SIEM use cases development workflow – Agile all the things!

If you are into Splunk rule development, I am pretty sure this post will resonate with you. But before getting to the main topic, let me quickly define what a SIEM use case is, which is another trendy, hot topic in the Infosec industry today. What is a SIEM use case after all? For answering…

It’s about time to change your correlation searches timing settings

I wrote about the problem of delayed events in a previous post, so here the focus is on how to overcome that problem when writing a rule or a correlation search (CS). What's the problem? Most, if not all, App/TA developers extract _time from the log generation timestamp. And that's the best practice, since we…
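To make the delay problem concrete, here is an added SPL example (my own, not code from the post or from Splunk ES). A scheduled search that selects on _time alone misses events that were generated inside its window but indexed after it ran. One common workaround is to scope the search on index time (_index_earliest/_index_latest) while keeping a wide _time window, so late arrivals are picked up on the next run and nothing is counted twice. The index name, sourcetype, EventCode, field names and the threshold are assumptions chosen for illustration.

```spl
/* Assumed data: Windows failed logons (EventCode=4625) in index "wineventlog".
   The rule runs every 60 minutes. */

index=wineventlog sourcetype="XmlWinEventLog" EventCode=4625
    /* Wide _time window: accept events generated up to a day ago... */
    earliest=-24h latest=now
    /* ...but only those that ARRIVED in the last run interval (with a small
       safety margin), so each event is evaluated exactly once, however late
       it shows up. */
    _index_earliest=-65m _index_latest=-5m
/* How late was each event? _indextime is set by the indexer, _time by the TA. */
| eval lag_sec = _indextime - _time
| stats count AS failures,
        max(lag_sec) AS max_lag_sec,
        min(_time)   AS first_seen,
        max(_time)   AS last_seen
        by user, src
/* Assumed threshold for a brute-force style alert. */
| where failures > 10
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

The first run after deploying the rule will have no prior run to hand over to, so late events from before deployment are not alerted on; after that, every event is evaluated once. The max_lag_sec column is worth keeping in the alert output: a steadily growing lag for one source is itself a sign that a forwarder or TA is falling behind.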

SIEM tricks: dealing with delayed events in Splunk

So after bugging the entire IT department and interrogating as many business teams as possible to grant you (the security guy) access to their data, you are finally in the process of developing your dream use cases. Lucky you! Most SIEM projects already fall apart before reaching that stage. Please take the time to read…

Splunk/ES: dynamic drilldown searches

One of the advantages of Splunk is the possibility to customize pretty much anything in terms of UI/workflow. Below is one example of how to make dynamic drilldown searches based on the output of aggregated results (post-stats). Even though Enterprise Security (ES) comes with built-in correlation searches (rules), some mature/eager users leverage Splunk's development appeal…