Creating McAfee ePO Alert and ARF Actions with Add-On Builder

One of the best things about Splunk is the passionate user community. As a group, the community writes amazing Splunk searches, crafts beautiful dashboards, answers thousands of questions, and shares apps and add-ons with the world.

Building high quality add-ons is perhaps one of the more daunting ways to contribute. Since the recently-updated Splunk Add-On Builder 2.0 was released, however, it’s never been easier to build, test, validate and package add-ons for sharing on SplunkBase.

Technical Add-Ons, aka TAs, are specialized Splunk apps that make it easy for Splunk to ingest data, extract and calculate field values, and normalize field names against the Common Information Model (CIM). Since the release of version 6.3, Splunk Enterprise also supports TAs for …

» Continue reading

Cybersecurity Week in Germany – Splunk wins Best SIEM



This week saw lots of activity taking place at IT-SA, the biggest German security event held in Nürnberg.

IT-SA 2016 – The IT Security Expo and Congress

This year was a record year for the conference with over 10,000 visitors and over 490 companies exhibiting.

The Splunk team was there in full force to showcase how we can help organizations mine the gold hidden in their machine data. While security use cases were top of mind, many visitors wanted to learn how they could reuse their security investment across the company. In the booth theatre Splunk technical experts demonstrated how this works. In addition, we had ForeScout presenting on how it integrates and works together with Splunk. …

» Continue reading

Important information for customers using Splunk Enterprise 6.2 or earlier

Do you use SSL to secure Splunk Enterprise? Are you still using Splunk Enterprise version 6.2 or earlier? If you answered yes to both of these questions, please read on.

Securing communication with your Splunk instance can be essential in today’s digital environment, especially if it is collecting sensitive information. If communication to or from your Splunk instance can be easily intercepted (e.g. public access to Splunk Web, forwarders outside the firewall), that communication should be encrypted using SSL/TLS. Additionally, security functionality is constantly being enhanced to combat the evolving threat landscape, so you should stay on as current a version of Splunk as possible.

You may have heard that the OpenSSL Software Foundation will cease support for OpenSSL version 1.0.1 as …

» Continue reading

Splunk & Cisco Web Security Appliance (WSA) – BFF: „Dear IT-Admin: My Internet is so slow“


I recently met with Tobias Mayer, an engineer from EMEA with Cisco. He has particular expertise in web security technology. The Cisco Munich Data Center has a great Splunk deployment, and Tobias works closely with organizations in EMEA to solve their daily problems.

One common complaint from end users in IT is „Our internet is slow“… and then the troubleshooting begins…

There are various components within enterprise IT that could be the reason why: „the internet is slow“.

It could be:

  • The Proxy Server is running on max load (CPU, Memory, Concurrent Connections)
  • The network connection from the client to the proxy within the internal network is slow
  • The Active Directory / Authentication Service for the proxy response is slow
» Continue reading

Cyber Defense Day at Deutsche Bahn

Hello Security Ninjas,

Recently Deutsche Bahn joined forces with our Splunk Germany team and organized the first Cyber Defense Day at Deutsche Bahn. About 100 security people attended, from within Deutsche Bahn as well as from other companies in the Frankfurt area, to encourage information sharing and networking between different organizations. Sven Grun from DB Systel (part of Deutsche Bahn) opened and moderated the event, which was hosted in the Silvertower Skydeck in Frankfurt.


Samuel Ruppert from DB Systel showed in a demo how to hack a vulnerable web application – for example an infotainment system on a train. His takeaway for the audience was that security needs to be implemented in each step of the …

» Continue reading

Detecting Ransomware Attacks with Splunk

A few days ago, a customer asked me if Splunk could be used to detect ransomware – y’know, the malware that encrypts all of the files on your hard drive and asks you to pay a ransom to get them back. (If you’ve been trapped under something heavy for the last few years, see here and here.)

Ransomware has been around for a few years now, and in fact Michael Gough, a local “Malware Archeologist”, published a blog post about using Splunk to detect it back in 2014. So yes, Splunk has been able to detect ransomware for about as long as it’s been around.

Michael’s technique relies on enabling File Auditing within the Advanced Auditing features
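Detection logic of the kind that file auditing makes possible, as an added example that is not code from this post or from Michael Gough's write-up. It assumes (an assumption, not something the page states) that file auditing is enabled so each file access lands in the Security log as event 4663 ("An attempt was made to access an object") carrying an Account Name, Object Name and Access Mask; the log lines, hosts, accounts, thresholds and the short extension list are all constructed for the example. The same sliding-window count is what you would express in Splunk with `bin`/`streamstats` over `EventCode=4663` split by host and account.

```python
"""Burst detection over Windows file-audit events (added example).

Assumptions, not taken from the page: file auditing is enabled, so each
file access is logged as Security event 4663 with an Account Name, an
Object Name and an Access Mask. Ransomware rewrites many files in a short
time, so an account whose count of distinct written files inside a sliding
window crosses a threshold is flagged; a second check flags ransom-style
extensions. All sample data below is constructed.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access-mask bits that mean the file was changed rather than only read
# (Windows file-object rights: 0x2 WriteData/AddFile, 0x4 AppendData, 0x10000 DELETE).
WRITE_BITS = 0x2 | 0x4 | 0x10000

# Illustrative list only (assumption); real campaigns use many other names.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one constructed '<ISO time>Z key=value ...' line into a dict."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(_KV.findall(rest))
    return {
        "ts": datetime.fromisoformat(ts_text.rstrip("Z")),
        "host": fields["host"],
        "account": fields["Account_Name"],
        "path": fields["Object_Name"],
        "mask": int(fields["Access_Mask"], 16),
    }


def detect_bursts(events, window=timedelta(seconds=60), threshold=25):
    """Return one alert per (host, account) that writes >= threshold distinct
    files inside any span of length `window`. Events may arrive unsorted."""
    recent = defaultdict(deque)   # (host, account) -> deque of (ts, path)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["mask"] & WRITE_BITS:
            continue                        # reads are noise for this check
        key = (ev["host"], ev["account"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while ev["ts"] - q[0][0] > window:  # drop writes that left the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "account": key[1],
                           "first_seen": q[0][0], "last_seen": ev["ts"],
                           "files": len(distinct)})
    return alerts


def suspicious_extensions(events):
    """Return (host, account, extension) triples for writes to ransom-style names."""
    hits = set()
    for ev in events:
        ext = os.path.splitext(ev["path"])[1].lower()
        if ev["mask"] & WRITE_BITS and ext in RANSOM_EXTENSIONS:
            hits.add((ev["host"], ev["account"], ext))
    return hits


def _constructed_sample():
    """Constructed log lines: alice edits three documents over ten minutes;
    bob's session rewrites 40 spreadsheets as *.locked within 20 seconds."""
    base = datetime(2016, 10, 5, 10, 0, 0)
    lines = []
    for i in range(3):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()}Z host=WS01 Account_Name=alice "
                     f"Object_Name=C:\\Users\\alice\\doc{i}.docx Access_Mask=0x2")
    for i in range(40):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()}Z host=WS02 Account_Name=bob "
                     f"Object_Name=C:\\Users\\bob\\q{i}.xlsx.locked Access_Mask=0x2")
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    for a in detect_bursts(events):
        print(f"BURST {a['host']} {a['account']}: {a['files']} files "
              f"between {a['first_seen']} and {a['last_seen']}")
    for host, account, ext in sorted(suspicious_extensions(events)):
        print(f"EXTENSION {host} {account}: writes to *{ext}")
```

Two points a practitioner should carry over to a production search: the burst count is keyed on distinct object names, so a single file being saved repeatedly by an editor does not trip it, and the threshold and window must be tuned per environment (build servers and backup agents legitimately write thousands of files a minute and need an allowlist).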

» Continue reading

Splunk at CyberSecurity IP Expo London – Securing the digital enterprise

This year you can find Splunkers at the Cyber Security Europe event, part of IP Expo, from 5th-6th October in London. Cyber security and cyber resilience are top of mind for everyone at this conference.


The focus in IT security is no longer just to protect your perimeter or systems against malware attacks. As cyber criminals become better organized, a successful attack can seriously damage your company’s brand, your customers and your intellectual property. Together with the fact that it is now clear that it’s not possible to prevent 100% of breaches, it’s clear that organizations need to change their approach. By moving from pure prevention to adding early detection and response capabilities, organizations can gain …

» Continue reading

Use Analytics-Driven Decision Making and Automation to Improve Threat Detection and Operational Efficiency

Today, we announced major advancements to our security analytics portfolio with Splunk Enterprise Security 4.5 (ES), a new version that introduces significant innovations to Splunk ES.

Enterprise Security (ES) 4.5 includes Adaptive Response, which extends the security architecture beyond legacy preventative technologies and event-based monitoring, using connected intelligence so that security operations gain full visibility and responsiveness across the entire security ecosystem. The new release also introduces Glass Tables, which expand the visual analytics capabilities of Splunk ES.

Meeting the growing needs of CISOs adopting automation and orchestration

Many Splunk security customers already use automation to eliminate routine tasks in order to accelerate detection and streamline their response times. A recent survey conducted by 451 Research reveals that 57% …

» Continue reading

Introducing Splunk UBA 3.0

Splunk User Behavior Analytics 3.0 (UBA) introduces significant advancements to Splunk UBA and drives Splunk’s security analytics to the next level. This is evident in Gartner placing Splunk in the Leaders quadrant and positioning Splunk furthest overall for completeness of vision.

Splunk UBA 3.0 makes an architectural shift by decoupling the platform from content, giving customers the ability to update their detection footprint with zero downtime and without the hassle of upgrading the entire platform. Content includes machine learning models, threat models, anomaly classifications, data sources, and intelligence. The goal of this architectural shift is two-fold: improve operational efficiency, and keep up with the ever-changing threat landscape by delivering regular updates.

Model, Models and Lots of Machine

» Continue reading

Trust and Resilience at the Speed of Business – How Travis Perkins built a lean SOC with Splunk in the Cloud


This week we attended the Gartner Security & Risk Management Summit in London. IT security managers from across Europe came together to network, exchange information about the latest cyber security strategies and understand Gartner’s perspective on the market.
As every industry continues to focus on digital transformation and move services online, security has become an even greater organizational priority. Organizations that customers trust and are confident in using will be the clear winners in the long term. For many organizations IT-related risk has become a major part of the corporate risk assessment that the board of directors has to review regularly.


As a result, many organizations have identified the need to build up Security Operations Centers (SOC) or …

» Continue reading