SlideShare una empresa de Scribd logo

SplunkLive! Washington DC May 2013 - Splunk Security Workshop

Splunk
Splunk
Tecnología
1 de 43
Splunk Security Workshop
Search and Discover the Bad Guys in <= 60 Minutes
Purpose ● Apply analytics to your data via Splunk ● Demonstrate simplicity of doing this ● Lower the barrier to entry to explore your data
Doesn't my new hotness do that? ● Yes, no, um, well, kinda ● Sec COTS software reports on what PM wanted ● Signature-based is helpful but misses a lot ● Anomaly can work, but … ● Amazing products exists, but don't do everything ● Maybe you don't have a new hotness ● “Your network” = “Your responsibility”
Who Am I? ● Sean Wilkerson, Partner/Consultant, Aplura
Who Am I? ● Sean Wilkerson, Partner/Consultant, Aplura ● ~15 Years of Network --> Systems --> InfoSec ● A Decade+ of Federal Log-Management ● Half Spent Deploy/Manage FOSS/SIM/SIEM ● Half Spent Deploy/Manage FOSS/Splunk ● SANS Log Mgmt Summits ● Splunk Pro Serv Partner Since 2008 ● Splunk makes me happy
Who Are You? ● You Know Splunk is Right for You ● You Know Key Splunk Concepts ● You Don't Have or Don't Want to Rely on Infosec COTS software ● You Are Analysts!! <--- Really important
Splunk 001 ● Complex and fast search for machine data ● Concept of “fields” (key=value) ● Thousands of built-in analytic combos (Learn 5-10 and you can do almost anything)
Splunk 101 ● Search (boolean) ● Fields (key=value with CIDR) ● Piped “|” expressions/functions ● Lookups ● The “pivot”
Quick Disclaimer ● Data exploration could take until ... ● This pres includes many analytic elements ● Not demoed data ● Data is not seeded with gems ● sample_data came from Fed site this week ● Eventgen.py is recirculating sample_data ● Let's explore it together
Content Available Now! Slides: aplura.com/splunklivedc BestPractice Doc: aplura.com/splunkbp ● Also: ● SplunkLiveDC 2012: aplura.com/splunklivedc2012 ● Look Before you SIM: aplura.com/lookbeforeyousim
General Analysis
What Time do you Have? ● Concept: Time is bad everywhere and this causes havoc during investigations. Do periodic time audits (it takes minutes with Splunk). As an analyst, you can validate your time BEFORE it is too late (during an investigation). ➢ * | eval timeDiff=_indextime-_time | timechart avg(timeDiff) by sourcetype ➢ sourcetype=firewalls | eval timeDiff=_indextime-_time | timechart avg(timeDiff) by host
Off-time Activity ● Concept: Off-time activity can indicate a suspicious system. Splunk events include special built-in fields that are “time” aware ➢ (NOT (date_wday="Sat" OR date_wday="Sun") AND (date_hour>=20 OR date_hour<7)) OR date_wday="Sat" OR date_wday="Sun" Or if you need to “create” those built-in fields ➢ * | eval date_wday=strftime(_time,"%a") | eval date_hour=strftime(_time, "%H") | search (NOT (date_wday="Sat" OR date_wday="Sun") AND (date_hour>=20 OR date_hour<7)) OR date_wday="Sat" OR date_wday="Sun"
Activity by IP Range ● Concept: Groups of systems often have different patterns. So, analyze them by their group. ➢ dest_ip=111.109.0.0/16 | top action ➢ sourcetype=checkpoint dest_ip=111.109.0.0/16 action=allowed ➢ eventtype=network* | top action by eventtype
Field Length Analysis ● Concept: Splunk makes analyzing the length of fields really easy. This is valuable to find malicious activity and mis-configurations ➢ | eval Length=len(_raw) | where Length>2000 ➢ len(http_referer) or len(domain) or len(uri) ...
Field/Data Manipulation ● Concept: During analysis, you often need new fields, or need to mangle a piece of data to help with analysis. ➢ tag=firewall | eval Firewall_Host=orig | top Firewall_Host ➢ tag=firewall | rex "orig=(?<Firewall_Host>d+.d+.d+.d+)|" ➢ tag=firewall | rex ";policy_name=(?<policy_name>[^]]+)]" Use mode=sed to change fields like action or _raw ➢ tag=firewall | rex field=action mode=sed "s/reject/blocked/" | top action
Date in Search ● Concept: Don't you hate having to take your hands off the keyboard to use your mouse to manipulate the Timepicker? Me too. ➢ earliest=-3h+22m latest=@h-10m ➢ earliest=-3d@d latest=-2d@d-1s
Firewall Analysis
Allows by Previous Drops ● Concept: A FW drop violates policy. Now, let's inspect “Accepts” from those “source IPs” ➢ NOT eventtype=network:all_src tag=firewall NOT action=allowed | dedup src_ip | table src_ip ➢ NOT eventtype=network:all_src tag=firewall action=allowed [search NOT eventtype=network:all_src tag=firewall NOT action=allowed | dedup src_ip | table src_ip] | top src_ip by dest_ip
