I’ve had the chance to work with many great security teams during my career, and in 2012 I had the opportunity to join Verizon’s SOC in Germany. That was a very challenging experience considering the massive scale of its SecOps. It was also around that time that I realized Splunk could be used as a sort of…
SPL Nuggets: Know your admins – from eventlogs!
In case your threat hunters are idling around, here’s the first post from the “SPL Nuggets” series to the rescue! Without further explaining why it is extremely important to track user accounts in your environment, let’s start “Siri” style: Splunk, give me all potential local admin accounts you can see based on ingested eventlogs! For…
SIEM use cases development workflow – Agile all the things!
If you are into Splunk rules development, I am pretty sure this post will relate to you. But before entering the main topic, let me quickly define what a SIEM use case is about, which is another trendy, hot topic in the Infosec industry today. What is a SIEM use case after all? For answering…
It’s about time to change your correlation searches timing settings
I wrote about the problem of delayed events in a previous post, so here the focus is on how to overcome that problem when writing a rule or a correlation search (CS). What’s the problem? Most if not all App/TA developers extract _time from the log generation time. And that’s the best practice since we…
Mapping SDLC to security use cases development process
So now you have the budget for buying nice tools and hiring bright minds. Getting Splunk deployed and data flowing in will soon be in the past. What’s next then? How do you benefit from this investment? Enter Use Case Development. It takes a great deal of time until a use case can be fully leveraged. But before…
SIEM tricks: dealing with delayed events in Splunk
So after bugging the entire IT department and interrogating as many business teams as possible to grant you (the security guy) access to their data, you are finally in the process of developing the use cases you’ve been dreaming of. Lucky you! Most SIEM projects already fall apart before reaching that stage. Please take the time to read…
Splunk/ES: dynamic drilldown searches
One of the advantages of Splunk is the possibility to customize pretty much anything in terms of UI/workflow. Below is one example of how to make dynamic drilldown searches based on the output of aggregated results (post-stats). Even though Enterprise Security (ES) comes with built-in correlation searches (rules), some mature/eager users leverage Splunk’s development appeal…
Honing in on the Homeless – the Splunkish way
Have you noticed Splunk just released a new version, including new data visualizations? I had been eager to start playing with one of the new charts when yesterday I came across a blog post by Bob Rudis, who is co-author of the Data-Driven Security book and a former member of the Verizon DBIR team. In that…
Blame it on YOU for the damn false-positives!
Below is a list of 6 facts (and counting) you should know before whining and complaining about the infamous false-positive (FP) topic. If you’ve been there, feel free to comment and share your pain or your own facts. As you know, FPs are everywhere and multiplying just like Gremlins after a shower! [Misled Millennials, click…
Splunkers on Twitter
Below is a list of Splunk users I am following on Twitter, including Splunkers, partners and awesome users. Most of them are also into #Infosec. The list is not sorted in any particular order. Missing someone, maybe you?! Please feel free to contact me to add more. In case you want to follow a list,…
