Splunkworkshop Analyticssiem

2 0 1 6 S P LU N K I N C . CO N F I D E N T I A L .
I N
T2E0R1NA
7 SLPU
LUSE
N KO N
I NC
LY..
Splunk Enterprise Security:

The Analytics SIEM
2 0 1 7 S P LU N K I NC .
Agenda:
Course Outline
2 0 1 7 S P LU N K I NC .
Section 1: bad news/ good news Section 5: Security Domains

Section 2: Whats a SIEM? Section 6: Security Intelligence
Section 3: Security Posture Section 7: Investigative Journal
& Incident Review Section 8: Wrap-Up
Section 4: Event Investigators Section 9: Appendix
and Adaptive Response
3
2 0 1 7 S P LU N K I NC .
Section 1:
good news | bad news
2 0 1 7 S P LU N K I NC .
the anatomy of a breach

Modern APT are Essentially Attack Transactions but the attacker is trying to hide from you
2 0 1 7 S P LU N K I NC .
Gain access Create additional Conduct

Technology Transaction to system environment business
Web
Threat Data Portal
.pdf
Network Proxy log

MAIL
Access/Security C2 communication WEB
to blacklist
Events that
contain link to file
What created the How was

program/process? process started?
Endpoint
Access/Security Process making
C2 traffic
.pdf Calc.exe Svchost.exe
13
2 0 1 7 S P LU N K I NC .
First
the bad news
2 0 1 7 S P LU N K I NC .
Security Today:
2 0 1 7 S P LU N K I NC .
30% of phishing
emails get opened
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
one minute and forty

seconds to open a malicious
email upon receipt
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
one in ten users open

the attachments
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
three minutes and forty

five seconds to open an
attachment upon receipt
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
3% of users alert
management of a
possible phishing email
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
it only takes one user

to open one email to
compromise an entire
network
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
two-thirds of all breaches

are the result of weak or
stolen passwords
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
new vulnerabilities come out every day
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
99% of attacks
compromise
systems within days
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
1/3rd of breaches are

detected by a 3rd party
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
only 4% of alerts are investigated.

2 0 1 7 S P LU N K I NC .
59,476 un-investigated
tickets.
1 single incident.
40,000,000 customer
records.
2 0 1 7 S P LU N K I NC .
46% of organizations
dont even have a SOC
** 2016
2016 Verizon
Verizon breach
breach digest
digest
and no one is immune
2 0 1 7 S P LU N K I NC .
** 2016
2016 Verizon
Verizon breach
breach digest
digest
2 0 1 7 S P LU N K I NC .
prevention starts with the SOC

2 0 1 7 S P LU N K I NC .
now, the good news

2 0 1 7 S P LU N K I NC .
3 equal parts make a mature security program
Process
Technology People
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
lets do some maths!

2 0 1 7 S P LU N K I NC .
the average analyst handles between

14 and 28 cases in an 8 hour shift.
2 0 1 7 S P LU N K I NC .
assuming 25 cases per day.
according to Optiv
2 0 1 7 S P LU N K I NC .

20 minutes per case.
2 0 1 7 S P LU N K I NC .

500 cases per month.
2 0 1 7 S P LU N K I NC .

500 cases per month.
= 166 hours
2 0 1 7 S P LU N K I NC .
20 days.
2 0 1 7 S P LU N K I NC .
what if we could cut that in half?

2 0 1 7 S P LU N K I NC .
166 hours
2
= 83 hours
2 0 1 7 S P LU N K I NC .
88 hours
8
= 10 days
2 0 1 7 S P LU N K I NC .
you get 10 days back.

2 0 1 7 S P LU N K I NC .
per month.
2 0 1 7 S P LU N K I NC .
what could you do with an additional 10 days per month?

2 0 1 7 S P LU N K I NC .
up your security training?

2 0 1 7 S P LU N K I NC .
work on automating basic alerting?

2 0 1 7 S P LU N K I NC .
concentrate on accuracy over speed?

2 0 1 7 S P LU N K I NC .
write a haiku?

2 0 1 7 S P LU N K I NC .
more family time?
write a haiku?

2 0 1 7 S P LU N K I NC .
start a fight club?

more family time?
write a haiku?

