Known unknowns?
This time I start with another cyber cliché: There are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t…
Category: Analytics
Splunking BOTS V3: Q212, Q214, Q300
If you landed here without reading the first blog post of the series, perhaps it’s a good idea to check it out before proceeding, otherwise, happy reading! Next question, please! Using Splunk’s event order functions, what is the first seen signature ID of the coin miner threat according to Frothly’s Symantec Endpoint Protection (SEP) data? Q212,…
SPL Nuggets: Visualizing RDP/TS Connections from Eventlogs
In case you haven’t checked the previous article from the series, this is another easy-to-replicate SPL query that generates great value while keeping the code quite simple. Who does not like simple solutions to somewhat big problems? Problem Statement: How to visually represent Remote Desktop (RDP) or Terminal Server connections within my network?…
Splunking BOTS v3: What Frothly VPN user generated the most traffic? Q330
If you landed here without reading the first blog post of the series, perhaps it’s a good idea to check it out before proceeding, otherwise, happy reading! Next question, please! What Frothly VPN user generated the most traffic? Answer guidance: Provide the VPN user name. BOTSv3 question #330, 1000 points Now it’s a good time…
Splunking questions from BOTS v3 dataset – Q215
The idea is pretty simple: let’s pick a few questions from the SOC BOTS v3 dataset and try to find the answers by leveraging plain SPL. To make it easier to read, one question at a time. If you are not familiar with the BOTS game, go ahead and click here before…
JIRA workflow for Detection Engineering teams
Threat Detection Engineering practice seems to be evolving. Not only because of easier log management methods and platforms, but because attackers will easily adapt to OOB (out-of-the-box) security, evading detection and achieving their goals. Nevertheless, access to all this data is only the start. The challenge for Blue Teamers keeps increasing as log availability and other…
SPL Nuggets: Know your admins – from eventlogs!
In case your threat hunters are idling around, here’s the first post from the “SPL Nuggets” series to the rescue! Without further explaining why it is extremely important to track user accounts in your environment, let’s start “Siri” style: Splunk, give me all potential local admin accounts you can see based on ingested eventlogs! For…
SIEM use cases development workflow – Agile all the things!
If you are into Splunk rules development, I am pretty sure this post will relate to you. But before entering the main topic, let me quickly define what a SIEM use case is about, which is another trendy, hot topic in the Infosec industry today. What is a SIEM use case after all? For answering…
It’s about time to change your correlation searches timing settings
I wrote about the problem of delayed events in a previous post, so here the focus is on how to overcome that problem when writing a rule or a correlation search (CS). What’s the problem? Most, if not all, App/TA developers extract _time from the log generation time. And that’s the best practice since we…
Mapping SDLC to security use cases development process
So now you have the budget for buying nice tools and hiring bright minds. Getting Splunk deployed and data flowing in will soon be behind you. What’s next then? How to benefit from this investment? Enter Use Cases Development. It takes a great deal of time until a use case can be fully leveraged. But before…