Detecting Vulnerable and Compromised Certificate Use/Abuse with Splunk Enterprise Security and Stream

Recently, we have received a number of questions about compromised SSL certificates. One of the challenges this problem presents for analysts is how to gain insight into what these compromised SSL certificates are transporting and with whom they are communicating.

If you were to encounter this situation, you might find yourself being asked the following questions:

  • How would you identify which assets in your organization are affected?
  • How could you arrive at a strategy to prioritize what to remediate first?
  • How do we start looking for these certificates being used in communication across our networks and systems?

Detecting and Remediating

For users of Splunk, many of you know that the Splunk App for Stream can capture wire data. Stream can …


Wait, what – a youtube video for my app!?

At Splunkbase we are constantly striving to improve the experience for our users – whether it’s the app-discovery process for a Splunk admin/user, or the app-submission and management experience for our developers. We’ve been busy making changes over the last few months, and I thought this would be a good time to cover some of the more important changes we’ve made recently.

There was a lot of backend engineering work done to spruce up the infrastructure, the API, and search results relevancy – changes that are not always apparent to an end-user of Splunkbase. However, in this post I will talk about some user-facing features we recently added with the goal of improving the experience for our developer community. These features will allow you to …


Smart AnSwerS #44

Hey there community and welcome to the 44th installment of Smart AnSwerS.

Have you been looking for an opportunity to expand your Splunk search fu? Look no further! As mentioned in a previous Smart AnSwerS post, come join 60+ RSVP’d users (and counting!) this Monday, November 23rd, 2015 @ 11:00AM PST for the SplunkTrust Virtual .conf Session #2. The presenter, Kyle Smith, will be covering his popular .conf2014 session “Lesser-known Search Commands”. Be sure to visit the Meetup page to RSVP and find the URL to the WebEx session, and come learn a thing or two with the rest of us next week :)

Check out this week’s featured Splunk Answers posts:

Is there a posted percentage


Monitor your own Smart Home – three top tips from Splunk

Hi all,

One of the great things at Splunk is that there are so many devices you can collect data from and make something meaningful out of. We often hear from our (very smart) customers that they are figuring out cool use cases – but we also hire new data geeks like Udo Götzen from the EMEA Technical Services Team, too. He joined Splunk a few weeks ago with a deep security background and has already started to Splunk his postbox (mailbox for the American readers) and the rest of his smart home.

1. Yes you heard right – his postbox!

Sensor in the postbox: infrared sensor built into the postbox

How does it work? He has built an infrared photo sensor into the postbox that gets …


Smart AnSwerS #43

Hey there community and welcome to the 43rd installment of Smart AnSwerS.

It’s been a pretty long week, but what better way to take a break for a change of pace than with a party! I just got a reminder email that Splunk HQ is celebrating Diwali this afternoon, a Hindu festival of lights celebrated in the Fall every year. The courtyard will apparently be full of food, mehndi, and a talent show, oh my! Time to give my eyes a break from this monitor for a bit.

Check out this week’s featured Splunk Answers posts:

How to get a table cell color to change depending on the field value?

fredkaiser did some hunting around Answers, but couldn’t quite …


The Hitchhikers’ Guide to Splunk for less than $3 per day

Up until now it has been possible to hitchhike around the universe “for less than 30 Altairian dollars a day”, but you could never Splunk for anything close to that (even at today’s rather favorable Altairian dollar/US dollar exchange rate), and that has proved, for many in small IT environments, to be a challenge.

You really want to use Splunk to understand and optimize your IT operations, but you work in a small IT environment. What do I mean by small? Well, first, you have like no money to spend on log management (let’s say less than $100 per month), not to mention you have a small staff (let’s say, uhm, you and, in your wildest dreams, four other …


Smart AnSwerS #42

Hey there community and welcome to the 42nd installment of Smart AnSwerS.

Last week, we had our very first SplunkTrust Virtual .conf Session, the beginning of a series of live online talks via WebEx to give users access to the best technical content presented every year at the Splunk Worldwide User Conference, .conf. Our first presenter was SplunkTrust member Martin Mueller, who covered his .conf2015 session “Optimizing Splunk Knowledge Objects – A Tale of Unintended Consequences”, followed by Q&A. We had an amazing turnout of 100+ users from different timezones around the world. Our next session, #2, will be on Monday, November 23rd, 2015 @ 11:00AM PST, presented by alacercogitatus on his .conf2014 session “Lesser-known …


Smart AnSwerS #41

Hey there community and welcome to the 41st installment of Smart AnSwerS.

There have been a lot of questions on Answers throughout the years asking for a way to add comments to searches, such as this 3-year-old post with almost 16,000 views. The Answer by steveyz just below the accepted one is the latest development that many of you will be happy to learn about if you haven’t already seen it on this page. Splunk technical writer lstewart updated the documentation to share and publicize this solution: configuring and using a search macro to add comments to search strings with no performance or resource impact. *applause!*

Check out this week’s featured Splunk Answers posts:



Data Integrity is back, baby!

I’m sitting in my living room near Boulder, and watching the Republican Presidential Debate happening right down the road at the University of Colorado. Each candidate is doing their best to portray themselves as a candidate with integrity that’s ready to lead our country into the future. But this far into the debate, the responses are getting pretty repetitive…

So it’s a perfect time to check out something with some real integrity – the new Data Integrity feature added to Splunk 6.3, now generally available from Splunk. This allows you to prove that your indexed data has not been tampered with after indexing. Some historical background…we used to have two features that were similar, one called Block Signing


Send JSON objects to HTTP Event Collector using our .NET Logging Library

Recently we shipped a bunch of logging libraries at the same time our new HTTP Event Collector hit the streets:

One of the questions I’ve heard from customers using the libraries is “Can I send JSON objects with the .NET logging library?”

Yes, you can. To do it, you need to use our Splunk.Logging.Common library, which our other loggers depend on. Interfaces like TraceListener were designed for sending strings, not objects.

For example, TraceSource has a TraceData method which accepts objects and which, it appears, should work. However (at least based on my testing), the objects are serialized to strings and then passed on as such to the listeners. Thus by the time we get it we …