2 0 1 7 S P LU N K I NC .
the possibilities are endless.

2 0 1 7 S P LU N K I NC .
theres the old way.

2 0 1 7 S P LU N K I NC .
escalate or ignore.
2 0 1 7 S P LU N K I NC .
then theres the right way.

2 0 1 7 S P LU N K I NC .
find out wtf is actually going on.

2 0 1 7 S P LU N K I NC .
lets work smarter, not harder

2 0 1 7 S P LU N K I NC .
and Ill show you how.

2 0 1 7 S P LU N K I NC .
Section 2:
Whats a SIEM?
2006 called. They want their SIEM back.
2 0 1 7 S P LU N K I NC .
Legacy SIEM
Firewall Authentication Vulnerability

Scans
Intrusion Data Loss Anti-

Detection Prevention Malware
All Machine Data is Security Relevant
2 0 1 7 S P LU N K I NC .
Threat Intelligence
Email Web Desktops Servers DHCP/ DNS CMBD
Traditional SIEM
Custom Apps Network
Hypervisor Badges Firewall Authentication Vulnerability Flows
Scans
Intrusion Data Loss Anti- Physical Transaction

Storage Mobile Malware Access Records
Detection Prevention
2 0 1 7 S P LU N K I NC .
learning objectives
Overview to Splunk Enterprise Security (ES)
Introduce notable event
How to login to ES
Introduce ES home page
Enterprise Security Overview
2 0 1 7 S P LU N K I NC .
Out of the box content in all its glory

- alerts | reports | dashboards
Captures data from all sorts of
device | systems | applications, then
smacks it up, flips it, and rubs it
down
Built on top of Splunk Core (so you
can still get down and get funky with
SPL).
Made with real bits of jaguar, so you
know its good.
Rapid 5 Year Ascension in Gartner SIEM MQ
2 0 1 7 S P LU N K I NC .
2011 2016
Leader
Niche Player
Splunk Positioned as a Leader in Security Analytics Platforms
2 0 1 7 S P LU N K I NC .
Splunk is a Leader in
The Forrester Wave:
Security Analytics
Platforms, Q1 2017*
Splunk receives highest possible
scores in 17 criteria
Report is available for redistribution:

https://www.splunk.com/goto/forrester-wave-security-analytics-platform
*The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester

and Forrester Wave are trademarks of Forrester Research, Inc. The
Forrester Wave is a graphical representation of Forrester's call on a market
and is plotted using a detailed spreadsheet with exposed scores, weightings,
and comments. Forrester does not endorse any vendor, product, or service
depicted in the Forrester Wave. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change*.
Actionable Info Through
2 0 1 7 S P LU N K I NC .
Normalization
Any Source, Type, Volume
Security Domains
Online
Services
On-the-Fly
Access
Web
On-
Premises
Services
Data Normalization
Security GPS
Servers
Location
Endpoint
Packaged
Applications
Networks
Desktops
Private Storage
Custom
Cloud Messaging Applications
Telecoms
RFID Network
Online Energy
Shopping Meters
Cart Databases
Public Web Call Detail Identity
Cloud Clickstreams Records
Smartphones
and Devices
Data Sources Required
2 0 1 7 S P LU N K I NC .
Network Endpoint Threat Intelligence Access/Identity

Data Sources Required
2 0 1 7 S P LU N K I NC .
3rd party threat data Known relay/C2 sites, infected sites, IOC,
Open source blacklist attack/campaign intent and attribution
Internal threat intelligence
Threat intelligence
Firewall, IDS, IPS Web Proxy

Who talked to whom, traffic, malware download/
DNS NetFlow
Network
delivery, C2, exfiltration, lateral movement
Email
Network
AV/IPS/FW Performance Running process, services, process owner, registry

Malware detection OS logs mods, file system changes, patching level, network
Config Management File System connections by process/service
Endpoint
Directory Services Application

Asset Mgmt. Services Access level, privileged use/escalation, system
Access/Identity Authentication Logs VPN, SSO ownership, user/system/service business criticality
2 0 1 7 S P LU N K I NC .
Single Platform for Security Intelligence
INCIDENT REAL-TIME DETECT FRAUD INSIDER