Bytes Transfer Analysis ● Concept: Whether you are looking for malware payload or data exfiltration, bytes-transferred from your firewall/webpoxy/flow is GOOD! ➢ tag=flow | stats avg(bytes_out) by src_ip,dest_port Combine with off-time and IP range for exciting results
Port Scanning Analysis ● Concept: Not all attacks are slow and low. Use Splunk to sniff-out port scanners and add it to your watchlist for later. Port scanners ➢ tag=firewall NOT eventtype=network:all_src | stats dc(dest_port) as Port_Count by src_ip | where Port_Count>50 Host sweepers ➢ tag=firewall NOT eventtype=network:all_src | stats dc(dest_ip) as IP_Count by src_ip | where IP_Count>50
Webproxy Analysis
Browsed to IP ● Concept:Bare-ip browsing isn't illegal, but it shouldn't give you warm and fuzzies. Not always bad, but combined with other indicators bare ips are suspicious. ➢ tag=proxy | regex uri_domain="http://d+.d+.d+.d+" | rare uri_domain
Query Watchlist ● Concept: Use getwatchlist to pull any http(s)/ftp accessible delimited file into Splunk ● Tool: Getwatchlist ➢ | getwatchlist malwaredomains | outputlookup domain_watchlist.csv ➢ tag=proxy [ | inputlookup watchlist | table domain]
Web Activity Timing ● Concept:Compare web activity by time and ... ● Tool: Geoip ➢ tag=proxy | lookup geoip clientip ➢ tag=proxy | transaction clientip maxspan=60s maxpause=40s | lookup geoip clientip | stats dc(client_country) as Count by clientip | where Count>2
URI/URL/File/Ext Analysis ● Concept: Evaluate web activity by URI, URL, File, and extension. ➢ tag=proxy | stats dc(fileextension) as Count by clientip | sort -Count ➢ tag=proxy http_referer="-" http_user_agent="-" | stats dc(file) as Count by clientip | sort -Count
Http User Agent Analysis ● Concept: UA strings are incredibly valuable and can be used in a variety of ways. ● Tool: uas_parser ➢ tag=proxy | lookup uas_lookup http_user_agent | search ua_type="unknown" | stats count by http_user_agent ➢ tag=proxy | lookup uas_lookup http_user_agent | top ua_family ➢ ua_type, ua_company
Long URI no Referrer ^M ● Concept: Deep analysis of URI's with no referrer ➢ tag=proxy http_referer="-" method="GET" | strcat uri_path uri_query uri | replace *- with * in uri | eval uri_length = len(uri) | stats count by src_ip dest_ip dest_host http_referrer uri_length uri | sort ‐uri_length
URL Length ^M ● Concept: URL/URI length can be indicative of malicious activity. ➢ tag=proxy | eval "URL Length"=len(uri) | eventstats avg(URL Length) AS "Average URL Length" stdev("URL Length") AS "Stdev URL Length" | eval Notable=tonumber('Average URL Length')+2 * tonumber('Stdev URL Length') | where 'URL Length'> Notable | table "domain" Category "URL Length" Notable "Average URL Length" "Stdev URL Length" | sort -‐"URL Length"
DNS Analysis
DNS + Webproxy ● Concept: DNS has significance since it is frequently ignored and a popular C&C vector for bad folks. Correlate DNS and Webproxy? ➢ tag=proxy OR tag=dns [ | inputlookup watchlist | table domain]
More Ideas ● Compare entropy ● Webproxy: Repeated errors (e.g. 404s and 500) ● Webproxy: SQL Injection discovery ● Webproxy: Unique file/uri ● Auth: Failures to “admin” accounts ● DNS: Deeply nested hosts (lots of dots) ● DNS: TXT queries ● DNS: Failed lookups ● DNS: Systems doing a lot of lookups (or failed lookups) ● DNS: End points making strange queries (successive SOA) ● DNS: Odd TLDs ● DNS: Spikes in lookups ● DNS: Reverse lookups ● DNS: Short TTLs ● DNS: Responses with non-routable IPs
Wrap Up ● “Lower the cost of exploration” - ^M ● Easily implement/test/evaluate ● Applies common analytic logic ● Easily pivot to validate or adjust strategy
Additional Resources ● docs.splunk.com - Manuals ● splunk-base.splunk.com - User forums ● Cheatsheet - duh! ● #CONF - User Conference
Thanks! ^M = Monzy Merza Aplura's (Dave Shpritz and Dan Deighton) Splunk Enterprise Security Splunk Fed SEs (Mike Wilson, Scott Spencer)
Content Available Now! Slides: aplura.com/splunklivedc BestPractice Doc: aplura.com/splunkbp ● Also: ● SplunkLiveDC 2012: aplura.com/splunklivedc2012 ● Look Before you SIM: aplura.com/lookbeforeyousim
SplunkLive! Washington DC May 2013 - Splunk Security Workshop

