If you are into Splunk rules development, I am pretty sure this post will relate to you. But before entering the main topic, let me quickly define what a SIEM use case is about, which is another trendy, hot topic in the Infosec industry today. What is a SIEM use case after all? For answering…
Tag: splunk
It’s about time to change your correlation searches timing settings
I wrote about the problem of delayed events in a previous post, so here the focus is on how to overcome that problem when writing a rule or a correlation search (CS). What’s the problem? Most, if not all, App/TA developers extract _time from the log generation time. And that’s the best practice since we…
SIEM tricks: dealing with delayed events in Splunk
So after bugging the entire IT department and interrogating as many business teams as possible to grant you (the security guy) access to their data, you are finally in the process of developing your dream use cases. Lucky you! Most SIEM projects already fall apart before reaching that stage. Please take the time to read…
Splunk/ES: dynamic drilldown searches
One of the advantages of Splunk is the possibility to customize pretty much anything in terms of UI/Workflow. Below is one example on how to make dynamic drilldown searches based on the output of aggregated results (post-stats). Even though Enterprise Security (ES) comes with built-in correlation searches (rules), some mature/eager users leverage Splunk’s development appeal…
Honing in on the Homeless – the Splunkish way
Have you noticed Splunk just released a new version, including new data visualizations? I had been eager to start playing with one of the new charts when yesterday I came across a blog post by Bob Rudis, who is co-author of the Data-Driven Security book and a former member of Verizon’s DBIR team. In that…
My TOP 5 Security (and techie) talks from Splunk .conf 2015
If you are into Security and didn’t have an opportunity to attend the Splunk conference in Las Vegas this year (maybe you’re busy playing Blackjack instead?), here’s what you cannot miss. The list is not sorted in any particular order and, whenever possible, entries include presenters’ Twitter handles as well as takeaways or comments…
Splunk > Self-Learning Path & The Community Factor
Splunk is gaining tremendous traction in the market due to its ability to harness the value of machine data. The idea here is to highlight a few reasons for such success: its free-access and community-driven approaches. Being familiar with the ways in which knowledge can be freely attained is a great advantage. Coupled with your…
My 1st Splunk app: RAW Charts
After some days playing around with a few interesting apps, I’ve decided to give it a try and learn how to integrate the RAW data visualization project into Splunk. It turns out, by reading the right (latest) App Development documentation (thanks IRC!) and checking good examples, it’s quite an easy job, especially if you are already…
Security Analytics: having fun with Splunk and a packet capture file
It’s been quite a long time since my last post here. I’m now taking the opportunity to share one article I wrote about Splunk, which might be of some help to the community. Since I’ve been using that technology for a while, I’ve decided to leverage such knowledge in order to renew one GIAC…