SECURITY &
INVESTIGATIONS MONITORING OF UNKNOWN DETECTION THREAT
COMPLIANCE
& FORENSICS THREATS
REPORTING KNOWN THREATS
Enterprise Security Home
2 0 1 7 S P LU N K I NC .
Enterprise Security Home (cont.)
2 0 1 7 S P LU N K I NC .
Click Security Posture to view

the Security Posture dashboard,
which provides a real-time
overview of your organization's
security posture
Click Incident Review to see the

Incident Review dashboard,
enabling you to view and work
with current notable events
Enterprise Security Home (cont.)
2 0 1 7 S P LU N K I NC .
Click Documentation to
view the Splunk App for
Enterprise Security
documentation
Click Community to
connect with other Splunk
users on Splunk Answers
2 0 1 7 S P LU N K I NC .
lab time!
lets get ready to rumble!
Enterprise Security Hands-On: Whats your Birth Month?
- If you were born January through March: https://54.227.105.231

- If you were born April through June: https://54.88.149.63
- If you were born July through September: https://184.72.210.97
- If you were born October through December: https://54.90.243.77
Username: demo Password: atlanta2017

Briefly explore the Enterprise Securitys navigation menu
1. Click Security Posture to view the Security Posture dashboard, this

dashboard provides a near real-time overview view into elements of
an organization's security posture
2. Click Incident Review to view the Incident Review dashboard, this
dashboard provides a view into recent notable events that have
occurred
3. Click Documentation to view the Enterprise Security documentation
hosted on docs.splunk.com
4. Click Community to connect with other Splunk users on
answers.splunk.com
2 0 1 7 S P LU N K I NC .
Section 2:
Dashboard Overview
2 0 1 7 S P LU N K I NC .
Learning Objectives for this Section

1. Introduce the default ES dashboards
2. Describe common dashboard
features
3. Introduce Extreme Search
4. Introduce Key Indicators
Dashboard Overview
2 0 1 7 S P LU N K I NC .
Splunk Enterprise Security

provides a range of
dashboards that form a high-
level overview of all security
threats on your system
Default Dashboards
2 0 1 7 S P LU N K I NC .
Security Posture Audit

Incident Review Search
My Investigations Configure
Glass Tables
Security Intelligence
Security Domains
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
Common Dashboard Elements

Dashboard Filters
2 0 1 7 S P LU N K I NC .
Many dashboards have a filter bar to restrict the view on the current dashboard to
events that match the selected criteria
Dashboard Drilldowns
2 0 1 7 S P LU N K I NC .
The tables and charts that comprise an

ES dashboard presents a consolidated
view of the events
To see a detailed breakout of the
events, click a point or segment on any
chart, or a row in a table
Panel Editor
2 0 1 7 S P LU N K I NC .
Workflow Actions
2 0 1 7 S P LU N K I NC .
Enable interactions between

specified fields in your data
and other applications or
web resources
The Event Action and

Action menus contain the
relevant workflow actions, and
are available on any
dashboard that displays the
source events
Extreme Search
2 0 1 7 S P LU N K I NC .
An enhancement to the Splunk

Enterprise search language
(SPL)
As implemented in ES, you can
use the Extreme search
commands to:
Build dynamic
thresholds based upon
event data
Provide context
awareness by replacing
event counts with natural
language
Extreme Search | Example
2 0 1 7 S P LU N K I NC .
In the Malware Center dashboard, the Key Security Indicator Total Infections
displays the total number of systems with malware infections over the last 24 hours
Extreme Search
2 0 1 7 S P LU N K I NC .
The same indicator using Extreme search displays the relevant information, but
includes a depth that was not available with the prior Total Infections indicator
Key Indicators
2 0 1 7 S P LU N K I NC .
The Enterprise Security app contains a number of pre-defined key indicators,

Each is use case based:
a value indicator
a trend amount
a trend indicator
a threshold (to indicate the importance or priority of the value count)
Key indicators are populated by searches that represent an event count over time
2 0 1 7 S P LU N K I NC .
Section 3:
Security Posture &
Incident Review
2 0 1 7 S P LU N K I NC .
whats a notable event?

2 0 1 7 S P LU N K I NC .
Its a correlated alert.