Recomendados

SplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language BeginnerSplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language BeginnerSplunk
 
SplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunk
 
SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2Splunk
 
Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...
Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...
Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...Splunk
 
SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunk
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunk
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Splunk
 
Real-Time Status Commands
Real-Time Status CommandsReal-Time Status Commands
Real-Time Status CommandsSplunk
 

Recomendados

SplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language BeginnerSplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language BeginnerSplunk
 
SplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunk
 
SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2Splunk
 
Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...
Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...
Splunk conf2014 - Lesser Known Commands in Splunk Search Processing Language ...Splunk
 
SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunk
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunk
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Splunk
 
Real-Time Status Commands
Real-Time Status CommandsReal-Time Status Commands
Real-Time Status CommandsSplunk
 
SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101Splunk
 
Splunk Search Optimization
Splunk Search OptimizationSplunk Search Optimization
Splunk Search OptimizationSplunk
 
Splunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk
 
Splunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout SessionSplunk
 
Splunk live! ninjas_break-out
Splunk live! ninjas_break-outSplunk live! ninjas_break-out
Splunk live! ninjas_break-outSplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
Splunk and map_reduce
Splunk and map_reduceSplunk and map_reduce
Splunk and map_reduceGreg Hanchin
 
SplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunk
 
Hunk - Unlocking The Power of Big Data Breakout Session
Hunk - Unlocking The Power of Big Data Breakout SessionHunk - Unlocking The Power of Big Data Breakout Session
Hunk - Unlocking The Power of Big Data Breakout SessionSplunk
 
Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Splunk
 
How Rackspace Cloud Monitoring uses Cassandra
How Rackspace Cloud Monitoring uses CassandraHow Rackspace Cloud Monitoring uses Cassandra
How Rackspace Cloud Monitoring uses Cassandragdusbabek
 
