Improving Visibility in Security Operations with Search-Driven Lookups
Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention, is a new type of search that Splunk calls Search-Driven Lookups. Because this feature has not received as much attention, I wanted to share a bit about it and how it can be used.
Search-Driven Lookups originated from a question that users of legacy SIEM products often asked: how can Splunk dynamically create watchlists that can then be used to correlate new events against a watchlist? Enterprise Security has had the ability to correlate against a …
Lookups: Not Just for Enriching Data
This is a guest post contributed by Luke Netto, Security Engineer, Level 3 Communications
Lookups are a great way to enrich events with more meaningful data; however, searching events by those enriched fields is a very costly operation.
While working on a recent project as a security engineer at Level 3 Communications, I found a much more efficient way to search these new fields. This trick works with any lookup that can also be used as a reverse lookup. In the example below, I allow users to search logs containing integer-formatted IP addresses using dot-decimal notation without performing a lookup on each event.
In order to search for 220.127.116.11 in this dataset in the most efficient way possible you …
Maintaining State of the Union
Well, it’s almost that time of year again already – the State of the Union address is scheduled for January 25th, 2011.
- Things are getting better :]
- There are still many challenges to overcome :[
- Inspirational story 1, with subject of said story in attendance to the left of Mrs. President ;_;
- Inspirational story 2, with subject of said story in attendance to the right of Mrs. President ;_;
- Wrap it up, B(arack) [comedycentral.com] :&
However, I would actually like to discuss a different kind of “state” – one that is more directly related to Splunk’s built-in capabilities (though I haven’t given up on my ‘Anti-unemployment’ or ‘Budget …