Security Posture Dashboard
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
How Urgency of an Event is Assigned
2 0 1 7 S P LU N K I NC .
The severity of an event and the priority are combined to generate the urgency of an event.
The urgency allows events to be weighted according to the asset, thus causing events
against higher priority assets to be treated with higher urgency.
Incident Review Dashboard
2 0 1 7 S P LU N K I NC .
56
2 0 1 7 S P LU N K I NC .
lab time!
Start high. Get low. From Security Posture to Incident Review.
now its your turn.
add some additional KPIs to your
dashboard.
drilldown into critical urgency.
where does that take you?
explore some of the notable events in the
Incident Review dashboard.
take ownership of an alert.
now investigate.
whats your next step?
Pivot through some of the links.
Full disclosure: Some of the external links arent configured.
2 0 1 7 S P LU N K I NC .
Section 4:
Asset investigator, identity
investigator, adaptive response
Event Investigator Dashboards
2 0 1 7 S P LU N K I NC .
Visually aggregates security-related events by categories over time

using swim lanes
Each swim lane represents an event category, such as authentication,

malware, or notable events
An analyst can visually link activity across the event categories, and
form a complete view of a host or a users interactions in the
environment
2 0 1 7 S P LU N K I NC .
Asset Investigator
Asset Investigator
2 0 1 7 S P LU N K I NC .
Also available for ad-hoc searching by browsing to Event Investigator > Asset Investigator in the
main menu: An analyst uses the dashboard to triage an asset's interactions with the environment
2 0 1 7 S P LU N K I NC .
Using the Asset Investigator Dashboard
Contains multiple event categories bound to swim lanes

Multiple
Multiple swim
swim Each event category represents a data model with relevant
lanes
lanes are
are events
displayed
displayed For example, the Malware Attacks swim lane displays events
simultaneously from an anti-virus management or other malware data source
simultaneously scoped to the asset searched
to
to assist
assist the
the
analyst
analyst in
in tracking
tracking
the
the actions ofof an
an
asset
asset across
across
event
event categories
categories
2 0 1 7 S P LU N K I NC .
lab time!
lets do this together
make sure 10.11.36.20 is in your search bar.
change timeline to Last 7 days.
click one of the blue bars.
If this were an actual breach,
what shape would this be in?
2 0 1 7 S P LU N K I NC .
Identity Investigator
2 0 1 7 S P LU N K I NC .
Identity Investigator
Displays information about known or unknown user identities across a pre-defined set of
event categories, such as change analysis and malware
Initiated through a workflow action from any dashboard that displays events with network
source or destination address
Available for ad-hoc searching by browsing to Security Intelligence > User Intelligence in the
Enterprise Security app, typing in the user credential in the search bar with an optional wildcard,
setting a time range, and choosing Search
2 0 1 7 S P LU N K I NC .
lab time!
lets do this together!
Navigate to: Security Intelligence >
User Intelligence > Identity Investigator
search for user Hax0r
(yes. Im serious.)
lets switch back to the Incident Review tab.
2 0 1 7 S P LU N K I NC .
adaptive response
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
lab time!
(that was quick.)
Adaptive Response
Adaptive Response
2 0 1 7 S P LU N K I NC .
Adaptive Response
2 0 1 7 S P LU N K I NC .
Adaptive Response
2 0 1 7 S P LU N K I NC .
your turn. peruse the response actions.
see what comes out of the box.
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
Section 5:
Security Domains
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
Learning Objectives for This Section

Introduce the Access Domain dashboards
Introduce the Endpoint Domain dashboards
Introduce the Network Domain dashboards
Introduce the Identity Domain dashboards
2 0 1 7 S P LU N K I NC .
Access Domain
2 0 1 7 S P LU N K I NC .
Endpoint Domain
2 0 1 7 S P LU N K I NC .
Network Domain
2 0 1 7 S P LU N K I NC .
Identity Domain
2 0 1 7 S P LU N K I NC .
lab time!
Security Domains
youre trying to track down lateral movement.
what dashboards would help identify it?
what would cause a time skew on hosts?
why is that important?
2 0 1 7 S P LU N K I NC .
Section 6:
Security Intelligence
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
Risk Analysis
2 0 1 7 S P LU N K I NC .
companies are changing to a risk based strategy

