
‫فناوری راه نو سورین‬

How To Detect Threats With


Soorinsec.ir

Ali Ahangari
SOC Analyst
SOORIN Co-Founder
Telegram: @hypersec
Website: Soorinsec.ir
Topics

• Introduction To Splunk
• Splunk as a Threat Detection Platform
• Threat Detection Requirements
• Threat Detection and Analysis Techniques
  • Basic Search
  • Frequency Analysis
  • Volumetric Analysis
  • Event Correlation
    • Subsearch/Join
    • Grouping
    • Lookup

Introduction To Splunk

• Splunk is a software platform for searching, analyzing and visualizing the machine-generated data gathered from the websites, applications, sensors, devices, etc. that make up your IT infrastructure and business.

Introduction To Splunk

Components

Data Pipeline

Splunk as a Threat Detection Platform

Threat Detection and Monitoring Without Apps
• Query (SPL)

Threat Detection and Monitoring With Apps
• Commercial: Enterprise Security, UBA
• Free: Predefined Dashboards and Tuning Rules

Threat Detection Requirements

• Event Data
• Technology Knowledge
• Threat Intelligence
• Threat Knowledge
• Threat Analysis Techniques

Threat Analysis Techniques

• Basic Search
• Frequency Analysis
• Volumetric Analysis
• Event Correlation
  • Subsearch/Join
  • Grouping
  • Lookup

Threat Analysis Techniques

• Basic (Simple) Search

This is the simplest method of hunting. Searching primarily means querying data for specific artifacts using finely defined search criteria.

Search as specifically as possible.

• Search IoCs
index=<index name (if you know it)> <IP>
index=<index name (if you know it)> <hash>
index=<index name (if you know it)> <URL>

Threat Analysis Techniques

• Frequency Analysis (Stack Counting)

Frequency analysis examines how often a given value or event occurs.
• Number of Connections Per Source/Destination
• Number of Failed or Successful Logins
• Long Tail Analysis of Some Important Fields

| stats count by <subject>

| top <subject>
| rare <subject>

Threat Analysis Techniques

• Volumetric Analysis

Volumetric analysis answers "how much" and "how many" questions. This type of hunting looks at the volume of a particular data set.

• How much data did endpoints send out of the network?

• How much data did endpoints receive from outside?

• Which systems have had the longest sessions?

| timechart <function>(<field>) by <subject>

Threat Analysis Techniques

• Event Correlation

Event correlation is a technique that relates various events to identifiable patterns.

There are multiple ways to correlate events within Splunk:

• Subsearch/Join

• Grouping

• Lookup

Threat Analysis Techniques

• Event Correlation – Subsearch / Join

Subsearch: A subsearch is a search that is used to narrow down the set of events that you search on. The result of the subsearch is then used as an argument to the primary, or outer, search.

Join: Use the join command to combine the results of a subsearch with the results of a main search. One or more of the fields must be common to each result set.

• User Agents You Haven't Seen Before

• Connections that Bypassed the Firewall

Threat Analysis Techniques

• Event Correlation – Grouping Analysis

Grouping focuses on a handful of specific characteristics. Using grouping as a technique can enable teams to identify adversaries' tools or techniques.

• Group user activities on Windows based on logon ID

• Group events based on firewall actions

| transaction <common field> <conditions>

Threat Analysis Techniques

• Event Correlation – Lookup

Splunk can correlate with data that is external to Splunk using the lookup command. The most basic use is when you have fields in your Splunk events that need to be correlated with fields in an external CSV file.

• Correlate Destination IPs in your events with Blacklist IPs in an External CSV File

<main search> [| inputlookup <external CSV file>]

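Worked SPL for the blacklist correlation described above, added here as an example and not taken from the slides. It assumes a firewall index whose events carry src_ip, dest_ip, action and bytes_out, and a CSV uploaded as a lookup table file named blacklist_ips.csv with columns ip and threat_category (all assumed names).

```spl
index=firewall action=allowed
    [| inputlookup blacklist_ips.csv
     | rename ip AS dest_ip
     | fields dest_ip ]
| stats count AS hits
        sum(bytes_out) AS bytes_out
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        by src_ip dest_ip
| lookup blacklist_ips.csv ip AS dest_ip OUTPUT threat_category
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
```

The bracketed inputlookup is the slide's pattern: the CSV rows expand into an OR of dest_ip values, which is bounded by the subsearch result cap (10,000 rows by default), so very large blacklists are better applied by running the main search first and filtering with lookup followed by where isnotnull(threat_category).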

Thanks