Improving Visibility in Security Operations with Search-Driven Lookups

Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention, is a new type of search that Splunk calls Search-Driven Lookups. Because this capability has received less attention, I wanted to share a bit about what it does and how it can be used.

Search-Driven Lookups originated from a question that users of legacy SIEM products often asked: how can Splunk dynamically create watchlists that can then be used to correlate new events against a watchlist? Enterprise Security has had the ability to correlate against a …

Preparing for a successful Enterprise Security PS engagement


Update 2016-10-31: Thank you Doug Brown and Hal Rottenberg for collaborating over the weekend to clarify this post! -eric grant, Community Manager, Splunk Community

Update 2016-10-28: There have been a number of questions from readers about the specs recommended in this post. Splunk is working with the author to clarify the numbers, and stands by the author’s right to make performance recommendations, based on his experience, that differ from our official requirements. -eric grant, Community Manager, Splunk Community

(Hi all–welcome to the latest installment in the series of technical blog posts from members of the SplunkTrust, our Community MVP program. We’re very proud to have such a fantastic group of community MVPs, and are excited to share what we learn

Creating McAfee ePO Alert and ARF Actions with Add-On Builder

One of the best things about Splunk is the passionate user community. As a group, the community writes amazing Splunk searches, crafts beautiful dashboards, answers thousands of questions, and shares apps and add-ons with the world.

Building high quality add-ons is perhaps one of the more daunting ways to contribute. Since the recently-updated Splunk Add-On Builder 2.0 was released, however, it’s never been easier to build, test, validate and package add-ons for sharing on SplunkBase.

Technical Add-Ons, aka TAs, are specialized Splunk apps that make it easy for Splunk to ingest data, extract and calculate field values, and normalize field names against the Common Information Model (CIM). Since the release of version 6.3, Splunk Enterprise also supports TAs for …

Use Analytics-Driven Decision Making and Automation to Improve Threat Detection and Operational Efficiency

Today, we announced major advancements to our security analytics portfolio with Splunk Enterprise Security (ES) 4.5, a new version that introduces significant innovations to Splunk ES.

Enterprise Security (ES) 4.5 includes Adaptive Response, which helps extend the security architecture beyond legacy preventative technologies and events-based monitoring, using connected intelligence so that security operations gain full visibility and responsiveness across the entire security ecosystem. The new release also introduces Glass Tables, which expand the visual analytics capabilities of Splunk ES.

Meeting the growing needs of CISOs adopting automation and orchestration

Many Splunk security customers already use automation to eliminate routine tasks in order to accelerate detection and streamline their response times. A recent survey conducted by 451 Research reveals that 57% …

#splunkconf16 preview: Automation, Machine Learning, Incident Response and Hunting are dominant themes for .conf2016

It is that special time of the year for the Security Markets team at Splunk, as we are a few weeks away from .conf2016, Splunk’s annual user conference!

The security track has over 40 learning sessions and numerous hands-on activities.

It will be an incredible four days to interact with our passionate users, CISOs, CIOs and business leaders, and to learn about the innovative ways in which Splunk users solve their security needs.

You will hear how Splunk customers such as Accenture, Bloomberg, CAA, Aflac, Workday, CERT-EU, MITRE, Sony, Capital Group, Bechtel, Republic Services and more use Splunk to solve their security needs.

This year, we have more than twenty customer-led security sessions where you can learn how our customers use …

Groupon Standardizes on Splunk Solutions

Whether it’s a tempting all-inclusive vacation package or an amazing deal on dinner for two, Groupon’s exciting offers continue to push me to discover new things. The global online and mobile marketplace has been one of our valued customers here at Splunk for five years, and we like to think that during that time we’ve helped Groupon discover a few things as well.

Like many of our retail and e-commerce customers, Groupon relies on the Splunk platform to gain insight into massive amounts of machine data. Now, Groupon has agreed to a multi-year Enterprise Adoption Agreement (EAA) for Splunk Enterprise and Splunk Enterprise Security (ES) that will enable it to gain Operational Intelligence across multiple teams …

Developing Correlation Searches Using Guided Search

Guided Search was released in Splunk Enterprise Security 3.1, nearly two years ago, but it is often overlooked. In reality, it is an excellent tool for streamlining the development of correlation searches. The goal of this blog is to provide a better understanding of how this capability can be used to create correlation searches, above and beyond those that ship with Enterprise Security, to meet your unique security requirements.

So what is Guided Search?

It’s a “wizard”-like process that gathers the key attributes making up a correlation search. Essentially, there are five elements to Guided Search:

  • Identify the data set to search
  • Apply a time boundary
  • Filter the data set (optional)
  • Apply statistics (optional)
  • Establish thresholds (optional)

Along the way, …

Rapid Response and Discovery (RRD) – Stop chasing alerts and start raising the cost for the adversary

In this discussion we will learn why RRD is an absolute necessity and establish the core capabilities it requires. Then we will walk through how ES 4.0 delivers those capabilities. Finally, we’ll show how we can extend RRD and add our own flavor using the existing capabilities of Splunk Enterprise and ES 4.0.

State of Affairs for Cyber Operations

Cyber operations teams receive far more alerts than they can handle. Once they receive an alert, analysts spend a lot of time manually connecting the dots. Alerts therefore drive the cyber posture of an organization, and cyber operations teams are stuck in a never-ending loop of chasing individual incidents. As a result, operations teams …

Improve Your Ability to Detect, Scope and Respond to Advanced Attacks with Splunk ES 4.0

For as long as I’ve been in security, vendors have talked about the “emerging threat landscape” and warned organizations not to be passive or to settle for “good enough” security. Never in my career have those words been truer than they are today. In fact, today’s threats are so different from those of the past that security professionals are now required to approach investigations in a radically different way.

Today’s threats are dynamic in nature, often comprising a series of activities over a long period of time. This makes them difficult to investigate, requiring the analyst to be equally dynamic in his or her activities to fully scope the infection. It’s also rare these days that a threat only …

Duqu 2.0 – The cyber war continues on a new level

Hello Security-Ninjas,

Recently I already blogged about how important it is to apply today’s threat intelligence information to historical data. I gave the example of the Duqu malware, which contained a self-destruct capability to remain hidden. It seems the hiding strategy has evolved to a new level…

What has happened?

Today (10th June) Kaspersky Labs announced that they have been attacked by a new version of Duqu. At the time of writing it has been imaginatively named Duqu 2.0. It’s a very sophisticated piece of cyber-espionage malware, and speculation is that a nation-state was behind the attack, with an estimated cost to create the malware of around $50 million. The entire malware platform relies heavily on zero-day vulnerabilities to get into systems and from …