Risk Analysis Dashboard
2 0 1 7 S P LU N K I NC .
Displays the recent

changes to risk scores
and the objects that
have the highest risk
score
You can review this
dashboard to assess
the relative change in
risk scores and
examine the events
that contributed to an
object's risk score
Risk Analysis Dashboard
2 0 1 7 S P LU N K I NC .
Use the Risk Analysis Dashboard
2 0 1 7 S P LU N K I NC .
Use to review changes to an object's risk score, determine the source of the
risk increase, and decide if additional action is warranted
2 0 1 7 S P LU N K I NC .
lab time!
is it getting risky in here?
what users are the highest risk in an organization?
2 0 1 7 S P LU N K I NC .
Protocol Intelligence
2 0 1 7 S P LU N K I NC .
Protocol Center
2 0 1 7 S P LU N K I NC .
lab time!
Whats the protocol?
2 0 1 7 S P LU N K I NC .
DNS Activity
2 0 1 7 S P LU N K I NC .
DNS Search
2 0 1 7 S P LU N K I NC .
SSL Activity
2 0 1 7 S P LU N K I NC .
Email Activity
2 0 1 7 S P LU N K I NC .
Email Search
2 0 1 7 S P LU N K I NC .
Threat Intelligence
2 0 1 7 S P LU N K I NC .
Threat Activity Dashboard

Threat Intelligence | Threat Activity Dashboard
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
Threat Artifacts Dashboard

2 0 1 7 S P LU N K I NC .
lab time!
are you threatening me?
2 0 1 7 S P LU N K I NC .
User Intelligence
2 0 1 7 S P LU N K I NC .
Access Anomalies
2 0 1 7 S P LU N K I NC .
User Activity
2 0 1 7 S P LU N K I NC .
Web Intelligence
2 0 1 7 S P LU N K I NC .
HTTP User Agent Analysis

HTTP User Agent Analysis Dashboard
2 0 1 7 S P LU N K I NC .
Use to investigate long user agent

strings in your proxy data and
determine if there is a possible
threat to your environment
A bad user agent string,
where the browser name
misspelled (ex. Mozila) or
the version number is
completely wrong (ex.
v666), can indicate an
attacker or threat
2 0 1 7 S P LU N K I NC .
*note: SANS has a fantastic User Agent Analysis

paper you should check out.
https://www.sans.org/reading-room/whitepapers/malicious/user-agent-field-analyzing-detecting-abnormal-malicious-organization-33874
2 0 1 7 S P LU N K I NC .
Traffic Size Analysis

2 0 1 7 S P LU N K I NC .
URL Length Analysis

URL Length Analysis Dashboard
2 0 1 7 S P LU N K I NC .
Looks at any proxy or

HTTP data that includes
URL string information
Any traffic data
containing URL
string or path
information --
firewall, router,
switch, or network
flows -- can be
summarized and
viewed in this
dashboard
what legitimate sites might have an
extremely long URL?
2 0 1 7 S P LU N K I NC .
HTTP Category Analysis

HTTP Category Analysis Dashboard
2 0 1 7 S P LU N K I NC .
Looks at categories of traffic data

Any traffic data -- firewall,
router, switch, or network flows --
can be summarized and viewed
in this dashboard
For info on Websense:

http://www.websense.com/con
tent/support/library/web/v7
6/siem/siem.pdf
2 0 1 7 S P LU N K I NC .
New Domain Analysis

2 0 1 7 S P LU N K I NC .
lab time!
well thats new
Under New Domain Analysis, find a
list of machines that went to that
URL, and the activity taken.
2 0 1 7 S P LU N K I NC .
lab time!
security intelligence
the average breach lasts (roughly) 240 days.
where would you look to identify a breach
happening on day one?
2 0 1 7 S P LU N K I NC .
Section 7:
Investigative Journal
2 0 1 7 S P LU N K I NC .
2 0 1 7 S P LU N K I NC .
lab time!
security intelligence
its your turn!
- create an investigation.
- add some notable events.
- add some notes to describe the activity.
2 0 1 7 S P LU N K I NC .
Section 8:
Wrap-Up
2 0 1 7 S P LU N K I NC .
Splunk Quick Starts for Security Investigation
Infrastructure Quick Start Apps / Add-Ons Endpoint Quick Start Apps / Add-Ons
2 0 1 7 S P LU N K I NC .
continuing education
Splunk Tutorial (The Free eLearning Module):
Search Tutorial Manual:
Splunkbook.com
Splunk Education Videos:
2 0 1 7 S P LU N K I NC .
to action
2 0 1 7 S P LU N K I NC .
.conf2017
The 8th Annual Splunk Conference
SEPT 25-28, 2017

