Tag: SIEM

Making Use of Building Block Rules in Elastic
Making Use of Building Block Rules in Elastic

Within the “Advanced Options” of the “About Rule” section of Elastic hides a useful feature that gets little attention. This feature makes the rule generate alerts that are ‘hidden’ from the alerts view. This can be powerful. Here are some ideas to get you started! Threshold Rules Create some rules that look for distinct behaviors […]

Read More
Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk
Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk

When possible, use datamodels, they are generally your best bet for speed. However, not everything in your Splunk will be in a datamodel, and you may require a good-old-fashioned index based search. This may come as a surprise, as it is counter intuitive but often using a token in an index based search will absolutely […]

Read More
Making Use of Fillnull and Values() to Increase Rule Resiliency in Splunk
Making Use of Fillnull and Values() to Increase Rule Resiliency in Splunk

Within splunk we use “stats” and “tstats” a bunch as threat hunters. However, these useful operations can cause interesting events to be dropped unexpectedly. For instance: index=windows sourcetype=*winevent* AND EventCode=4688 AND NewProcessName=*Evil.exe| stats count by ComputerName, ParentProcessName, NewProcessName, CommandLine CommandLine is a field in 4688 events that needs to be enabled via “group policy”. So, […]

Read More
Creating Macros for Code Reuse in Splunk
Creating Macros for Code Reuse in Splunk

When you find yourself constantly reusing certain strings of Splunk commands, it can be a lot easier to represent those commands as a single line of code that can accept positional arguments and serve the same functions as a set of commands you find yourself using often. This is the purpose of a Splunk macro […]

Read More
Extracting fields in SPL
Extracting fields in SPL

Sometimes when working with new log sources or unfamiliar event records being shipped to Splunk, you’ll encounter logs with important details that could be more useful if you had them captured in a field. The entirety of the text in an event can be found in the _raw field but specific details found in the […]

Read More
Elastic Flattened Fields Explained
Elastic Flattened Fields Explained

Elastic has many “Field Types”. Flattened is a type that allows you to search subfields. Typically for cyber security analysts subfields appear in cloud logs, especially requests and responses, where the person who built the parser needed it to be future-proofed against the ever changing cloud. For instance, if we had the following JSON in […]

Read More
Splunk: How to Make Lookup Based on Wildcards
Splunk: How to Make Lookup Based on Wildcards

1) Add to transforms.conf stanza: 2) Create field_from_sourcetype.csv file with wildcards and put it to lookups folder: As result – field_name will be populated based on list with wildcards:

Read More
Splunk: How to Output Nested json as One Field
Splunk: How to Output Nested json as One Field

Often, especially when providing context to analysts who are responsible for triaging alerts, it is useful to provide all of the context that a cloud provider nests in a big json blob as just a single field. You can use the splunk operation “spath” to accomplish this goal. Note: if you have trouble manipulating the […]

Read More
AI SIEM Migration: Simplify, Optimize, Innovate
AI SIEM Migration: Simplify, Optimize, Innovate

Breaking Down Complexities for Smooth Adoption of Your Next-Scale SIEM According to Gartner, “cloud is the enabler of digital business”, which drives mission-critical organizations to consider cloud adoption and migration. SIEM migration to the cloud facilitates addressing common IT constraints, like slow time to value, limited resources, and incompatible systems. However, it is not a […]

Read More
Okta & Splunk Integration Guide
Okta & Splunk Integration Guide

In today’s world of rapidly evolving technologies, organizations are facing two huge challenges “how to handle” and “how to protect a vast amount of data.” This is where Splunk comes in handy. This SIEM helps businesses collect, analyze, and monitor log files. It has become a necessity now as it gives credible information to companies. […]

Read More