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...tboubez
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionMichael Boman
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoSplunk
 
SplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunk
 
December 2013 HUG: Hunk - Splunk over Hadoop
December 2013 HUG: Hunk - Splunk over HadoopDecember 2013 HUG: Hunk - Splunk over Hadoop
December 2013 HUG: Hunk - Splunk over HadoopYahoo Developer Network
 
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDBSplunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDBMongoDB
 
Splunk Different
Splunk DifferentSplunk Different
Splunk DifferentSplunk
 
Splunk Ninja: New Features, Pivot and Search Dojo
Splunk Ninja: New Features, Pivot and Search Dojo Splunk Ninja: New Features, Pivot and Search Dojo
Splunk Ninja: New Features, Pivot and Search DojoSplunk
 

Más contenido relacionado

La actualidad más candente

SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101Splunk
 
Splunk Search Optimization
Splunk Search OptimizationSplunk Search Optimization
Splunk Search OptimizationSplunk
 
Splunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk
 
Splunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout SessionSplunk
 
Splunk live! ninjas_break-out
Splunk live! ninjas_break-outSplunk live! ninjas_break-out
Splunk live! ninjas_break-outSplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
Splunk and map_reduce
Splunk and map_reduceSplunk and map_reduce
Splunk and map_reduceGreg Hanchin
 
SplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunk
 
Hunk - Unlocking The Power of Big Data Breakout Session
Hunk - Unlocking The Power of Big Data Breakout SessionHunk - Unlocking The Power of Big Data Breakout Session
Hunk - Unlocking The Power of Big Data Breakout SessionSplunk
 
Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Splunk
 
How Rackspace Cloud Monitoring uses Cassandra
How Rackspace Cloud Monitoring uses CassandraHow Rackspace Cloud Monitoring uses Cassandra
How Rackspace Cloud Monitoring uses Cassandragdusbabek
 
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...tboubez
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionMichael Boman
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoSplunk
 
SplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunk
 
December 2013 HUG: Hunk - Splunk over Hadoop
December 2013 HUG: Hunk - Splunk over HadoopDecember 2013 HUG: Hunk - Splunk over Hadoop
December 2013 HUG: Hunk - Splunk over HadoopYahoo Developer Network
 
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDBSplunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDBMongoDB
 

La actualidad más candente (20)

SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101
 
Splunk Search Optimization
Splunk Search OptimizationSplunk Search Optimization
Splunk Search Optimization
 
Splunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk Ninjas Breakout Session
Splunk Ninjas Breakout Session
 
Splunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojo
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout Session
 
Splunk live! ninjas_break-out
Splunk live! ninjas_break-outSplunk live! ninjas_break-out
Splunk live! ninjas_break-out
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with Splunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search Dojo
 
Splunk and map_reduce
Splunk and map_reduceSplunk and map_reduce
Splunk and map_reduce
 
SplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with Splunk
 
Hunk - Unlocking The Power of Big Data Breakout Session
Hunk - Unlocking The Power of Big Data Breakout SessionHunk - Unlocking The Power of Big Data Breakout Session
Hunk - Unlocking The Power of Big Data Breakout Session
 
Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!
 
How Rackspace Cloud Monitoring uses Cassandra
How Rackspace Cloud Monitoring uses CassandraHow Rackspace Cloud Monitoring uses Cassandra
How Rackspace Cloud Monitoring uses Cassandra
 
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And Attribution
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - Demo
 
SplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's Pizza
 
December 2013 HUG: Hunk - Splunk over Hadoop
December 2013 HUG: Hunk - Splunk over HadoopDecember 2013 HUG: Hunk - Splunk over Hadoop
December 2013 HUG: Hunk - Splunk over Hadoop
 
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDBSplunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
Splunk's Hunk: A Powerful Way to Visualize Your Data Stored in MongoDB
 