Walter E. Washington Convention Center
Washington, D.C.
SAVE OVER $450

You will receive an email after registration
opens with a link to save over $450 on the
full conference rate.
Youll have 30 days to take advantage of this
special promotional rate!
conf.splunk.com
Thank you for your time!
We do appreciate it.
2 0 1 7 S P LU N K I NC .
Section 9:
Appendix
2 0 1 7 S P LU N K I NC .
Manual Notable Event

Creation
Manual Notable Event Creation
2 0 1 7 S P LU N K I NC .
A new notable event can be created from an event you are viewing in the Access Search,
Malware Search, Traffic Search, Intrusion Search, Proxy Search, or Search dashboards
Create a new notable event from an existing event shown as part of a search result or by using New
Notable Event in the Configure panel
A non-administrator role, such as an ES analyst, needs to have an administrator grant additional

permissions to the role, in order to manually create and edit a new notable event
Note: Do not create a new notable event from an existing notable event
For instance, do not create a new notable event from an event shown on the Incident
Review dashboard
Create a Notable Event from Existing Event
2 0 1 7 S P LU N K I NC .
To create a new notable event

from an event in the Malware
Search dashboard:
1. Finalize the search in the
Malware Search
dashboard
2. Select "Create notable
event" from the Options
menu for the event
A notable event is
created using parameters of the
selected event
2 0 1 7 S P LU N K I NC .
Notable Event Suppression

Notable Event Suppressions
2 0 1 7 S P LU N K I NC .
A search filter that hides any notable events matching the search conditions
The suppression filter is created to stop an excessive or unwanted number of notable
events from being displayed on the Incident Review dashboard
Example | you may want to prevent certain types of notable events from appearing on
the Incident Review dashboard or contributing to defined alert thresholds
Suppression is applied to events that are already in the notable index

A suppression filter hides notable events so they will not be seen
Throttling is applied to events before they are added to the notable index preventing
them from being created
Create a Suppression From Incident Review
2 0 1 7 S P LU N K I NC .
1. Find the notable event that you want to suppress in the Incident Review dashboard
2. From the Actions select: Suppress events to/from... which opens the New Notable
Event Suppression page
3. Review the contents of the fields
4. An Expiration Time field is available to define a time limit for the suppression filter and save
the changes
5. After the time limit is met, the suppression filter is disabled
6. To review the suppression filter, browse to Configure > Incident Management > Notable
Event Suppressions
Review Notable Event Suppressions
2 0 1 7 S P LU N K I NC .
To review the suppression filter, browse to Configure > Incident Management > Notable Event Suppressions
Create a Suppression from Configure
2 0 1 7 S P LU N K I NC .
1. Browse to Configure > Incident Management > Notable Event Suppressions

2. Click on New to create a new notable event suppression
3. Set the Name and Description used for the suppression filter
4. Populate the Search field with the search that finds the events to suppress
5. Set the Expiration Time (defines a time limit for the suppression filter)
6. If the time limit is met, the suppression filter is disabled
2 0 1 7 S P LU N K I NC .
Edit Notable Event Suppressions

2. Selecting a notable event suppression opens the Edit Notable Event Suppression page
3. Edit the Description and Search fields used for the suppression filter
2 0 1 7 S P LU N K I NC .
Disable Notable Event Suppressions

2. Select Disable in the Status column for the notable event suppression
Remove a Notable Event Suppression
2 0 1 7 S P LU N K I NC .
1. Browse to Settings > Event types

2. Search for the the suppression event: notable_suppression-<suppression_name>
3. Select delete in the Actions column for the notable event suppression
Suppression Activity Audit
2 0 1 7 S P LU N K I NC .
Enterprise Security tracks all suppression activity for auditing on the Suppression Audit dashboard
2 0 1 7 S P LU N K I NC .
Predictive Analytics
2 0 1 7 S P LU N K I NC .
Learning Objectives for This Section

