Building Correlation Searches With Splunk Enterprise Security Takeaway

Building Correlation Searches with Splunk Enterprise Security

Thank you for attending our Building Correlation Searches with Splunk Enterprise Security
workshop. We hope you found it helpful. Below are links referenced during the workshop as
well as some other helpful links to use.

Apps Referenced

Building Correlation Searches with Enterprise Security companion app - https://splunkbase.splunk.com/app/4849/
Enterprise Security Content Update - https://splunkbase.splunk.com/app/3449/
Splunk Security Essentials - https://splunkbase.splunk.com/app/3435/
Common Information Model - https://splunkbase.splunk.com/app/1621/
Add-on Builder - https://splunkbase.splunk.com/app/2962/

Search Foundations

Search Reference - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual

How Splunk Stores Indexes - https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/HowSplunkstoresindexes

Conf13 Talk: Understanding Splunk’s Acceleration Technologies - http://conf.splunk.com/session/2013/WN69801_WhatsNew_Splunk_DavidMarquardt_UnderstandingSplunkAccelerationTechnologies.pdf

Conf17 Talk: Searching Fast: How To Start using tstats and Other Acceleration Techniques - https://conf.splunk.com/files/2017/slides/searching-fast-how-to-start-using-tstats-and-other-acceleration-techniques.pdf

Common Information Model / Data Models

CIM Documentation - http://docs.splunk.com/Documentation/CIM/latest/User/Overview

The Power of Data Normalization - https://conf.splunk.com/files/2017/slides/the-power-of-data-normalization-a-look-at-cim-under-the-hood.pdf

Data Model Reference Tables - https://docs.splunk.com/Documentation/CIM/latest/User/Howtousethesereferencetables

Palo Alto Networks TA Documentation Example - https://splunk.paloaltonetworks.com/installation.html

© 2020 Splunk 1
Cisco ASA TA Documentation Example - https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Description

Zeek/Bro TA Documentation Example - https://docs.splunk.com/Documentation/AddOns/released/BroIDS/Description

Add-on Builder - https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/UseTheApp

Zeek/Bro Sourcetype to Data Model Mapping - https://docs.splunk.com/Documentation/AddOns/released/BroIDS/DataTypes

Data Model to ES Dashboard Mapping - https://docs.splunk.com/Documentation/ES/latest/Admin/Dashboardrequirements

Distributed Installation of Technical Add-On Example - https://docs.splunk.com/Documentation/AddOns/released/BroIDS/Distributeddeployment

Normalizing Data at Search Time Using CIM - https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtonormalizedataatsearchtime

About Data Models - https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutdatamodels

Accelerating Your Data Models

Conf17 Talk: Searching Fast: How To Start using tstats and Other Acceleration Techniques - https://conf.splunk.com/files/2017/slides/searching-fast-how-to-start-using-tstats-and-other-acceleration-techniques.pdf

Data Model Reference Tables - https://docs.splunk.com/Documentation/CIM/latest/User/Howtousethesereferencetables

tstats command - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats

Building Correlation Searches

Splexicon - https://docs.splunk.com/Splexicon

Network Traffic Data Model Reference - https://docs.splunk.com/Documentation/CIM/latest/User/NetworkTraffic

Sigma Detection for Exercises #4-6 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml

Configuring Correlation Searches

Conf18 Talk: Enterprise Security Health Check - https://static.rainfocus.com/splunk/splunkconf18/sess/1523486400518001xr40/finalPDF/SEC1570_EnterpriseSecurityHealthCheck_Final_1538510388118001Sv0Y.pdf

Sigma Detection for Exercise #7 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml

Building Notable Events

Conf19 Talk: Enterprise Security Biology III: Dissecting the Incident Management Framework - https://conf.splunk.com/files/2019/slides/SEC1544.pdf

MITRE ATT&CK

MITRE ATT&CK - https://attack.mitre.org/

Sigma Detection for Exercise #11 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml

Scheduled Task Technique - https://attack.mitre.org/techniques/T1053/

Sources of Content

Sigma Detection Project - https://github.com/Neo23x0/sigma/

Top SIEM Use Cases (Derbycon 2016) - https://github.com/jivoi/ids_and_siem/tree/master/pdf

Use Case Library - https://docs.splunk.com/Documentation/ES/latest/Admin/Usecasecontentlibrary

Additional Resources

Tutorial - Create a Correlation Search - https://docs.splunk.com/Documentation/ES/latest/Tutorials/CorrelationSearch

Incident Management/Notable Event Framework - http://dev.splunk.com/view/enterprise-security/SP-CAAAFA9

Enhancing Incident Review - http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/

Modifying the Incident Review Page - https://www.splunk.com/blog/2019/02/15/modifying-the-incident-review-page.html

ATT&CK-ing the Adversary: Episode 3 - Operationalizing - https://www.splunk.com/en_us/blog/security/att-ck-ing-the-adversary-episode-3-operationalizing-att-ck-with-splunk.html

Optional Exercises

Sigma Detection for Optional Exercise #1 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_whoami.yml

Sigma Detection for Optional Exercise #2 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml

Sigma Detection for Optional Exercise #3 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em' - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
