fields`
Make your operations security staff happy and use this correlation search as a template to create other correlation searches for specific watchlists. The notable events generated from these new watchlists carry more context as a result.
To do this, disable the Watchlisted Event Observed correlation search if you have it enabled (it’s …
Introducing: The Splunk App for Okta
I alluded to this last week in my post about Okta-ing Splunk: we’re now Splunking Okta! Today, the Splunk App for Okta went live on Splunk Apps and we’ve already gained value from looking at how our Splunkers are logging into apps.…
Splunk SSO using SAML through Okta
Protip: reading to the end will yield a sneak peek of a new, upcoming Splunk app!
Almost 10 months ago, Splunk chose Okta as its federated identity management and single sign-on (SSO) vendor. There were several benefits from this project including multifactor authentication (MFA) for our business applications and VPN, user experience enhancements by not requiring Splunkers to remember multiple passwords, and instant deprovisioning once an Active Directory account was terminated.
As part of our ongoing efforts to make Splunk’s instance of Splunk (affectionately dubbed “Splunk(x)”) more valuable to the business, we made the decision to provision multiple, purpose-built search heads. We have a search head that serves as a primary point-of-entry, a search head for our Enterprise …
“Best of SIEM” 2013 award from the readers of TechTarget
It’s a great time to be doing product marketing for security here at Splunk, especially because the security awards and accolades keep on coming. Just last week we won the “Best of SIEM” 2013 award from the readers of TechTarget’s Information Security magazine and SearchSecurity.com. These awards are especially meaningful because it is you, our customers, who vote on them. You use our software for a wide range of security use cases and get tremendous value out of it, and this is reflected in our Gold award. Thank you!
See the full award here. Some great snippets from the write-up include: “Splunk’s flagship SIEM system, a security tool for machine-generated big data, received top scores across the board.” … “Splunk indexes ASCII …
I sometimes get asked if Splunk can detect fraud. The answer is yes, but the question is broad and needs an understanding of the situation that needs to be detected before making a generalization. Fraud here means using deceptive techniques for gain, which for the most part may be illegal. The two textbook ways to detect fraud usually involve pattern matching or statistical anomalies (or a combination of both).
Let me describe a real-life fraud detector. A few years ago, I used to work for an enterprise software company that used Mantas (which has since been acquired by Oracle) as a partner to detect money laundering activity. The software would load financial systems data into a database and run algorithms …
Splunk in Healthcare
Healthcare is a prominent topic in the U.S. today. New and existing government regulations and legislation are onerous and forcing dramatic changes in Healthcare IT. These changes involve increasing use of technology in an effort to ultimately improve care and reduce cost. There are incentives associated with these programs to offset the costs of new technology, if implemented and used in meaningful ways to meet the goals. It essentially requires creating an infrastructure that provides the right information to the right person at the right time across the continuum of care.
These needs create a double-edged sword. Expanding technology complexity for effective data availability, both inside and outside of the organization, will introduce more points of vulnerability. This can lead …
Splunk + Hadoop = Security
Splunk recently announced the beta release of Hunk: Splunk Analytics for Hadoop. As a security practitioner, this new product has some exciting implications.
For some time, security practitioners have wanted to store large volumes of data in case it would ever be needed for incident response, (anti-)fraud investigations or other uses. In an ideal world, you’d have six months to a year’s worth of data stored for investigations; however, the realities of SAN costs only make it realistic to have maybe 30 days’ worth of data stored.
With the arrival of Hadoop several years ago, there was finally a cost effective option for storing large volumes of data on commodity hardware. The only issue is that Hadoop is primarily …
SplunkLive! DC: Helping Government Make Sense of Machine Data
There are a select number of U.S. cities dominated by certain industries that ultimately help to define those cities. Detroit for cars, Nashville for country music, Pittsburgh for the Steelers and Primanti Brothers – and Washington, DC for government.
Considering there isn’t a single organization or entity in the world with more data than the U.S. government, Washington, DC has been home to annual SplunkLive! events for the past five years. Yesterday, we hosted our largest yet with nearly 750 attendees.
Our Chairman and CEO Godfrey Sullivan kicked off the event with an overview of Splunk’s capabilities in private and public sectors, touching on key points like the importance of machine data for verifying accuracy and how continuous monitoring is imperative …
Splunk Named a Leader in Gartner Magic Quadrant for SIEM
Last week, Splunk was named a leader in Gartner’s Magic Quadrant for Security Information and Event Management (SIEM). For the MQ, Gartner evaluated Splunk® Enterprise and the Splunk App for Enterprise Security and also spoke to multiple Splunk customers as part of the process. To read the Gartner report, please register here.
We are very proud of this award, as it reflects the success that you, the security and compliance customers of Splunk, have had with our product. We are now up to over 2000 global security and compliance customers using Splunk for a wide range of use cases including incident investigations, forensics, reporting and dashboarding, real-time correlations and alerting, advanced threat detection, compliance reporting, fraud detection, and more.
The history …
Last year, I created an app template to detect whether your users went to a phishing web site; you supply the app with the sourcetype name of your proxy logs and the field holding the destination URL they went to. You can still download this Phishing app template from Splunkbase. In the same manner, I have created an app template called SQL Injection Search that you can download from Splunkbase.
Install the app and provide either of the two form search dashboards the name of your sourcetype representing your web logs (e.g., access_combined) and the name of the field in the sourcetype that represents the URI query string (e.g., uri_query). One form search uses patterns to detect if possible SQL …