- Introduce predictive analysis functionality
- How to create query
- How to turn query into correlated search
2 0 1 7 S P LU N K I NC .
Predictive Analytics Dashboard
Used to search for different varieties of

anomalous events in your data
Leverages the predictive analysis
functionality in Splunk to provide statistical
information about the results, and identify
outliers in your data
Filters are implemented in a series from
left to right
Example: Object filter is populated based
on the Data Model selection
Predictive Analytics Dashboard
2 0 1 7 S P LU N K I NC .
To analyze data, choose a data model, an object, a function, an attribute, and a time range and click Search
Dashboard Filters
2 0 1 7 S P LU N K I NC .
Filter by Description Action
Data Model Specifies the data model for the search. Available data models are shown Drop-down: select to filter by
in the drop-down list.
Object Specifies the object within the data model for the search. There must be a Drop-down: select to filter in
Data Model selection to apply an Object.
Function Specifies the function within the object for the search. Functions specify Drop-down: select to filter in
the type of analysis to perform on the search results. For example, choose
"avg" to analyze the average of search results. Choose "dc" to create a
distinct count of the results.
Attribute Specifies the constraint attributes within the object for the search. Drop-down: select to filter in
Attributes are constraints on the search results. For example, choose
"src" to look at results from sources. There must be a Object selection to
apply an Attribute.
Time Range Select the time range to represent. Drop-down: select to filter by
Use the available
Advanced dashboard
Access to filtersoptions.
the advanced predict to refine the results displayed Link:
on the dashboard
A window of optional panels
predict settings
Dashboard Panels
2 0 1 7 S P LU N K I NC .
Panel Description
Prediction Over Time The Prediction Over Time panel shows a predictive
analysis of the results over time, based on the time
range you chose. The shaded area shows results that
fall within two standard deviations of the mean value of
the total search results.
Outliers The Outliers panel shows those results that fall outside
of two standard deviations of the search results.
For more info on data models, associated objects, functions, and attributes visit the following link:
docs.splunk.com/Documentation/CIM/latest/User/Overview
2 0 1 7 S P LU N K I NC .
Correlation Search Builder

2 0 1 7 S P LU N K I NC .
The flow.
2 0 1 7 S P LU N K I NC .
1. Search for authentication source events from an application

2. Count the number of failures by user
3. If the count of authentication failures is >6 for a selected
time period, then execute an Adaptive Response action
2 0 1 7 S P LU N K I NC .
What data sources will answer the question?

2 0 1 7 S P LU N K I NC .
1. In this case, we are focused on authentication data, so the

Authentication data model will expose the underlying data
relevant to our analytic
2. Note that although a deep dive on data models in Splunk is
outside the scope of this workshop, it is beneficial to
understand what Splunk data models are and how they relate
to Splunk Enterprise Security
3. More information on data models in Splunk is available at
the link below:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutdatamodels
2 0 1 7 S P LU N K I NC .
so lets make one.

2 0 1 7 S P LU N K I NC .
Create a Correlation Search
1. To access this functionality, you will

need to have additional capabilities
added to your role by the Splunk
Administrator
2. From this dashboard, create a
correlation search based on the
search parameters for your current
predictive analytics search
This correlation search will create
an alert when the correlation
search returns an event
3. Click Save as Correlation Search...
to open the Create Correlation Search
dialog
2 0 1 7 S P LU N K I NC .
Create a Correlation Search (continued)
4. Select the Security domain and

Severity for the notable event created
by this search
5. Add a search name and search

description then click Save
6. To view and edit correlation searches,

go to Configure > General >
Custom Searches
Notify an Analyst
2 0 1 7 S P LU N K I NC .
A correlation search is available to notify an analyst if a notable event has not been triaged
1. Under General > Custom Searches, search for the Untriaged Notable Events
correlation search
2. Modify the search, changing the notable event owner or status fields as desired
3. Set the desired alert action
4. Save the changes
5. Enable the Untriaged Notable Events correlation search
2 0 1 7 S P LU N K I NC .
lab time!
correlation rule creation!
Add Filter Screenshot
2 0 1 7 S P LU N K I NC .
Risk Scoring
Example Scenario
Risk Scoring | Example Scenario
2 0 1 7 S P LU N K I NC .
In aggregate, this behavior seems

