This document contains an agenda and overview for a presentation on using Splunk for operational security intelligence. The presentation discusses using lookup files to enhance security posture with threat intelligence, the common information model for ingesting and normalizing security data from various sources, investigating specific Windows event IDs to tackle advanced attacks, and highlighting popular security-related apps from Splunkbase. The document also contains disclaimers about forward-looking statements and a roadmap being subject to change.
3. Agenda
• An overview of the Splunk security universe
• Using lookup files to enhance your security posture - A.K.A. threat intelligence
• The Common Information Model
• 6 Windows event IDs to tackle advanced attacks
• "Best of" security-related Splunkbase apps
5. New approach to security operations is needed
THREAT - Attack Approach:
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
Security Approach:
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel
[Figure: People, Process, Technology]
37. Tstats and/or pivot - use them!
• Pivot is an excellent interface to explore a dataset you don't know yet, or for a business user
• Tstats can search distributed .tsidx files (accelerated DMs)
• Use the search term FROM datamodel=<datamodelname>
• For example: | tstats avg(foo) FROM datamodel=buttercup_games WHERE bar=valuex
• You should expect dramatically faster search results using this method
49. • Building block for URL manipulation
• Correctly parse URLs and complicated TLDs
• Explore entropy of data
• Also great for DNS investigation
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
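The entropy scoring the slide describes, reimplemented here as an added Python example (not code from the deck or from any Splunk app): it computes per-character Shannon entropy over a hostname and flags values above a triage threshold. The 3.5 threshold and the third hostname are constructed assumptions; aaaaa.com and google.com come out at 1.88 and 2.65, which the slide shows truncated to 1.8 and 2.6.

```python
import math
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character over every character of `text`.

    Dots and hyphens are counted like any other character, which is what
    reproduces the slide's scores for aaaaa.com (1.88) and google.com (2.65).
    """
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Constructed sample of hostnames as they might appear in DNS query logs.
# The first two are the slide's examples; the third is a made-up DGA-style name.
SAMPLE_HOSTNAMES = [
    "aaaaa.com",            # very low entropy
    "google.com",           # rather low entropy
    "x7k2q9zp4mf0bw3.net",  # constructed: every character distinct, high entropy
]


def score_hostnames(hostnames, threshold=3.5):
    """Return (hostname, entropy, flagged) tuples for DNS triage.

    `threshold` is an assumed starting point; tune it against your own DNS
    baseline, since legitimate CDN and cloud hostnames can also score high.
    """
    results = []
    for host in hostnames:
        score = round(shannon_entropy(host), 2)
        results.append((host, score, score >= threshold))
    return results


if __name__ == "__main__":
    for host, score, flagged in score_hostnames(SAMPLE_HOSTNAMES):
        print(f"{host:<22} entropy={score:.2f} flagged={flagged}")
```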