This one comes from a recent tweet: The code is available below and is pretty straightforward (based on _internal). Let me know if there’s any issue when deploying/testing in your environment. I haven’t seen any ES dashboard providing such metrics yet, perhaps something to suggest the Product team? Some community-driven ideas are collected here (requires…
Writing Splunk Enterprise Security Correlation Searches – Best Practices
This is an attempt to contribute back to the Splunk community with some simple, yet powerful ideas to help users and customers write more effective SPL detection code. Splunk Enterprise Security (ES) App includes multiple Correlation Searches (rules, detections), but one hardly deploys them without some fine-tuning (customization). This is particularly helpful for those continuously…
SPL Nuggets: How are my rules performing?
There’s so much we can do in regards to Quality Assurance (QA) in a detection engineering practice, where to start? I’m sharing one of the first queries I usually leverage for gauging quick correlation searches (rules) stats in a Splunk ES environment. Alerts, Alerts everywhere! Metrics is a very controversial topic (Moneyball, anyone?), mostly because…
How rare is a rare HTTP agent? Context-rich alerts because of math
Known unknowns? This time I start with another cyber cliché: There are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t…
Should I date a model? Myths busted!
Alright, if you’ve arrived here to know my opinion about beautiful people, sorry for the title, this is not for you, I am of course referring to Splunk data models (DM). As a Splunk content engineer, sometimes having to deal with and solve DM related issues before prototyping another detection, this is a topic that…
Splunking BOTS V3: Q212, Q214, Q300
If you landed here without reading the first blog post of the series, perhaps it’s a good idea to check it out before proceeding, otherwise, happy reading! Next question, please! Using Splunk’s event order functions, what is the first seen signature ID of the coin miner threat according to Frothly’s Symantec Endpoint Protection (SEP) data? Q212,…
SPL Nuggets: Visualizing RDP/TS Connections from Eventlogs
In case you haven’t checked the previous article from the series, this is another easy to replicate SPL query that generates great value while keeping the code quite simple. Who does not like simple solutions to somewhat big problems? Problem Statement How to visually represent Remote Desktop (RDP) or Terminal Server connections within my network?…
Splunking BOTS v3: What Frothly VPN user generated the most traffic? Q330
If you landed here without reading the first blog post of the series, perhaps it’s a good idea to check it out before proceeding, otherwise, happy reading! Next question, please! What Frothly VPN user generated the most traffic? Answer guidance: Provide the VPN user name. BOTSv3 question #330, 1000 points Now it’s a good time…
Splunking questions from BOTS v3 dataset – Q215
The idea is pretty simple: let’s pick a few questions from the SOC BOTS v3 dataset and try to find the answers by leveraging plain SPL to find the answers. To make it easier to read, one question at a time. If you are not familiar with BOTS game, go ahead and click here before…
JIRA workflow for Detection Engineering teams
Threat Detection Engineering practice seems to be evolving. Not only because of easier log management methods and platforms, but because attackers will easily adapt to OOB security, evading detection and achieving their goals. Nevertheless access to all this data is only the start. The challenge for Blue Teamers keeps increasing as log availability and other…
Opstune.com 