Creating McAfee ePO Alert and ARF Actions with Add-On Builder

One of the best things about Splunk is the passionate user community. As a group, the community writes amazing Splunk searches, crafts beautiful dashboards, answers thousands of questions, and shares apps and add-ons with the world.

Building high quality add-ons is perhaps one of the more daunting ways to contribute. Since the recently-updated Splunk Add-On Builder 2.0 was released, however, it’s never been easier to build, test, validate and package add-ons for sharing on SplunkBase.

Technical Add-Ons, aka TAs, are specialized Splunk apps that make it easy for Splunk to ingest data, extract and calculate field values, and normalize field names against the Common Information Model (CIM). Since the release of version 6.3, Splunk Enterprise also supports TAs for …

» Continue reading

Cybersecurity Week in Germany – Splunk wins Best SIEM



This week saw lots of activity taking place at IT-SA, the biggest German security event held in Nürnberg.

IT-SA 2016 – The IT Security Expo and Congress

This year was a record year for the conference with over 10,000 visitors and over 490 companies exhibiting.

it-sa2016The Splunk team was there in full force to showcase how we can help organizations utilize the gold hidden in their machine data. While security use cases were top of mind – many visitors wanted to learn how they could re-use their security investment across the company. In the booth theatre Splunk technical experts demonstrated how this works. In addition, we had ForeScout presenting on how it integrates and works together with Splunk. …

» Continue reading

Splunk & Cisco Web Security Appliance (WSA) – BFF: „Dear IT-Admin: My Internet is so slow“


I recently met with Tobias Mayer, an engineer from EMEA with Cisco. He has a particular expertise in Websecurity Technology.  The Cisco Munich Data Center has a great Splunk deployment and Tobias works closely with organizations in EMEA to solve their daily problems.

One common claim from End-Users in IT is „Our internet is slow“….and then the troubleshooting begins…  wsa

There are various components within enterprise IT that could be the reason why: „the internet is slow“.

It could be:

  • The Proxy Server is running on max load (CPU, Memory, Concurrent Connections)
  • The network connection from the client to the proxy within the internal network is slow
  • The Active Directory / Authentication Service for the proxy response is slow
» Continue reading

Building add-ons just got 2.0 times easier

Are you trying to build ES Adaptive Response actions or alert actions and need some help? Are you trying to validate your add-on to see if it is ready to submit for certification? Are you grappling with your add-on setup page and building credential encryptions? If you are, check out Splunk Add-on Builder 2.0.

Below is a brief overview of what’s new in Add-on Builder 2.0:

  • You can now leverage the easy-to-use, step-by-step workflow in Add-on Builder to create alert actions and ES adaptive response actions. No need to deal with .conf files and Python, let the tool do the work for you.



  • The validation process has been enhanced to include App Certification readiness. This validation process can also be performed on apps and add-ons
» Continue reading

Analyzing the Mirai Botnet with Splunk

On September 20th, the largest Distributed Denial of Service attack ever recorded targeted security researcher Brian Krebs. This attack was made up of Internet of Things (IoT) devices such as cameras, wireless controllers and internet enabled devices peaking at 400,000 total. Now dubbed the “Mirai botnet”, these devices scanned the internet for devices running telnet and SSH with default credentials, infecting them and further propagating. The source code for the botnet has since leaked to GitHub, where further analysis is underway by security researchers.

During the infection time period, I happened to be running a honeypot and captured some infection attempts on my own system. Using Suricata and /var/log/secure.log I can correlate invalid login attempts associated with Mirai with malicious …

» Continue reading

Detecting Ransomware Attacks with Splunk

 A few days ago, a customer asked me if Splunk could be used to detect Ransomware – y’know, the malware that encrypts all of the files on your hard drive and asks you to pay a ransom to get them back.  (If you’ve been trapped under something heavy for the last few years, see here  and here.)

Ransomware has been around for a few years now, and in fact Michael Gough, a local “Malware Archeologist” published a blog post about using Splunk to detect it way back in 2014. So yes, Splunk has been able to detect Ransomware for about as long as its been around.

Michael’s technique relies on enabling File Auditing within the Advanced Auditing features

» Continue reading

Splunk at CyberSecurity IP Expo London – Securing the digital enterprise

This year you can find Splunkers at the Cyber Security Europe event, part of IP Expo, from 5th-6th October in London. Cyber Security and cyber resilliance is on top of mind for everyone at this conference.


The focus in IT security is no longer to just protect your perimeter or systems against malware attacks. As cyber criminals become better organized, the impact of a successful attack can seriously impact your company’s brand, your customers and your intellectual property. Together with the fact that it is now clear that it’s not possible to prevent 100% of breaches, it;s clear that organizations need to change their approach. By moving from pure prevention to add early detection and response capabilities, organizations can gain …

» Continue reading

Adaptive Response: Beyond Analytics-Driven Security


Now that .conf2016 is in full swing, I’m excited to discuss one of my favorite topics – the Splunk-led Adaptive Response Initiative, which we first announced at the RSA Conference earlier this year. We made a big splash with a strong group of 8 founding participants representing key security technologies like Network Firewall, Endpoint Detection and Response, Privileged User Management, Threat Intelligence, and Incident Response. We are thrilled by the support from Splunk customers and strategic partners as we continue to enable organizations to operate multi-vendor adaptive security architectures and bring life to our vision for a security nerve center.

So here we are in Orlando, and I’m happy to share our latest Adaptive Response milestones:

  1. We have extended Adaptive Response controls into Splunk Enterprise Security 4.5 (ES)
  2. Vendor
» Continue reading

Use Analytics-Driven Decision Making and Automation to Improve Threat Detection and Operational Efficiency

SCL-Splunk-conf2016-Badge-4_fb-1200x627Today, we announced major advancements to our security analytics portfolio with a new version of Splunk Enterprise Security 4.5 (ES), which introduces significant innovations to Splunk ES.

Enterprise Security (ES) 4.5 includes Adaptive Response, which helps extend security architecture beyond legacy preventative technologies, and events-based monitoring to use connected intelligence for security operations to gain full visibility and responsiveness across the entire security ecosystem. The new release introduces Glass Tables, which expands the visual analytics capabilities of Splunk ES.

Meeting the growing needs of CISOs adopting automation and orchestration

Many Splunk security customers already use automation to eliminate routine tasks in order to accelerate detection and streamline their response times. A recent survey conducted by 451 Research reveals that 57% …

» Continue reading

Introducing Splunk UBA 3.0

SCL-Splunk-conf2016-Badge-5-v2_fb-1200x627Splunk User Behavior Analytics 3.0 (UBA) introduces significant advancements to Splunk UBA and drives Splunk’s Security Analytics to the next level. This is evident with Gartner placing Splunk in the leader’s quadrant and positioning Splunk furthest overall for completeness of vision.

Splunk UBA 3.0 makes an architectural shift by decoupling platform from content, thereby, providing customers with an ability to update detection footprint with zero downtime and without the hassle of upgrading the entire platform. Content includes the following: machine learning models, threat models, anomaly classifications, data sources, and intelligence. The goal for this architectural shift is two-fold – improve operational efficiency and keep up with the ever-changing threat landscape by delivering regular updates.

Model, Models and Lots of Machine

» Continue reading