
2016 SPLUNK INC. CONFIDENTIAL.
2017 SPLUNK INC. INTERNAL USE ONLY.

Splunk Enterprise Security: The Analytics SIEM

Agenda: Course Outline

Section 1: bad news / good news
Section 2: What's a SIEM?
Section 3: Security Posture & Incident Review
Section 4: Event Investigators and Adaptive Response
Section 5: Security Domains
Section 6: Security Intelligence
Section 7: Investigative Journal
Section 8: Wrap-Up
Section 9: Appendix

Section 1: good news | bad news

the anatomy of a breach

Modern APTs are essentially attack transactions, but the attacker is trying to hide from you.

[Figure: one attack transaction traced across technologies. Stages: gain access to system; create additional environment; conduct business. Threat Data: web portal, .pdf. Network (access/security): proxy log, mail and web events that contain a link to the file; C2 communication to a blacklisted destination. Endpoint (access/security): what created the program/process? how was the process started? process making C2 traffic (.pdf, Calc.exe, Svchost.exe).]

First, the bad news

Security Today:

30% of phishing emails get opened.

** 2016 Verizon breach digest

one minute and forty seconds to open a malicious email upon receipt.

one in ten users open the attachments.

three minutes and forty-five seconds to open an attachment upon receipt.

3% of users alert management of a possible phishing email.

it only takes one user to open one email to compromise an entire network.

two-thirds of all breaches are the result of weak or stolen passwords.

new vulnerabilities come out every day.

99% of attacks compromise systems within days.

1/3rd of breaches are detected by a 3rd party.

only 4% of alerts are investigated.



59,476 un-investigated tickets.
1 single incident.
40,000,000 customer records.

46% of organizations don't even have a SOC.

and no one is immune.

prevention starts with the SOC



now, the good news



3 equal parts make a mature security program:

Process | Technology | People

let's do some maths!

the average analyst handles between 14 and 28 cases in an 8 hour shift.

assuming 25 cases per day (according to Optiv).
20 minutes per case.
500 cases per month.
= 166 hours
20 days.

what if we could cut that in half?

166 hours / 2 = 83 hours
88 hours / 8 = 10 days

you get 10 days back. per month.

what could you do with an additional 10 days per month?

start a fight club?
more family time?
work on automating basic alerting?
write a haiku?
up your security training?
concentrate on accuracy over speed?

the possibilities are endless.



there's the old way.

escalate or ignore.

then there's the right way.

find out wtf is actually going on.



let's work smarter, not harder.

and I'll show you how.

Section 2: What's a SIEM?
2006 called. They want their SIEM back.

Legacy SIEM

Firewall | Authentication | Vulnerability Scans | Intrusion Detection | Data Loss Prevention | Anti-Malware

All Machine Data is Security Relevant

Traditional SIEM sources: Firewall | Authentication | Vulnerability Scans | Intrusion Detection | Data Loss Prevention | Anti-Malware

All machine data: Threat Intelligence | Email | Web | Desktops | Servers | DHCP/DNS | CMDB | Custom Apps | Network Flows | Hypervisor | Badges | Physical Access | Transaction Records | Storage | Mobile

learning objectives

Overview of Splunk Enterprise Security (ES)
Introduce notable event
How to log in to ES
Introduce ES home page

Enterprise Security Overview

Out of the box content in all its glory - alerts | reports | dashboards
Captures data from all sorts of device | systems | applications, then smacks it up, flips it, and rubs it down
Built on top of Splunk Core (so you can still get down and get funky with SPL).
Made with real bits of jaguar, so you know it's good.

Rapid 5 Year Ascension in Gartner SIEM MQ

2011: Niche Player. 2016: Leader.
Splunk Positioned as a Leader in Security Analytics Platforms

Splunk is a Leader in The Forrester Wave: Security Analytics Platforms, Q1 2017*
Splunk receives highest possible scores in 17 criteria

Report is available for redistribution:
https://www.splunk.com/goto/forrester-wave-security-analytics-platform

*The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Actionable Info Through Normalization

Any Source, Type, Volume; On-the-Fly Data Normalization; Security Domains (Access, Endpoint, Network, Identity)

[Figure: data sources feeding normalization: Online Services, Web Services, On-Premises Servers, Packaged Applications, Custom Applications, Desktops, Networks, Private Cloud, Public Cloud, Storage, Messaging, Telecoms, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices, GPS Location]

Data Sources Required

Network | Endpoint | Threat Intelligence | Access/Identity

Data Sources Required

Threat intelligence. Sources: 3rd party threat data, open source blacklist, internal threat intelligence. Answers: known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution.

Network. Sources: firewall, IDS, IPS, web proxy, DNS, NetFlow, email. Answers: who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement.

Endpoint. Sources: AV/IPS/FW, malware detection, config management, performance, OS logs, file system. Answers: running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service.

Access/Identity. Sources: directory services, asset mgmt., authentication logs, application services, VPN, SSO. Answers: access level, privileged use/escalation, system ownership, user/system/service business criticality.

Single Platform for Security Intelligence

Incident Investigations & Forensics | Real-Time Monitoring of Known Threats | Detect Unknown Threats | Fraud Detection | Insider Threat | Security & Compliance Reporting

Enterprise Security Home

Enterprise Security Home (cont.)

Click Security Posture to view the Security Posture dashboard, which provides a real-time overview of your organization's security posture

Click Incident Review to see the Incident Review dashboard, enabling you to view and work with current notable events

Enterprise Security Home (cont.)

Click Documentation to view the Splunk App for Enterprise Security documentation

Click Community to connect with other Splunk users on Splunk Answers

lab time!
let's get ready to rumble!

Enterprise Security Hands-On: What's your Birth Month?

- If you were born January through March: https://54.227.105.231
- If you were born April through June: https://54.88.149.63
- If you were born July through September: https://184.72.210.97
- If you were born October through December: https://54.90.243.77

Username: demo Password: atlanta2017

Briefly explore Enterprise Security's navigation menu

1. Click Security Posture to view the Security Posture dashboard; this dashboard provides a near real-time overview of elements of an organization's security posture
2. Click Incident Review to view the Incident Review dashboard; this dashboard provides a view into recent notable events that have occurred
3. Click Documentation to view the Enterprise Security documentation hosted on docs.splunk.com
4. Click Community to connect with other Splunk users on answers.splunk.com

Section 2: Dashboard Overview

Learning Objectives for this Section

1. Introduce the default ES dashboards
2. Describe common dashboard features
3. Introduce Extreme Search
4. Introduce Key Indicators

Dashboard Overview

Splunk Enterprise Security provides a range of dashboards that form a high-level overview of all security threats on your system

Default Dashboards

Security Posture | Incident Review | My Investigations | Glass Tables | Security Intelligence | Security Domains | Audit | Search | Configure

Common Dashboard Elements

Dashboard Filters

Many dashboards have a filter bar to restrict the view on the current dashboard to events that match the selected criteria

Dashboard Drilldowns

The tables and charts that comprise an ES dashboard present a consolidated view of the events
To see a detailed breakout of the events, click a point or segment on any chart, or a row in a table

Panel Editor

Workflow Actions

Enable interactions between specified fields in your data and other applications or web resources

The Event Action and Action menus contain the relevant workflow actions, and are available on any dashboard that displays the source events

Extreme Search

An enhancement to the Splunk Enterprise search language (SPL)
As implemented in ES, you can use the Extreme search commands to:
- Build dynamic thresholds based upon event data
- Provide context awareness by replacing event counts with natural language

Extreme Search | Example

In the Malware Center dashboard, the Key Security Indicator Total Infections displays the total number of systems with malware infections over the last 24 hours

Extreme Search

The same indicator using Extreme search displays the relevant information, but includes a depth that was not available with the prior Total Infections indicator

Key Indicators

The Enterprise Security app contains a number of pre-defined key indicators. Each is use case based and has:
- a value indicator
- a trend amount
- a trend indicator
- a threshold (to indicate the importance or priority of the value count)
Key indicators are populated by searches that represent an event count over time

Section 3: Security Posture & Incident Review

what's a notable event?

It's a correlated alert.

Security Posture Dashboard
How Urgency of an Event is Assigned

The severity of an event and the priority are combined to generate the urgency of an event. The urgency allows events to be weighted according to the asset, thus causing events against higher priority assets to be treated with higher urgency.

Incident Review Dashboard

lab time!
Start high. Get low. From Security Posture to Incident Review.
now it's your turn.
add some additional KPIs to your dashboard.
drilldown into critical urgency. where does that take you?
explore some of the notable events in the Incident Review dashboard.
take ownership of an alert.
now investigate. what's your next step?
Pivot through some of the links.
Full disclosure: Some of the external links aren't configured.

Section 4: Asset investigator, identity investigator, adaptive response

Event Investigator Dashboards

Visually aggregates security-related events by categories over time using swim lanes
Each swim lane represents an event category, such as authentication, malware, or notable events
An analyst can visually link activity across the event categories, and form a complete view of a host or a user's interactions in the environment

Asset Investigator

Also available for ad-hoc searching by browsing to Event Investigator > Asset Investigator in the main menu: An analyst uses the dashboard to triage an asset's interactions with the environment

Using the Asset Investigator Dashboard

Contains multiple event categories bound to swim lanes
Each event category represents a data model with relevant events
For example, the Malware Attacks swim lane displays events from an anti-virus management or other malware data source scoped to the asset searched
Multiple swim lanes are displayed simultaneously to assist the analyst in tracking the actions of an asset across event categories

lab time!
let's do this together
make sure 10.11.36.20 is in your search bar.
change timeline to Last 7 days.
click one of the blue bars.
If this were an actual breach, what shape would this be in?

Identity Investigator

Displays information about known or unknown user identities across a pre-defined set of event categories, such as change analysis and malware

Initiated through a workflow action from any dashboard that displays events with network source or destination address

Available for ad-hoc searching by browsing to Security Intelligence > User Intelligence in the Enterprise Security app, typing in the user credential in the search bar with an optional wildcard, setting a time range, and choosing Search

lab time!
let's do this together!
Navigate to: Security Intelligence > User Intelligence > Identity Investigator
search for user Hax0r
(yes. I'm serious.)
let's switch back to the Incident Review tab.

adaptive response

lab time!
(that was quick.)

Adaptive Response

your turn. peruse the response actions.
see what comes out of the box.

Section 5: Security Domains

Learning Objectives for This Section

Introduce the Access Domain dashboards
Introduce the Endpoint Domain dashboards
Introduce the Network Domain dashboards
Introduce the Identity Domain dashboards

Access Domain

Endpoint Domain

Network Domain

Identity Domain

lab time!
Security Domains
you're trying to track down lateral movement.
what dashboards would help identify it?
what would cause a time skew on hosts?
why is that important?

Section 6: Security Intelligence

Risk Analysis

companies are changing to a risk based strategy

Risk Analysis Dashboard

Displays the recent changes to risk scores and the objects that have the highest risk score
You can review this dashboard to assess the relative change in risk scores and examine the events that contributed to an object's risk score

Risk Analysis Dashboard

Use the Risk Analysis Dashboard

Use to review changes to an object's risk score, determine the source of the
risk increase, and decide if additional action is warranted

lab time!
is it getting risky in here?
what users are the highest risk in an organization?

Protocol Intelligence

Protocol Center

lab time!
What's the protocol?

DNS Activity

DNS Search

SSL Activity

Email Activity

Email Search

Threat Intelligence

Threat Activity Dashboard

Threat Intelligence | Threat Activity Dashboard

Threat Artifacts Dashboard

lab time!
are you threatening me?

User Intelligence

Access Anomalies

User Activity

Web Intelligence

HTTP User Agent Analysis

HTTP User Agent Analysis Dashboard

Use to investigate long user agent strings in your proxy data and determine if there is a possible threat to your environment
A bad user agent string, where the browser name is misspelled (ex. Mozila) or the version number is completely wrong (ex. v666), can indicate an attacker or threat

*note: SANS has a fantastic User Agent Analysis paper you should check out.
https://www.sans.org/reading-room/whitepapers/malicious/user-agent-field-analyzing-detecting-abnormal-malicious-organization-33874

Traffic Size Analysis

URL Length Analysis

URL Length Analysis Dashboard

Looks at any proxy or HTTP data that includes URL string information
Any traffic data containing URL string or path information -- firewall, router, switch, or network flows -- can be summarized and viewed in this dashboard

what legitimate sites might have an extremely long URL?

HTTP Category Analysis

HTTP Category Analysis Dashboard

Looks at categories of traffic data
Any traffic data -- firewall, router, switch, or network flows -- can be summarized and viewed in this dashboard

For info on Websense:
http://www.websense.com/content/support/library/web/v76/siem/siem.pdf

New Domain Analysis

lab time!
well, that's new
Under New Domain Analysis, find a list of machines that went to that URL, and the activity taken.

lab time!
security intelligence
the average breach lasts (roughly) 240 days.
where would you look to identify a breach happening on day one?

Section 7: Investigative Journal

lab time!
security intelligence
it's your turn!
- create an investigation.
- add some notable events.
- add some notes to describe the activity.

Section 8: Wrap-Up

Splunk Quick Starts for Security Investigation

Infrastructure Quick Start Apps / Add-Ons | Endpoint Quick Start Apps / Add-Ons

continuing education
Splunk Tutorial (The Free eLearning Module):
Search Tutorial Manual:
Splunkbook.com
Splunk Education Videos:

to action

.conf2017
The 8th Annual Splunk Conference

SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.

SAVE OVER $450
You will receive an email after registration opens with a link to save over $450 on the full conference rate.
You'll have 30 days to take advantage of this special promotional rate!

conf.splunk.com

Thank you for your time!
We do appreciate it.

Section 9: Appendix

Manual Notable Event Creation

A new notable event can be created from an event you are viewing in the Access Search, Malware Search, Traffic Search, Intrusion Search, Proxy Search, or Search dashboards

Create a new notable event from an existing event shown as part of a search result or by using New Notable Event in the Configure panel

A non-administrator role, such as an ES analyst, needs to have an administrator grant additional permissions to the role, in order to manually create and edit a new notable event

Note: Do not create a new notable event from an existing notable event
For instance, do not create a new notable event from an event shown on the Incident Review dashboard

Create a Notable Event from Existing Event

To create a new notable event from an event in the Malware Search dashboard:
1. Finalize the search in the Malware Search dashboard
2. Select "Create notable event" from the Options menu for the event
A notable event is created using parameters of the selected event

Notable Event Suppression

Notable Event Suppressions

A search filter that hides any notable events matching the search conditions
The suppression filter is created to stop an excessive or unwanted number of notable events from being displayed on the Incident Review dashboard
Example | you may want to prevent certain types of notable events from appearing on the Incident Review dashboard or contributing to defined alert thresholds

Suppression is applied to events that are already in the notable index
A suppression filter hides notable events so they will not be seen
Throttling is applied to events before they are added to the notable index, preventing them from being created
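The suppression-versus-throttling distinction above, modelled as an added example (not Splunk code): throttling drops repeat candidates before they reach the notable index, while a suppression filter only hides indexed notables at review time and stops applying once its expiration time passes. The candidate notables, the 24-hour throttle window and the suppression on dest RLOG-10 are constructed for the example.

```python
"""Throttling (pre-index) versus suppression (post-index) for notable events.

Added example, not Splunk code. A candidate notable is a dict with
rule_name, dest and _time (epoch seconds); the window, the candidates and
the suppression filter below are all constructed values.
"""

THROTTLE_WINDOW = 24 * 3600  # constructed: one notable per (rule, dest) per day

# Constructed candidates produced by one correlation search over two days.
CANDIDATES = [
    {"rule_name": "Excessive Failed Logins", "dest": "RLOG-10", "_time": 0},
    {"rule_name": "Excessive Failed Logins", "dest": "web-01", "_time": 100},
    {"rule_name": "Excessive Failed Logins", "dest": "RLOG-10", "_time": 3600},
    {"rule_name": "Excessive Failed Logins", "dest": "RLOG-10", "_time": 7200},
    {"rule_name": "Excessive Failed Logins", "dest": "RLOG-10", "_time": 90000},
]


def throttle(candidates, window=THROTTLE_WINDOW):
    """Applied before indexing: keep the first (rule, dest) match in each
    window and drop the repeats, so they are never written to the index."""
    last_seen = {}
    indexed = []
    for cand in sorted(candidates, key=lambda c: c["_time"]):
        key = (cand["rule_name"], cand["dest"])
        if key in last_seen and cand["_time"] - last_seen[key] < window:
            continue  # throttled: no notable event is created
        last_seen[key] = cand["_time"]
        indexed.append(cand)
    return indexed


def make_suppression(rule_name, dest, expires_at):
    """Build a suppression filter: a predicate over indexed notables that
    is disabled (matches nothing) once the expiration time is reached."""
    def matches(notable, now):
        if now >= expires_at:
            return False
        return notable["rule_name"] == rule_name and notable["dest"] == dest
    return matches


def incident_review(notable_index, suppressions, now):
    """Applied at display time: hide indexed notables that match an active
    suppression. The index itself is untouched."""
    return [n for n in notable_index if not any(s(n, now) for s in suppressions)]


# Constructed suppression: hide RLOG-10 failed-login notables until t=200000.
RLOG10_SUPPRESSION = make_suppression("Excessive Failed Logins", "RLOG-10",
                                      expires_at=200_000)

if __name__ == "__main__":
    index = throttle(CANDIDATES)
    print("indexed after throttling:", len(index))  # 3 of 5 candidates
    print("shown while suppressed:", len(incident_review(index, [RLOG10_SUPPRESSION], now=100_000)))
    print("shown after expiry:", len(incident_review(index, [RLOG10_SUPPRESSION], now=300_000)))
```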
Create a Suppression From Incident Review

1. Find the notable event that you want to suppress in the Incident Review dashboard
2. From the Actions menu select: Suppress events to/from... which opens the New Notable Event Suppression page
3. Review the contents of the fields
4. An Expiration Time field is available to define a time limit for the suppression filter; save the changes
5. After the time limit is met, the suppression filter is disabled
6. To review the suppression filter, browse to Configure > Incident Management > Notable Event Suppressions

Review Notable Event Suppressions

To review the suppression filter, browse to Configure > Incident Management > Notable Event Suppressions

Create a Suppression from Configure

1. Browse to Configure > Incident Management > Notable Event Suppressions
2. Click on New to create a new notable event suppression
3. Set the Name and Description used for the suppression filter
4. Populate the Search field with the search that finds the events to suppress
5. Set the Expiration Time (defines a time limit for the suppression filter)
6. If the time limit is met, the suppression filter is disabled

Edit Notable Event Suppressions

1. Browse to Configure > Incident Management > Notable Event Suppressions
2. Selecting a notable event suppression opens the Edit Notable Event Suppression page
3. Edit the Description and Search fields used for the suppression filter

Disable Notable Event Suppressions

1. Browse to Configure > Incident Management > Notable Event Suppressions
2. Select Disable in the Status column for the notable event suppression

Remove a Notable Event Suppression

1. Browse to Settings > Event types
2. Search for the suppression event: notable_suppression-<suppression_name>
3. Select delete in the Actions column for the notable event suppression

Suppression Activity Audit

Enterprise Security tracks all suppression activity for auditing on the Suppression Audit dashboard

Predictive Analytics

Learning Objectives for This Section

- Introduce predictive analysis functionality
- How to create a query
- How to turn a query into a correlation search

Predictive Analytics Dashboard

Used to search for different varieties of anomalous events in your data
Leverages the predictive analysis functionality in Splunk to provide statistical information about the results, and identify outliers in your data
Filters are implemented in a series from left to right
Example: Object filter is populated based on the Data Model selection

Predictive Analytics Dashboard

To analyze data, choose a data model, an object, a function, an attribute, and a time range and click Search

Dashboard Filters

Use the available dashboard filter options.

Filter by | Description | Action

Data Model | Specifies the data model for the search. Available data models are shown in the drop-down list. | Drop-down: select to filter by

Object | Specifies the object within the data model for the search. There must be a Data Model selection to apply an Object. | Drop-down: select to filter in

Function | Specifies the function within the object for the search. Functions specify the type of analysis to perform on the search results. For example, choose "avg" to analyze the average of search results. Choose "dc" to create a distinct count of the results. | Drop-down: select to filter in

Attribute | Specifies the constraint attributes within the object for the search. Attributes are constraints on the search results. For example, choose "src" to look at results from sources. There must be an Object selection to apply an Attribute. | Drop-down: select to filter in

Time Range | Select the time range to represent. | Drop-down: select to filter by

Advanced | Access to the advanced predict options to refine the results displayed on the dashboard | Link: a window of optional predict settings

Dashboard Panels

Panel | Description

Prediction Over Time | The Prediction Over Time panel shows a predictive analysis of the results over time, based on the time range you chose. The shaded area shows results that fall within two standard deviations of the mean value of the total search results.

Outliers | The Outliers panel shows those results that fall outside of two standard deviations of the search results.

For more info on data models, associated objects, functions, and attributes visit the following link:
docs.splunk.com/Documentation/CIM/latest/User/Overview
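The two-standard-deviation band and outlier rule the panels describe, carried through on constructed data as an added example (not Splunk code): Splunk's own predict command does time-series forecasting, whereas this stand-in implements exactly the panel text, mean plus or minus two standard deviations over the result set. The hourly failure counts and the planted spikes are constructed.

```python
"""Two-standard-deviation band and outliers, as the Predictive Analytics
panels describe them.

Added example, not Splunk code: a simplified stand-in for the predict-based
panels, using mean +/- 2 standard deviations over the whole result set.
"""
from statistics import mean, pstdev

# Constructed sample: hourly count of authentication failures for one host
# over 24 hours, with two spikes planted at hours 5 and 17 (not real data).
HOURLY_FAILURES = [
    3, 4, 2, 5, 3, 41, 4, 3, 2, 4, 5, 3,
    4, 2, 3, 5, 4, 38, 3, 4, 2, 3, 5, 4,
]

# Constructed sample showing masking: one huge spike inflates the standard
# deviation so that a smaller 4x spike (12 against a baseline of 3) stays
# inside the band and is never reported.
MASKING_SAMPLE = [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 60, 12]


def prediction_band(values, n_sigma=2.0):
    """Return (mean, stdev, lower, upper) for the shaded band of the
    Prediction Over Time panel. Population stdev, since the band is taken
    over the total search results rather than a sample of them."""
    mu = mean(values)
    sigma = pstdev(values)
    return mu, sigma, mu - n_sigma * sigma, mu + n_sigma * sigma


def outliers(values, n_sigma=2.0):
    """Return [(index, value)] for results outside the band, i.e. what the
    Outliers panel would list."""
    _, _, lower, upper = prediction_band(values, n_sigma)
    return [(i, v) for i, v in enumerate(values) if v < lower or v > upper]


def predictive_panels(values, n_sigma=2.0):
    """Both panels' contents for one result set."""
    mu, sigma, lower, upper = prediction_band(values, n_sigma)
    return {
        "prediction_over_time": {"mean": mu, "stdev": sigma, "band": (lower, upper)},
        "outliers": outliers(values, n_sigma),
    }


if __name__ == "__main__":
    panels = predictive_panels(HOURLY_FAILURES)
    print("band:", panels["prediction_over_time"]["band"])   # about (-13.5, 26.5)
    print("outliers:", panels["outliers"])                   # [(5, 41), (17, 38)]
    print("masked example:", outliers(MASKING_SAMPLE))       # only [(10, 60)]
```

The masking sample is the caveat to keep in mind when reading the Outliers panel: the outliers themselves widen the band, so a very large spike can hide a smaller one in the same time range.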

Correlation Search Builder

The flow.

1. Search for authentication source events from an application
2. Count the number of failures by user
3. If the count of authentication failures is >6 for a selected time period, then execute an Adaptive Response action

What data sources will answer the question?

1. In this case, we are focused on authentication data, so the Authentication data model will expose the underlying data relevant to our analytic
2. Note that although a deep dive on data models in Splunk is outside the scope of this workshop, it is beneficial to understand what Splunk data models are and how they relate to Splunk Enterprise Security
3. More information on data models in Splunk is available at the link below:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutdatamodels
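The three-step flow above (search Authentication events, count failures by user, act when the count is >6 in the selected period) as an added example in Python, not Splunk code: the events are constructed dicts using CIM Authentication field names (user, action, src, dest, _time), the one-hour window is a hypothetical "selected time period", and the Adaptive Response action is stood in for by a function that returns the notable event fields the search would produce.

```python
"""Failed-login correlation logic: count Authentication failures per user in
a window and fire when the count exceeds the threshold.

Added example, not Splunk code. Field names follow the CIM Authentication
data model; the window, threshold handling and sample events are constructed.
A roughly equivalent SPL sketch (not an ES-shipped search) would be:
  | tstats count from datamodel=Authentication.Authentication
      where Authentication.action="failure" by Authentication.user
  | where count > 6
"""
from collections import defaultdict

BASE = 1_500_000_000            # constructed epoch anchor for the sample
WINDOW_SECONDS = 3600           # hypothetical "selected time period": one hour
WINDOW_START = BASE
WINDOW_END = BASE + WINDOW_SECONDS
FAILURE_THRESHOLD = 6           # the flow fires when failures are > 6


def _ev(offset, user, action, src):
    """Build one constructed CIM-style authentication event."""
    return {"_time": BASE + offset, "user": user, "action": action,
            "src": src, "dest": "web-portal"}


# Constructed events: jdoe has 7 failures inside the window plus one before
# it; svc_backup has exactly 6 (at, not over, the threshold); asmith has 2
# failures and a success.
EVENTS = (
    [_ev(60 * i, "jdoe", "failure", "10.0.0.5") for i in range(7)]
    + [_ev(120 * i, "svc_backup", "failure", "10.0.0.9") for i in range(6)]
    + [_ev(300, "asmith", "failure", "10.0.0.7"),
       _ev(360, "asmith", "failure", "10.0.0.7"),
       _ev(420, "asmith", "success", "10.0.0.7"),
       _ev(-900, "jdoe", "failure", "10.0.0.5")]   # outside the window
)


def failures_by_user(events, window_start, window_end):
    """Step 2: count action=failure events per user inside [start, end)."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] != "failure":
            continue
        if not (window_start <= e["_time"] < window_end):
            continue
        counts[e["user"]] += 1
    return dict(counts)


def users_over_threshold(events, window_start, window_end,
                         threshold=FAILURE_THRESHOLD):
    """Step 3: users whose failure count is strictly greater than the threshold."""
    counts = failures_by_user(events, window_start, window_end)
    return sorted(u for u, n in counts.items() if n > threshold)


def adaptive_response(user, count):
    """Stand-in for an Adaptive Response action: returns the notable event
    fields the correlation search would emit instead of invoking anything."""
    return {"rule_name": "Excessive Failed Logins", "user": user,
            "failure_count": count, "security_domain": "access",
            "severity": "medium"}


def run_correlation(events, window_start, window_end):
    """Steps 1-3 together: one action per user over the threshold."""
    counts = failures_by_user(events, window_start, window_end)
    return [adaptive_response(u, counts[u])
            for u in users_over_threshold(events, window_start, window_end)]


if __name__ == "__main__":
    print(failures_by_user(EVENTS, WINDOW_START, WINDOW_END))
    print(run_correlation(EVENTS, WINDOW_START, WINDOW_END))
```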

so let's make one.

Create a Correlation Search

1. To access this functionality, you will need to have additional capabilities added to your role by the Splunk Administrator
2. From this dashboard, create a correlation search based on the search parameters for your current predictive analytics search
This correlation search will create an alert when the correlation search returns an event
3. Click Save as Correlation Search... to open the Create Correlation Search dialog

Create a Correlation Search (continued)

4. Select the Security domain and Severity for the notable event created by this search
5. Add a search name and search description then click Save
6. To view and edit correlation searches, go to Configure > General > Custom Searches

Notify an Analyst

A correlation search is available to notify an analyst if a notable event has not been triaged
1. Under General > Custom Searches, search for the Untriaged Notable Events
correlation search
2. Modify the search, changing the notable event owner or status fields as desired
3. Set the desired alert action
4. Save the changes
5. Enable the Untriaged Notable Events correlation search

lab time!
correlation rule creation!
Add Filter Screenshot

Risk Scoring
Example Scenario

Risk Scoring | Example Scenario

In aggregate, this behavior seems less interesting than if the same behavior occurred on the production DNS server

It's tempting to ignore or suppress notable events coming from any host that's a known jump server due to the relative noise created

You need to know the host is being monitored, but would prefer it was measured under a different set of rules

Risk Scoring | Example Scenario

The host RLOG-10 is a jump server that is generating several notable events:
The correlation searches Excessive Failed Logins and Default Account Activity Detected are creating one notable event a day for that system

As RLOG-10 is a jump server, there are many network credentials being used against this host, and software or other utilities may have been installed

Risk Scoring | Example Solution

One solution is a new correlation search that assigns a risk modifier when the correlation matches on hosts that serve as jump servers:
1. Use a whitelist to isolate the jump servers from the existing correlation searches
2. Create and schedule a new correlation search based on Excessive Failed Logins, but isolate the search to the jump server hosts and assign a risk modifier alert type only

Risk Scoring | Example Solution (cont.)

3. Verify the risk modifiers are applied to the jump server hosts, raising their risk score incrementally
With the new correlation search, no notable events will be created for those hosts based upon failed logins

Risk Scoring | Example Solution Summary

As the relative risk score goes up, RLOG-10 can be compared to all network servers
and to other jump servers:
If the relative risk score for RLOG-10 exceeds its peers, that host would be
investigated by an analyst
If the risk scores of all jump servers are higher relative to other network hosts, an
internal security policy may need to be reviewed or implemented differently
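The RLOG-10 solution and its summary, modelled as an added example (not Splunk code or the ES risk framework): failed-login matches on whitelisted jump servers add a risk modifier instead of creating a notable, other hosts still get notables, and the accumulated scores are then compared peer-to-peer and group-to-group as the summary describes. The whitelist, the modifier value of 20 per match, the weekly matches and the other hosts' baseline scores are constructed.

```python
"""Risk modifiers for whitelisted jump servers instead of notable events,
then the two comparisons from the summary: one host against its peers, and
the jump-server group against other network hosts.

Added example, not Splunk code. Whitelist, modifier value, matches and
baseline scores are constructed; real ES risk scores are not used.
"""
from collections import defaultdict
from statistics import mean

JUMP_SERVER_WHITELIST = {"RLOG-10", "RLOG-11", "RLOG-12"}  # constructed
RISK_MODIFIER_PER_MATCH = 20                               # constructed value

# Constructed matches of "Excessive Failed Logins" as (dest host, day) pairs:
# RLOG-10 matches every day of the week, its peers far less often.
MATCHES = (
    [("RLOG-10", d) for d in range(1, 8)]
    + [("RLOG-11", d) for d in (1, 3, 5)]
    + [("RLOG-12", 2)]
    + [("dns-prod-01", 4), ("web-01", 6)]
)

# Constructed risk already carried by non-jump hosts from other rules.
OTHER_HOST_RISK = {"dns-prod-01": 30, "web-01": 10, "db-01": 0}


def route_match(host):
    """Step 1: the whitelist decides which correlation search handles a host."""
    return "risk_modifier" if host in JUMP_SERVER_WHITELIST else "notable"


def process_matches(matches):
    """Step 2: jump servers accumulate risk only; other hosts get notables."""
    risk = defaultdict(int)
    notables = []
    for host, day in matches:
        if route_match(host) == "risk_modifier":
            risk[host] += RISK_MODIFIER_PER_MATCH
        else:
            notables.append({"rule_name": "Excessive Failed Logins",
                             "dest": host, "day": day})
    return dict(risk), notables


def exceeds_peers(host, risk_scores, peers):
    """Summary, first bullet: does the host's score exceed the mean of its
    peer group (itself excluded)? If so, an analyst investigates that host."""
    others = [risk_scores.get(p, 0) for p in peers if p != host]
    return bool(others) and risk_scores.get(host, 0) > mean(others)


def policy_review_needed(jump_risk, jump_servers, other_host_risk):
    """Summary, second bullet: is the whole jump-server group riskier than
    the other network hosts? If so, review the policy, not one host."""
    group = [jump_risk.get(h, 0) for h in jump_servers]
    return mean(group) > mean(other_host_risk.values())


if __name__ == "__main__":
    risk, notables = process_matches(MATCHES)
    print("risk scores:", risk)                      # RLOG-10 at 140, no notables
    print("notables:", [n["dest"] for n in notables])  # only the non-jump hosts
    print("RLOG-10 above peers:", exceeds_peers("RLOG-10", risk, JUMP_SERVER_WHITELIST))
    print("policy review:", policy_review_needed(risk, JUMP_SERVER_WHITELIST, OTHER_HOST_RISK))
```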

For a deeper dive:
http://blogs.splunk.com/2014/08/12/risk-analysis-with-enterprise-security-3-1/