Posts

Showing posts with the label Splunk

Stat! 3 Must-Have Data Filtering Techniques

Data filtering techniques for threat hunting. Why is filtering data important? Well, Splunk allows you to store gigabytes, terabytes, or even petabytes of full-fidelity security data — yet the evidence you are seeking during a hunt or investigation is often contained in just a few events. You need to eliminate the noise and expose the signal. To do this, we will focus on three specific techniques for filtering data that you can start using right away. For all three tutorials below, we use data from our Boss of the SOC v1.0 data set. Technique 1. It’s About Time: Specifying a time range. The most obvious (but often overlooked) technique for reducing the number of events returned by your Splunk search — and getting you closer to actionable results — is to specify an appropriate time range. If you can put a left and right boundary on the timeline of your hunt, you enable Splunk to ignore events from time periods that have nothing to do with your hypothesis, ...

Introducing the Splunk App for Behavioral Profiling

Splunk is the platform for a million use cases, used to investigate operational data across security, observability, fraud, business intelligence and many other domains. But, in my time at Splunk, I’ve come to realize that all of our customers face challenges that stem from the same core problem: within exploding data volumes, finding the anomalously behaving entities that are most threatening to the resilience of their organization. Introducing the Splunk App for Behavioral Profiling, a collection of workflows which enable you to operationalise detection and scoring of behavioral anomalies at scale in complex environments, correlated to profile and highlight the entities that are affecting resilience - designed to help: Fraud Teams tasked with locating increasingly sophisticated attackers that employ evolving methods across physical and digital channels to avoid simplistic detection rules. IT Operations supporting modern infrastructure, services and solu...

General Availability of Cloud Monitoring Console’s Maintenance Dashboard

Navigating the Maintenance Dashboard. When you access the Maintenance Dashboard within the CMC app, your attention is immediately drawn to the informative card displaying details about the "next maintenance window" scheduled for your deployment within the next 30 days. This card appears only if you have a Splunk-initiated maintenance planned within a month. It provides valuable information such as the Maintenance Type, Maintenance ID, scheduled start time, and a status progress timeline, offering daily updates on the status of your maintenance window. For a more comprehensive view, the bottom section of the Maintenance Dashboard features a table that includes additional details about the operation types (e.g., Splunk upgrades, App upgrades) involved for each maintenance window. By default, the table is filtered to show all upcoming maintenance activities within the next 30 days, including the "next maintenance window." In this screenshot we see the ...

Splunk - Hunting for threats in DNS

Understanding DNS exfiltration. When we talk about DNS exfiltration, we are talking about an attacker using the DNS protocol to tunnel (exfiltrate) data from the target to their own host. You could hypothesize that the adversary might use DNS to either: move sensitive files out of your organisation, or use it as a side channel for communications with malicious infrastructure. With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or their peers! Hunting for threats in DNS. In the section below, we show some ways to detect weirdness in DNS based on the techniques highlighted above. NOTE: Adjust the sourcetypes/tags/eventtypes to suit your environment. Top 10 Clients by Volume of Requests. Capturing spikes or changes in client volumes may show early signs of data exfiltration. tag=dns message_type="Query" | timechart span=1h limit=10 usenull=f useother=f count AS Requ...

What's New: Splunk Enterprise 8.2

Splunk Enterprise 8.2 focuses its development across a number of themes: insights, admin productivity, data infrastructure, and performance. Be sure to check out Splunk Docs for a complete and definitive guide on how and where you can access and use these new features. Insights: Dashboard Studio is now generally available (GA) and is integrated directly into Search & Reporting, alongside the Classic Dashboard experience. Dashboard Studio is the new and intuitive dashboard builder for creating visually compelling dashboards with advanced visualization tools and fully customizable formats. Also, the Splunk Secure Gateway (SSG) App is now delivered as part of Splunk Enterprise. SSG lets you configure your Connected Experiences mobile deployment and register devices to a Splunk instance. (Figure: Dashboard Studio in action.) Admin Productivity: Splunk has done a lot in this release to help admins do more with less. The Splunk Health Report also now displays in...

Reuse Your Log Data to Accelerate Troubleshooting and Optimize Your Splunk Investment

Expansions in the cloud aren’t slowing down, and when an issue arises in these hybrid environments, log data is critical to help engineering teams understand the ‘why’ behind the incident. Paired with real-time metrics in a single, unified experience, log data can help teams speed troubleshooting and resolution and optimize performance to prevent future incidents. But often teams may end up paying twice for the same log data they’re already using to support IT and security use cases.  If your organization already uses Splunk Platform for logs, Log Observer Connect within Splunk Observability Cloud can seamlessly integrate your log data from Splunk Cloud or Splunk Enterprise. And with the new log timeline feature, along with log view, users can import their logs into their Splunk Observability Cloud dashboards and troubleshooting workflows to find and solve problems faster–without having to pay for the same data twice.  Explore Your Logs and Metrics in a Single Vie...

Splunk: Cybersecurity Dynamics Rapidly Changing

A survey of 1,520 cybersecurity and IT leaders published today found more than half (52%) reporting their organization suffered a data breach in the past two years, with 62% experiencing monthly unplanned downtime attributable to a cybersecurity incident. The survey, conducted by Enterprise Strategy Group (ESG) on behalf of Splunk, also found that, on average, it takes 2.4 months to discover bad actors on corporate networks. Over a third (39%) of the respondents said cybersecurity incidents have directly harmed their competitive position, with 31% also noting those incidents have reduced shareholder value. As a result, cybersecurity budgets are increasing, with 95% of respondents reporting their security budgets will increase over the next two years, with 56% describing those increases as significant. The survey also found 81% of respondents are working for organizations that are converging aspects of their security and IT operations. Respondents believe this conver...

New APM Capabilities Help Optimize Application Performance Across Monoliths or Microservices

Splunk Observability recently announced several new enhancements to reduce noise and provide more visibility when isolating problems in your environments. Specific to applications and services, whether you operate monolithic or microservices architectures, these releases help you easily investigate problems in complex environments. Here’s a roundup of the recent Splunk APM capability releases. Easily Identify Problems From Billions of Traces: Trace Analyzer helps you confidently detect patterns across billions of transactions and find specific issues for any tag, user, or service. Now you can identify unknown unknowns by running ad-hoc aggregations over all your trace data to find specific issues in any tag. Troubleshoot specific user issues by visualizing when patterns of errors and latency began and ended, and by receiving the exact traces experienced during a problem. Understand the radius of an issue across customer groups by easily grouping and filtering high-cardinality tags...