Destacado

Splunk Different
Splunk DifferentSplunk Different
Splunk DifferentSplunk
 
Splunk Ninja: New Features, Pivot and Search Dojo
Splunk Ninja: New Features, Pivot and Search Dojo Splunk Ninja: New Features, Pivot and Search Dojo
Splunk Ninja: New Features, Pivot and Search DojoSplunk
 
Splunk Enterprise for IT Troubleshooting Hands-On
Splunk Enterprise for IT Troubleshooting Hands-OnSplunk Enterprise for IT Troubleshooting Hands-On
Splunk Enterprise for IT Troubleshooting Hands-OnSplunk
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk
 
SplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunk
 
Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk
 
Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior AnalyticsSplunk
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALRisi Avila
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101Splunk
 
Splunk sales presentation
Splunk sales presentationSplunk sales presentation
Splunk sales presentationjpelletier123
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaEdureka!
 

Destacado (13)

Splunk Different
Splunk DifferentSplunk Different
Splunk Different
 
Splunk Ninja: New Features, Pivot and Search Dojo
Splunk Ninja: New Features, Pivot and Search Dojo Splunk Ninja: New Features, Pivot and Search Dojo
Splunk Ninja: New Features, Pivot and Search Dojo
 
Explorando o splunk
Explorando o splunkExplorando o splunk
Explorando o splunk
 
Splunk Enterprise for IT Troubleshooting Hands-On
Splunk Enterprise for IT Troubleshooting Hands-OnSplunk Enterprise for IT Troubleshooting Hands-On
Splunk Enterprise for IT Troubleshooting Hands-On
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
SplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search Optimization
 
Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting
 
Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101
 
Introducing Splunk – The Big Data Engine
Introducing Splunk – The Big Data EngineIntroducing Splunk – The Big Data Engine
Introducing Splunk – The Big Data Engine
 
Splunk sales presentation
Splunk sales presentationSplunk sales presentation
Splunk sales presentation
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | Edureka
 

Similar a SplunkLive! Washington DC May 2013 - Splunk Security Workshop

Getting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionGetting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionSplunk
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonKenneth Kwon
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusMarco Pas
 
Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Tomas Doran
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkGeorg Knon
 
Beyond unit tests: Deployment and testing for Hadoop/Spark workflows
Beyond unit tests: Deployment and testing for Hadoop/Spark workflowsBeyond unit tests: Deployment and testing for Hadoop/Spark workflows
Beyond unit tests: Deployment and testing for Hadoop/Spark workflowsDataWorks Summit
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
Security Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budgetSecurity Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budgetJuan Berner
 
DockerCon Europe 2018 Monitoring & Logging Workshop
DockerCon Europe 2018 Monitoring & Logging WorkshopDockerCon Europe 2018 Monitoring & Logging Workshop
DockerCon Europe 2018 Monitoring & Logging WorkshopBrian Christner
 
Journey through high performance django application
Journey through high performance django applicationJourney through high performance django application
Journey through high performance django applicationbangaloredjangousergroup
 
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Hernan Costante
 
PSUG 1 - 2024-01-22 - Onboarding Best Practices
PSUG 1 - 2024-01-22 - Onboarding Best PracticesPSUG 1 - 2024-01-22 - Onboarding Best Practices
PSUG 1 - 2024-01-22 - Onboarding Best PracticesTomas Moser
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Demi Ben-Ari
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalJoachim Draeger
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays
 
Monitoring at/with SUSE 2015
Monitoring at/with SUSE 2015Monitoring at/with SUSE 2015
Monitoring at/with SUSE 2015Lars Vogdt
 
Thinking DevOps in the era of the Cloud - Demi Ben-Ari
Thinking DevOps in the era of the Cloud - Demi Ben-AriThinking DevOps in the era of the Cloud - Demi Ben-Ari
Thinking DevOps in the era of the Cloud - Demi Ben-AriDemi Ben-Ari
 

Similar a SplunkLive! Washington DC May 2013 - Splunk Security Workshop (20)

