How To Detect Threats With Splunk
Ali Ahangari
SOC Analyst
SOORIN Co-Founder
Telegram: @hypersec
Website: Soorinsec.ir
Topics
• Introduction To Splunk
• Splunk as a Threat Detection Platform
• Threat Detection Requirements
• Threat Detection and Analysis Techniques
• Basic Search
• Frequency Analysis
• Volumetric Analysis
• Event Correlation
• Subsearch/Join
• Grouping
• Lookup
Introduction To Splunk
• Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business.
Introduction To Splunk
Data Pipeline
Splunk as a Threat Detection Platform
• Threat Detection and Monitoring Without Apps
  • Query (SPL)
  • Free
• Threat Detection and Monitoring With Apps
  • Enterprise Security
  • UBA
  • Predefined Dashboards and Tuning Rules
  • Commercial
Threat Detection Requirements
• Threat Knowledge
• Threat Analysis Techniques
Threat Analysis Techniques
• Basic Search
• Frequency Analysis
• Volumetric Analysis
• Event Correlation
  • Subsearch/Join
  • Grouping
  • Lookup
Threat Analysis Techniques
• Search IoCs (the index field name is case-sensitive, so use lowercase index=)
index=<Index Name (If you know it)> <IP>
index=<Index Name (If you know it)> <Hash>
index=<Index Name (If you know it)> <URL>
Threat Analysis Techniques
• Subsearch/Join
• Grouping
• Lookup
Threat Analysis Techniques
Join: Use the join command to combine the results of a subsearch with the results
of a main search. One or more of the fields must be common to each result set.
• Correlate Destination IPs in your events with Blacklist IPs in an External CSV File
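An added example (not from the slides) showing the destination-IP-against-blacklist correlation described above in two SPL forms: a lookup-based search and a join with an inputlookup subsearch. It assumes an index named firewall whose events carry src_ip and dest_ip fields, and a lookup file blacklist_ips.csv (columns ip and source) already uploaded to Splunk; these names are assumptions.

```spl
index=firewall dest_ip=*
| lookup blacklist_ips.csv ip AS dest_ip OUTPUT source AS threat_source
| where isnotnull(threat_source)
| stats count AS hits dc(src_ip) AS internal_talkers earliest(_time) AS first_seen latest(_time) AS last_seen BY dest_ip threat_source
| convert ctime(first_seen) ctime(last_seen)
| sort - hits

index=firewall dest_ip=*
| rename dest_ip AS ip
| join type=inner ip [| inputlookup blacklist_ips.csv]
| stats count AS hits dc(src_ip) AS internal_talkers BY ip source
| sort - hits
```

Run the two searches separately; both return one row per blacklisted destination with the hit count and the number of distinct internal hosts that contacted it. Prefer the lookup form for large blacklists, since a join subsearch is truncated at a configured result limit and silently drops the rest of the list.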