less interesting then if the same
behavior occurred on the
production DNS server
It's tempting to ignore or suppress

notable events coming from any
host that's a known jump server due
to the relative noise created
You need to know the host is being

monitored, but would prefer it was
measured under a different set of
rules
Risk Scoring | Example Scenario
2 0 1 7 S P LU N K I NC .
The host RLOG-10 is a jump server

that is generating several notable
events:
The correlation searches
Excessive Failed Logins, and
Default Account Activity
Detected are creating one notable
event a day for that system
As RLOG-10 is a jump server,

there are many network
credentials being used against this
host, and software or other utilities
may have been installed
Risk Scoring | Example Solution
2 0 1 7 S P LU N K I NC .
One solution is a new correlation

search that assigns a risk modifier
when the correlation matches on
hosts that serve as jump servers:
1. Use a whitelist to isolate the
jump servers from the
existing correlation searches
2. Create and schedule a new
correlation search based on
Excessive Failed Logins,
but isolate the search to the
jump server hosts and assign
a risk modifier alert type
only
Risk Scoring | Example Solution (cont.)
2 0 1 7 S P LU N K I NC .
3. Verify the risk modifiers are

applied to the jump server
hosts, raising their risk
score incrementally
With the new correlation
search, no notable
events will be created
for those hosts based
upon failed logins
Risk Scoring | Example Solution Summary
2 0 1 7 S P LU N K I NC .
As the relative risk score goes up, RLOG-10 can be compared to all network servers
and to other jump servers:
If the relative risk score for RLOG-10 exceeds its peers, that host would be
investigated by an analyst
If the risk scores of all jump servers are higher relative to other network hosts, an
internal security policy may need to be reviewed or implemented differently
For a deeper dive:

http://blogs.splunk.com/2014/08/12/risk-analysis-with-enterprise-security-3-1/
Additional Content:
2 0 1 7 S P LU N K I NC .
- Splunk Tutorial (The Free eLearning Module):

- Search Tutorial Manual:
- Splunkbook.com
- Splunk Education Videos:

Splunkworkshop Analyticssiem

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Splunkworkshop Analyticssiem

Caricato da

Copyright:

Formati disponibili

2 0 1 6 S P LU N K I N C . CO N F I D E N T I A L .

Splunk Enterprise Security:

Section 1: bad news/ good news Section 5: Security Domains

the anatomy of a breach

Gain access Create additional Conduct

Network Proxy log

What created the How was

.pdf Calc.exe Svchost.exe

one minute and forty

one in ten users open

three minutes and forty

it only takes one user

two-thirds of all breaches

new vulnerabilities come out every day

1/3rd of breaches are

only 4% of alerts are investigated.

prevention starts with the SOC

now, the good news

3 equal parts make a mature security program

lets do some maths!

the average analyst handles between

assuming 25 cases per day.

assuming 25 cases per day.

assuming 25 cases per day.

assuming 25 cases per day.

what if we could cut that in half?

you get 10 days back.

what could you do with an additional 10 days per month?

up your security training?

work on automating basic alerting?

up your security training?

work on automating basic alerting?

up your security training?

concentrate on accuracy over speed?

work on automating basic alerting?

concentrate on accuracy over speed?

more family time?

work on automating basic alerting?

concentrate on accuracy over speed?

start a fight club?

work on automating basic alerting?

concentrate on accuracy over speed?

the possibilities are endless.

theres the old way.

then theres the right way.

find out wtf is actually going on.

lets work smarter, not harder

and Ill show you how.

Firewall Authentication Vulnerability

Intrusion Data Loss Anti-

Intrusion Data Loss Anti- Physical Transaction

Out of the box content in all its glory

Report is available for redistribution:

*The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester

Network Endpoint Threat Intelligence Access/Identity

Firewall, IDS, IPS Web Proxy

AV/IPS/FW Performance Running process, services, process owner, registry

Directory Services Application

Single Platform for Security Intelligence

INCIDENT REAL-TIME DETECT FRAUD INSIDER

Click Security Posture to view

Click Incident Review to see the

- If you were born January through March: https://54.227.105.231