Getting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionGetting started with Splunk Breakout Session
Getting started with Splunk Breakout Session
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using Prometheus
 
Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
 
Beyond unit tests: Deployment and testing for Hadoop/Spark workflows
Beyond unit tests: Deployment and testing for Hadoop/Spark workflowsBeyond unit tests: Deployment and testing for Hadoop/Spark workflows
Beyond unit tests: Deployment and testing for Hadoop/Spark workflows
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Security Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budgetSecurity Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budget
 
DockerCon Europe 2018 Monitoring & Logging Workshop
DockerCon Europe 2018 Monitoring & Logging WorkshopDockerCon Europe 2018 Monitoring & Logging Workshop
DockerCon Europe 2018 Monitoring & Logging Workshop
 
Journey through high performance django application
Journey through high performance django applicationJourney through high performance django application
Journey through high performance django application
 
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
 
PSUG 1 - 2024-01-22 - Onboarding Best Practices
PSUG 1 - 2024-01-22 - Onboarding Best PracticesPSUG 1 - 2024-01-22 - Onboarding Best Practices
PSUG 1 - 2024-01-22 - Onboarding Best Practices
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ Signal
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
 
Monitoring at/with SUSE 2015
Monitoring at/with SUSE 2015Monitoring at/with SUSE 2015
Monitoring at/with SUSE 2015
 
Thinking DevOps in the era of the Cloud - Demi Ben-Ari
Thinking DevOps in the era of the Cloud - Demi Ben-AriThinking DevOps in the era of the Cloud - Demi Ben-Ari
Thinking DevOps in the era of the Cloud - Demi Ben-Ari
 

