Improving Visibility in Security Operations with Search-Driven Lookups

Looking back on 2016, Splunk Enterprise Security added significant capabilities for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables.  Another capability that was added, but has received less attention, is a new type of search that Splunk calls Search-Driven Lookups.  Because it has not had as much attention, I wanted to share a bit about this capability and how it can be used.

Search-Driven Lookups originated from a question that users of legacy SIEM products often asked: how can Splunk dynamically create a watchlist and then correlate new events against it?  Enterprise Security has had the ability to correlate against a …
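The two-step pattern behind a search-driven watchlist, as an added example in plain Python (not code from the Splunk post): one search over a window of auth events produces the watchlist (in Splunk terms, what a scheduled search writing a lookup does), and a later search joins new events against it. The log lines, the failure threshold and the field names (action, user, src) are constructed for the example.

```python
"""Search-driven watchlist: one search builds the lookup, another correlates.

Added example, not code from the original post. The auth log lines below
are constructed; field names and the threshold of 5 failures are assumptions.
"""
import re
from collections import Counter

# Constructed events for the "watchlist-building" search window.
WATCHLIST_LOGS = """\
2017-01-10T08:00:01Z action=failure user=alice src=10.1.1.5
2017-01-10T08:00:03Z action=failure user=bob src=10.1.1.5
2017-01-10T08:00:05Z action=failure user=carol src=10.1.1.5
2017-01-10T08:00:07Z action=failure user=dave src=10.1.1.5
2017-01-10T08:00:09Z action=failure user=erin src=10.1.1.5
2017-01-10T08:02:00Z action=failure user=carol src=10.2.2.9
2017-01-10T08:03:00Z action=success user=frank src=10.3.3.3
"""

# Constructed events arriving later, which the correlation search inspects.
NEW_LOGS = """\
2017-01-10T08:05:00Z action=success user=dave src=10.1.1.5
2017-01-10T08:06:00Z action=success user=carol src=10.2.2.9
2017-01-10T08:07:00Z action=failure user=bob src=10.1.1.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a _time field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        fields["_time"] = ts
        events.append(fields)
    return events


def build_watchlist(events, threshold=5):
    """The search-driven lookup: sources with >= threshold failed logins.

    Returns rows keyed by src, i.e. what a scheduled search would write
    out as a lookup table for other searches to consume.
    """
    failures = Counter(e["src"] for e in events if e.get("action") == "failure")
    return {src: {"src": src, "failed_logins": n}
            for src, n in failures.items() if n >= threshold}


def correlate(events, watchlist):
    """The correlation search: successful logins from watchlisted sources,
    enriched with the failure count carried in the lookup row."""
    hits = []
    for e in events:
        if e.get("action") == "success" and e["src"] in watchlist:
            hits.append({**e, "failed_logins": watchlist[e["src"]]["failed_logins"]})
    return hits


if __name__ == "__main__":
    watchlist = build_watchlist(parse_events(WATCHLIST_LOGS))
    for hit in correlate(parse_events(NEW_LOGS), watchlist):
        print(hit)
```

Because the watchlist is regenerated by a search rather than maintained by hand, it ages out on its own: run `build_watchlist` over a sliding window and a source drops off once its failures fall outside that window.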


Lookups: Not Just for Enriching Data

This is a guest post contributed by Luke Netto, Security Engineer, Level 3 Communications

Lookups are a great way to enrich events with more meaningful data, but searching events by the enriched fields is a very costly operation, because the lookup has to be applied to every event before the filter can be evaluated.

While working on a recent project as a security engineer at Level 3 Communications, I found a much more efficient way to search these new fields. This trick works with any lookup that can be used in reverse. In the example below I allow users to search logs containing integer-formatted IP addresses using dot-decimal notation without performing a lookup on each event.

In order to search this dataset in the most efficient way possible you …
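The reverse-lookup idea from the excerpt above, as an added example in Python (not the post's own code): instead of converting every event's integer address to dotted form and then filtering, convert the user's dotted query (a host or a CIDR block) to an integer range and filter on the raw integer field, converting back only the matches. The events and the field name src_int are constructed for the example; the SPL-style filter string it builds assumes that field name.

```python
"""Search integer-encoded IPs by translating the query, not the data.

Added example, not code from the Level 3 post. SAMPLE_EVENTS is constructed;
the field name src_int is an assumption for the integer-formatted address.
"""
import ipaddress

# Constructed events: the source address is stored as a 32-bit integer.
SAMPLE_EVENTS = [
    {"_time": "2017-01-10T08:00:01Z", "src_int": 167837957,  "bytes": 1200},  # 10.1.1.5
    {"_time": "2017-01-10T08:00:02Z", "src_int": 3232235530, "bytes": 80},    # 192.168.0.10
    {"_time": "2017-01-10T08:00:03Z", "src_int": 2886731015, "bytes": 4096},  # 172.16.5.7
    {"_time": "2017-01-10T08:00:04Z", "src_int": 167838152,  "bytes": 512},   # 10.1.1.200
]


def to_int(dotted):
    """Dotted-decimal -> integer (the direction the user's query needs)."""
    return int(ipaddress.ip_address(dotted))


def to_dotted(value):
    """Integer -> dotted-decimal (applied only to matched events)."""
    return str(ipaddress.ip_address(value))


def int_range(query):
    """Host or CIDR query -> inclusive (lo, hi) integer range.

    strict=False lets a user type a host address with a prefix length.
    """
    net = ipaddress.ip_network(query, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def spl_filter(query, field="src_int"):
    """The search term a user would type against the raw integer field."""
    lo, hi = int_range(query)
    if lo == hi:
        return f"{field}={lo}"
    return f"{field}>={lo} {field}<={hi}"


def search(events, query, field="src_int"):
    """Filter on the integer field, then convert only the hits for display."""
    lo, hi = int_range(query)
    return [{**e, "src": to_dotted(e[field])}
            for e in events if lo <= e[field] <= hi]


if __name__ == "__main__":
    print(spl_filter("10.1.1.0/24"))
    for hit in search(SAMPLE_EVENTS, "10.1.1.0/24"):
        print(hit["src"], hit["bytes"])
```

The same approach works for any enrichment whose inverse is cheap to compute at query time (hashes of known values, port numbers to service names, and so on): map the search term into the stored representation once, and leave the per-event lookup for the handful of results you actually display.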


Maintaining State of the Union

Fellow Splunkers,

Well, it’s almost that time of year again already – the State of the Union address is scheduled for January 25th, 2011.

My predictions for the speech are as follows:

  • Things are getting better  :]
  • There are still many challenges to overcome  :[
  • Inspirational story 1, with subject of said story in attendance to the left of Mrs. President  ;_;
  • Inspirational story 2, with subject of said story in attendance to the right of Mrs. President  ;_;
  • Wrap it up, B(arack) [] :&

However, I would actually like to discuss a different kind of “state” – one that is more directly related to Splunk’s built-in capabilities (though I haven’t given up on my ‘Anti-unemployment’ or ‘Budget …
