Everyone wants to encrypt everything, and we should. But paying for certificates can get a bit expensive. This is where Let’s Encrypt comes into play. Let’s Encrypt allows you to create an SSL certificate for FREE! You read that correctly. Free as in beer. They even have an automated script to help configure your server. One thing to plan for: Let’s Encrypt certificates are only valid for 90 days, so automate the renewal rather than doing it by hand. Link below for the Splunk Blog with a how-to on setting this up.
I recently read the Splunk blog post Spotting the Adversary… with Splunk. If you have a Windows-based infrastructure, this is a great article to read, as is the referenced material. The article talks about having to go through millions of events to even try to find the adversary and the struggles that causes. The post is great because it even gives you a sample dashboard you can drop into your environment, assuming you have the GPOs set up and the Windows Infrastructure app installed. Lucky for me, I did have those set up.
The blog post is based on a document from the NSA’s IA team. It is a great read. At 54 pages, it isn’t the usual long, drawn-out government paper. They even have screenshots of the options you need to make sure to change.
I found the dashboard was overall very good. I did notice a few things not lining up correctly. For example, EventCode 43 is listed under USB Activity, and there I am seeing the logs for Definition Update for Microsoft Endpoint Protection. But the dashboard did break things down to where I was able to go through the different menus and find things I might not have known about without digging into the logs.
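The mismatch noted above is what happens when a panel keys on EventCode alone: Windows event IDs are only unique within a provider, and the Windows Update Client logs its own event 43 (“Installation Started”) to the System log, which is where “Definition Update for Microsoft Endpoint Protection” lines come from. The script below is an added example, not code from the blog post or the dashboard. It runs a panel-style EventCode filter and a provider-qualified filter over constructed events laid out the way Splunk’s WinEventLog input renders them; the Plug and Play provider name is an assumption, and the hosts, times and device IDs are made up.

```python
"""Why an EventCode-only panel collects unrelated events.  Added example
over constructed events in the key=value layout of Splunk's WinEventLog
input; the PnP provider name is an assumption, the rest is illustrative."""
import re

# Constructed events.  Two of them share EventCode 43: the Windows Update
# Client's "Installation Started" event in the System log (the source of
# "Definition Update for Microsoft Endpoint Protection" lines) and a device
# event from a Plug and Play provider (assumed here to be
# Microsoft-Windows-Kernel-PnP).  Hostnames, times and device IDs are made up.
SAMPLE_EVENTS = """\
03/10/2015 09:12:44 AM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=43
Type=Information
ComputerName=WS01.corp.example
Message=Installation Started: Windows has started installing the following update: Definition Update for Microsoft Endpoint Protection

03/10/2015 09:15:02 AM
LogName=Microsoft-Windows-Kernel-PnP/Configuration
SourceName=Microsoft-Windows-Kernel-PnP
EventCode=43
Type=Information
ComputerName=WS01.corp.example
Message=Device USB VID_0000 PID_0000 0123456789 (constructed) was configured.

03/10/2015 09:20:31 AM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4624
Type=Information
ComputerName=WS01.corp.example
Message=An account was successfully logged on.
"""

FIELD_RE = re.compile(r"^(\w+)=(.*)$")


def parse_wineventlog(text):
    """Split blank-line separated events into dicts of their key=value
    fields; the leading timestamp line is stored under 'timestamp'."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        event = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                event[m.group(1)] = m.group(2)
        events.append(event)
    return events


def by_eventcode(events, code):
    """What a panel keyed on EventCode alone does."""
    return [e for e in events if e.get("EventCode") == str(code)]


def by_provider_and_eventcode(events, source_name, code):
    """The tightened search: the event ID qualified by its provider."""
    return [e for e in by_eventcode(events, code)
            if e.get("SourceName") == source_name]


def providers_for_code(events, code):
    """Audit helper: which providers emit this EventCode in your data.
    Run it for every code a dropped-in panel uses before trusting it."""
    return sorted({e.get("SourceName", "?") for e in by_eventcode(events, code)})


if __name__ == "__main__":
    events = parse_wineventlog(SAMPLE_EVENTS)
    print("EventCode 43 alone matches", len(by_eventcode(events, 43)), "events")
    print("providers emitting 43:", providers_for_code(events, 43))
    usb = by_provider_and_eventcode(events, "Microsoft-Windows-Kernel-PnP", 43)
    print("PnP-qualified 43 matches", len(usb), "event(s)")
```

The same split carries straight over to the dashboard: add `SourceName="..."` (or `LogName="..."`) next to each `EventCode=` in a panel’s search, and run the audit query (`... EventCode=43 | stats count by SourceName`) against your own index for every code the panel lists, because which providers collide depends on what your GPOs forward.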
Watch this demonstration of the Splunk Enterprise Security’s incident review framework to learn how you can detect, analyze and respond to security incidents and threats. The demo highlights benefits of using Asset Investigator, Risk and other key concepts in the context of investigating and managing overall Incident Response in SIEM workflows.
Watch this demonstration of Splunk Enterprise Security’s Threat Intelligence capability and gain the ability to quickly detect and investigate threats using threat intelligence. Splunk Enterprise Security’s Threat Intelligence framework helps organizations aggregate, prioritize and manage a wide variety of threat intelligence, whether delivered over STIX/TAXII, pulled from open-source threat lists, or taken from many other sources.
Watch this demonstration of Splunk Enterprise Security to learn the key capabilities of Splunk Enterprise Security and how to use it to solve key security challenges. Splunk Enterprise Security helps security practitioners detect, investigate and respond to internal and external attacks by simplifying threat management while minimizing risk to safeguard your business.
After posting about the SPLing Bee back in November, I have gotten around to trying it out myself. After working out a few bugs (shout out to Charlie Huggard for the help), I have the SPLing Bee ready for download.
If the Splunk indexer you are using to play/judge is publicly available, you can have the contestants use a Splunk Cloud trial to spin up machines to play. If your indexer is on a private network, each contestant will need to spin up a Splunk indexer/heavy forwarder to be able to play. The contestant will need a full instance of Splunk and not a universal forwarder, as they will need to index data, run searches against the data, and add a Splunk application to the indexer.
Things to do when setting up the game:
Make sure that the indexer isn’t already set up to listen on port 9997. The SPLing Bee app will set up a TCP input listening on port 9997.
Update the Round 1 text of the dashboard with the correct instructions for the contest and where to send the data.
Make sure there are machines available for the contestants, or have the main indexer publicly facing so they can use a Splunk Cloud trial.
It’s best to have everyone use cloud trial instances, install the app, and index the sample dataset you want to use. Each cloud instance sends from its own IP address, whereas if people are using local instances (for example, everyone behind the same NAT) you may see the same IP come in from several contestants, which makes judging hard.
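A pre-flight check for the first and third points above, added here as an example and not part of the SPLing Bee app: it parses an inputs.conf (a constructed sample) for an enabled network input that already claims port 9997, and writes a local/inputs.conf override that limits the game’s input to the contestants’ networks with Splunk’s `acceptFrom` setting, which is worth doing whenever the indexer is publicly facing, since a raw TCP input otherwise accepts data from anyone. The stanza header `[tcp://9997]` for the app’s input and the network addresses are assumptions.

```python
"""Pre-flight checks for a SPLing Bee indexer.  Added example, not part of
the SPLing Bee app: (1) is TCP port 9997 already claimed in inputs.conf?
(2) produce a local/inputs.conf override that limits the game's input to
the contestants' networks with acceptFrom.  All sample data is constructed."""
import configparser
import re

SPLING_BEE_PORT = 9997  # the port the SPLing Bee app's TCP input listens on

# Constructed inputs.conf, not copied from a real host.  The default
# forwarder-receiving stanza is enabled on 9997, which is exactly the
# conflict the setup notes warn about.
SAMPLE_INPUTS_CONF = """\
[default]
host = judge-indexer

[splunktcp://9997]
disabled = 0

[tcp://1514]
sourcetype = syslog
"""

# Stanza headers for network inputs: [tcp://<port>], [splunktcp://<port>],
# their -ssl variants, optionally with a restricting host before the port.
STANZA_RE = re.compile(
    r"^(?P<kind>splunktcp|splunktcp-ssl|tcp|tcp-ssl)://(?:(?P<host>[^:]+):)?(?P<port>\d+)$")


def load_conf(text):
    """Splunk .conf files are INI-like; keep key case (acceptFrom) and
    tolerate duplicate stanzas the way btool output can contain them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def listening_inputs(conf_text):
    """(port, stanza) for every enabled network input in conf_text."""
    cp = load_conf(conf_text)
    found = []
    for name in cp.sections():
        m = STANZA_RE.match(name)
        if m is None:
            continue
        if cp.get(name, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        found.append((int(m.group("port")), name))
    return found


def port_conflicts(conf_text, port=SPLING_BEE_PORT):
    """Stanzas that already listen on `port`; an empty list means it is free."""
    return [stanza for p, stanza in listening_inputs(conf_text) if p == port]


def game_input_override(allowed_networks, port=SPLING_BEE_PORT):
    """Stanza for local/inputs.conf that layers an acceptFrom ACL onto the
    app's input.  The header is assumed to be [tcp://9997]; it must match
    the stanza the app actually ships, or Splunk will open a second input."""
    acl = ", ".join(allowed_networks)
    return f"[tcp://{port}]\nacceptFrom = {acl}\n"


if __name__ == "__main__":
    clashes = port_conflicts(SAMPLE_INPUTS_CONF)
    print("port %d in use by: %s" % (SPLING_BEE_PORT, clashes or "nothing"))
    # 203.0.113.0/24 and 198.51.100.7 are documentation addresses standing in
    # for the contestants' cloud trial instances.
    print(game_input_override(["203.0.113.0/24", "198.51.100.7"]))
```

Feed the check the output of `splunk btool inputs list` rather than one file, since an input can be declared in any app on the indexer; if the stock `[splunktcp://9997]` receiver is what turns up, move it to another port before installing the app.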
Thank you to the Nonprofit Hub in Lincoln for allowing us to take over the area. Thank you to Tony Reinke from National Research Corporation, John Foss of Splunk, and Bret Brasfield of Continuum for your presentations. There was a lot of good discussion on Enterprise Security and we were very happy that Kanad Sharma from Splunk Professional Services was there and able to share his experiences.
Thank you to everyone that joined us for our developer-focused meeting. Thank you to Nimble Storage for providing the food. Thank you to Continuum for providing the drinks. And thank you to National Research for hosting the event. It was great to learn more about writing code for Splunk. Below you will find the PDFs of both Tony Reinke’s (National Research) and Brian Knopp’s (Nimble Storage) presentations.
A call for papers has recently gone out for the 2015 Splunk Conference. Got a great success story? Made a killer app? Submissions are accepted via the Call for Papers until April 28th, and accepted sessions will be announced beginning May 28, 2015.