Más de Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 

Más de Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Último

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 

SplunkLive! Washington DC May 2013 - Splunk Security Workshop

  • 2. Search and Discover the Bad Guys in <= 60 Minutes
  • 3. Purpose ● Apply analytics to your data via Splunk ● Demonstrate simplicity of doing this ● Lower the barrier to entry to explore your data
  • 4.
  • 5.
  • 6. Doesn't my new hotness do that? ● Yes, no, um, well, kinda ● Sec COTS software reports on what PM wanted ● Signature-based is helpful but misses a lot ● Anomaly can work, but … ● Amazing products exists, but don't do everything ● Maybe you don't have a new hotness ● “Your network” = “Your responsibility”
  • 7. Who Am I? ● Sean Wilkerson, Partner/Consultant, Aplura
  • 8. Who Am I? ● Sean Wilkerson, Partner/Consultant, Aplura ● ~15 Years of Network --> Systems --> InfoSec ● A Decade+ of Federal Log-Management ● Half Spent Deploy/Manage FOSS/SIM/SIEM ● Half Spent Deploy/Manage FOSS/Splunk ● SANS Log Mgmt Summits ● Splunk Pro Serv Partner Since 2008 ● Splunk makes me happy
  • 9.
  • 10. Who Are You? ● You Know Splunk is Right for You ● You Know Key Splunk Concepts ● You Don't Have or Don't Want to Rely on Infosec COTS software ● You Are Analysts!! <--- Really important
  • 11. Splunk 001 ● Complex and fast search for machine data ● Concept of “fields” (key=value) ● Thousands of built-in analytic combos (Learn 5-10 and you can do almost anything)
  • 12. Splunk 101 ● Search (boolean) ● Fields (key=value with CIDR) ● Piped “|” expressions/functions ● Lookups ● The “pivot”
  • 13. Quick Disclaimer ● Data exploration could take until ... ● This pres includes many analytic elements ● Not demoed data ● Data is not seeded with gems ● sample_data came from Fed site this week ● Eventgen.py is recirculating sample_data ● Let's explore it together
  • 14. Content Available Now! Slides: aplura.com/splunklivedc BestPractice Doc: aplura.com/splunkbp ● Also: ● SplunkLiveDC 2012: aplura.com/splunklivedc2012 ● Look Before you SIM: aplura.com/lookbeforeyousim
  • 15.
  • 17. What Time do you Have? ● Concept: Time is bad everywhere and this causes havoc during investigations. Do periodic time audits (it takes minutes with Splunk). As an analyst, you can validate your time BEFORE it is too late (during an investigation). ➢ * | eval timeDiff=_indextime-_time | timechart avg(timeDiff) by sourcetype ➢ sourcetype=firewalls | eval timeDiff=_indextime-_time | timechart avg(timeDiff) by host
  • 18. Off-time Activity ● Concept: Off-time activity can indicate a suspicious system. Splunk events include special built-in fields that are “time” aware ➢ (NOT (date_wday="Sat" OR date_wday="Sun") AND (date_hour>=20 OR date_hour<7)) OR date_wday="Sat" OR date_wday="Sun" Or if you need to “create” those built-in fields ➢ * | eval date_wday=strftime(_time,"%a") | eval date_hour=strftime(_time, "%H") | search (NOT (date_wday="Sat" OR date_wday="Sun") AND (date_hour>=20 OR date_hour<7)) OR date_wday="Sat" OR date_wday="Sun"
  • 19. Activity by IP Range ● Concept: Groups of systems often have different patterns. So, analyze them by their group. ➢ dest_ip=111.109.0.0/16 | top action ➢ sourcetype=checkpoint dest_ip=111.109.0.0/16 action=allowed ➢ eventtype=network* | top action by eventtype
  • 20. Field Length Analysis ● Concept: Splunk makes analyzing the length of fields really easy. This is valuable to find malicious activity and mis-configurations ➢ | eval Length=len(_raw) | where Length>2000 ➢ len(http_referer) or len(domain) or len(uri) ...
  • 21. Field/Data Manipulation ● Concept: During analysis, you often need new fields, or need to mangle a piece of data to help with analysis. ➢ tag=firewall | eval Firewall_Host=orig | top Firewall_Host ➢ tag=firewall | rex "orig=(?<Firewall_Host>d+.d+.d+.d+)|" ➢ tag=firewall | rex ";policy_name=(?<policy_name>[^]]+)]" Use mode=sed to change fields like action or _raw ➢ tag=firewall | rex field=action mode=sed "s/reject/blocked/" | top action
  • 22.
  • 23. Date in Search ● Concept: Don't you hate having to take your hands off the keyboard to use your mouse to manipulate the Timepicker? Me too. ➢ earliest=-3h+22m latest=@h-10m ➢ earliest=-3d@d latest=-2d@d-1s
  • 25. Allows by Previous Drops ● Concept: A FW drop violates policy. Now, let's inspect “Accepts” from those “source IPs” ➢ NOT eventtype=network:all_src tag=firewall NOT action=allowed | dedup src_ip | table src_ip ➢ NOT eventtype=network:all_src tag=firewall action=allowed [search NOT eventtype=network:all_src tag=firewall NOT action=allowed | dedup src_ip | table src_ip] | top src_ip by dest_ip
  • 26. Bytes Transfer Analysis ● Concept: Whether you are looking for malware payload or data exfiltration, bytes-transferred from your firewall/webpoxy/flow is GOOD! ➢ tag=flow | stats avg(bytes_out) by src_ip,dest_port Combine with off-time and IP range for exciting results
  • 27. Port Scanning Analysis ● Concept: Not all attacks are slow and low. Use Splunk to sniff-out port scanners and add it to your watchlist for later. Port scanners ➢ tag=firewall NOT eventtype=network:all_src | stats dc(dest_port) as Port_Count by src_ip | where Port_Count>50 Host sweepers ➢ tag=firewall NOT eventtype=network:all_src | stats dc(dest_ip) as IP_Count by src_ip | where IP_Count>50
  • 29. Browsed to IP ● Concept:Bare-ip browsing isn't illegal, but it shouldn't give you warm and fuzzies. Not always bad, but combined with other indicators bare ips are suspicious. ➢ tag=proxy | regex uri_domain="http://d+.d+.d+.d+" | rare uri_domain
  • 30. Query Watchlist ● Concept: Use getwatchlist to pull any http(s)/ftp accessible delimited file into Splunk ● Tool: Getwatchlist ➢ | getwatchlist malwaredomains | outputlookup domain_watchlist.csv ➢ tag=proxy [ | inputlookup watchlist | table domain]
  • 31. Web Activity Timing ● Concept:Compare web activity by time and ... ● Tool: Geoip ➢ tag=proxy | lookup geoip clientip ➢ tag=proxy | transaction clientip maxspan=60s maxpause=40s | lookup geoip clientip | stats dc(client_country) as Count by clientip | where Count>2
  • 32. URI/URL/File/Ext Analysis ● Concept: Evaluate web activity by URI, URL, File, and extension. ➢ tag=proxy | stats dc(fileextension) as Count by clientip | sort -Count ➢ tag=proxy http_referer="-" http_user_agent="-" | stats dc(file) as Count by clientip | sort -Count
  • 33. Http User Agent Analysis ● Concept: UA strings are incredibly valuable and can be used in a variety of ways. ● Tool: uas_parser ➢ tag=proxy | lookup uas_lookup http_user_agent | search ua_type="unknown" | stats count by http_user_agent ➢ tag=proxy | lookup uas_lookup http_user_agent | top ua_family ➢ ua_type, ua_company
  • 34. Long URI no Referrer ^M ● Concept: Deep analysis of URI's with no referrer ➢ tag=proxy http_referer="-" method="GET" | strcat uri_path uri_query uri | replace *- with * in uri | eval uri_length = len(uri) | stats count by src_ip dest_ip dest_host http_referrer uri_length uri | sort ‐uri_length
  • 35. URL Length ^M ● Concept: URL/URI length can be indicative of malicious activity. ➢ tag=proxy | eval "URL Length"=len(uri) | eventstats avg(URL Length) AS "Average URL Length" stdev("URL Length") AS "Stdev URL Length" | eval Notable=tonumber('Average URL Length')+2 * tonumber('Stdev URL Length') | where 'URL Length'> Notable | table "domain" Category "URL Length" Notable "Average URL Length" "Stdev URL Length" | sort -‐"URL Length"
  • 37. DNS + Webproxy ● Concept: DNS has significance since it is frequently ignored and a popular C&C vector for bad folks. Correlate DNS and Webproxy? ➢ tag=proxy OR tag=dns [ | inputlookup watchlist | table domain]
  • 38. More Ideas ● Compare entropy ● Webproxy: Repeated errors (e.g. 404s and 500) ● Webproxy: SQL Injection discovery ● Webproxy: Unique file/uri ● Auth: Failures to “admin” accounts ● DNS: Deeply nested hosts (lots of dots) ● DNS: TXT queries ● DNS: Failed lookups ● DNS: Systems doing a lot of lookups (or failed lookups) ● DNS: End points making strange queries (successive SOA) ● DNS: Odd TLDs ● DNS: Spikes in lookups ● DNS: Reverse lookups ● DNS: Short TTLs ● DNS: Responses with non-routable IPs
  • 39. Wrap Up ● “Lower the cost of exploration” - ^M ● Easily implement/test/evaluate ● Applies common analytic logic ● Easily pivot to validate or adjust strategy
  • 40. Additional Resources ● docs.splunk.com - Manuals ● splunk-base.splunk.com - User forums ● Cheatsheet - duh! ● #CONF - User Conference
  • 41. Thanks! ^M = Monzy Merza Aplura's (Dave Shpritz and Dan Deighton) Splunk Enterprise Security Splunk Fed SEs (Mike Wilson, Scott Spencer)
  • 42. Content Available Now! Slides: aplura.com/splunklivedc BestPractice Doc: aplura.com/splunkbp ● Also: ● SplunkLiveDC 2012: aplura.com/splunklivedc2012 ● Look Before you SIM: aplura.com/lookbeforeyousim