Using Splunk Enterprise Security 7.0

Using Splunk Enterprise Security
Copyright © 2022 Splunk, Inc. All rights reserved | 25 May 2022
Document Usage Guidelines
• Should be used only for enrolled students
• Not meant to be a self-paced document, an instructor is needed
• Do not distribute

Foundational Knowledge
• To be successful, students should have a solid understanding
of the following courses:
– What is Splunk?
– Intro to Splunk
– Using Fields
– Visualizations
– Search Under the Hood
– Introduction to Knowledge Objects
– Introduction to Dashboards

Course Goals
• Use Splunk Enterprise Security (ES) to detect and identify security-
related threats
• Create investigations to determine root causes of malicious or
anomalous events
• Discover previously unknown types of potential threats

Important!
All labs must be completed for
course credit

Course Outline
Module 1: Introduction to ES
Module 2: Security Monitoring & Incident Investigation
Module 3: Risk-Based Alerting
Module 4: Assets & Identities
Module 5: Investigations
Module 6: Security Domain Dashboards
Module 7: User Intelligence
Module 8: Web Intelligence
Module 9: Threat Intelligence
Module 10: Protocol Intelligence

Appendix A: Reports, Dashboards, Data Models, and ES Content Updates
Appendix B: Event Sequence Engine
Appendix C: Interfacing with Splunk Intelligence Management (TrueSTAR)
Appendix D: Cloud Security Dashboards

Module 1: Introduction to Enterprise Security

Objectives
• Explain how Splunk Enterprise Security (ES) helps security
practitioners prevent, detect, and respond to threats
• Give an overview of the features and capabilities of ES
• Describe data models, correlation searches, and notable events
• Define ES user roles
• Explain Splunk Web access to Splunk for Enterprise Security

Overview of Splunk Enterprise Security
• Built on the Splunk Operational Intelligence platform
– ES is a Splunk app, installed on a Splunk server
• Leverages Splunk's powerful search capabilities
• Provides tools for security practitioners to detect and respond to security threats and incidents
• Efficiently manage, analyze, and mitigate security breaches
• Highly customizable for your specific enterprise requirements
• Real-time, scalable, context-aware, focused on content
• Makes all data — not just your “security data” — relevant to your security effort

ES Functional Areas
Perimeter Defense
– Traffic analysis
– Vulnerability alerts
– Unexpected processes
– Prohibited traffic
– Threat activity
– Known threats

Preventive Analysis
– Statistical analysis
– Anomaly detection
– Pattern matching
– Risk framework

Breach Response
– Audit
– Investigation journaling
– Incident tracking
– Forensics tools
– Asset & identity management

ES Use Cases
• Malware protection
– Detection
– Use DNS data to identify “Patient Zero”
– Zero-day investigations
• Insider threat
– Data exfiltration
– Suspicious privileged account activity
• User Behavior
– Track threatening user behavior
– Classify accounts based on privileged access

Note
Refer to the Splunk Enterprise Security Use Cases documentation for a detailed list.

ES Detecting APTs
• Enterprise Security can help detect and prevent malicious cyber
attacks like Advanced Persistent Threats (APTs)
• An APT is a growing, global threat aimed at undetected insertion,
long-term viability, extraction/delivery of valuable information
– Focused attack on specific systems like Equifax (130 million people),
Petya, Wannacry
– Targets: business, government, individuals
– Many delivery methods
– Metamorphic/polymorphic coding
– Constantly changing and adapting
https://www.splunk.com/blog/2015/06/17/opm-apt-and-the-need-for-personalized-threat-intelligence.html
APT Attack - Example
[Figure: an attack traced across the stages Delivery, Exploitation & Installation, Command & Control, and Accomplish Mission. Numbered steps 1 to 8 run through threat intelligence, email, web (download from an infected site), the firewall, network activity/security data, host activity/security data, and authentication data (user roles). Corporate context shown underneath: identity, roles, privileges, location, behavior, risk, audit scope, classification, etc.]

The Kill Chain
Attackers use the kill chain methodology to devise and implement their attacks, but defenders can also use the kill chain to counter and prevent those attacks.

Stage | Attacker Activity | ES Countermeasures
Delivery | Email, website malware, social engineering, etc. | Threat lists, vulnerability scanning, real-time monitoring, access monitoring
Exploitation / Installation | Open attachment, download from site, upload from memory stick, etc. | Protocol Intelligence, file system alerts, intrusion detection, port monitoring
Command and Control | Execute code, open/copy files, change configuration, etc. | Malware tracking, process alerts, change alerts, analytics
Accomplish mission | Upload payload to remote server, disable services, etc. | Traffic alerts, network analysis, audits

Who Uses ES?
• Security Analysts
• Security Exec/Managers
• Security Auditors
• SOC Staff

How ES Works
1. Data is generated, forwarded, and indexed into Splunk; raw events are indexed
2. Data model summary searches run: CIM data model normalization is applied, and CIM data model key/value pairs are stored in the data model TSIDX summaries
3. Indexed data is available for ES: | tstats queries and dashboards can now use the data
4. ES background searches (content) process the data: correlation searches, trackers, and threat intelligence searches use the data models
5. ES searches for threats and anomalies and creates notable events, which are stored in summary indexes and are searchable by data models

How ES Works (cont.)
• Security-related data is acquired by add-ons
in your enterprise from servers, routers, etc.
– This data is forwarded to Splunk indexers and
stored as events
• ES runs searches (real-time or scheduled) for
indicators of threats, vulnerabilities, or attacks
– If a search discovers something that needs
attention, ES displays it on one or more of its
dashboards
– You can then investigate the issue, track it,
analyze it, and take the appropriate action
ES Data Flow
• Security-related data is acquired by add-ons in your enterprise from servers, routers, firewalls, and other network appliances
– This data is forwarded to Splunk indexers and stored as events

Example sources feeding Splunk ES (events, data models):
• Firewalls/Proxies: cisco-pix, pa-networks, juniper-networks, bluecoat
• Intrusion Detection System (packet sniffing): mcafee, snort, dragon-ids
• Vulnerability Scanners (port scanning, testing vulnerabilities): mcafee, nessus
• Production Servers (any operating system): microsoft-av, linux-secure, windows:*, access-combined
• Network Capture (Stream): stream:tcp, stream:udp, stream:http

Data Models
• Data models normalize data
• Data models provide a more
meaningful representation of
unstructured raw data
• ES depends heavily on
accelerated data models
• Accelerated data models provide a “speedup” factor
• Use | tstats searches with summariesonly = true to search
accelerated data

ES Dashboards and Data Models
• How does raw security data become available to ES dashboards?
1. Splunk or a custom add-on indexes and sourcetypes the raw data
2. Events are mapped and normalized to Splunk Common Information Model (CIM) data models
3. Events are referenced by the accelerated CIM data models
• Most ES correlation searches, dashboards, and reports use the accelerated data models
• You can create your own custom searches based on the events in your index(es) or associated with your accelerated data models

tstats Search Example
• Use | tstats to create reports based on accelerated data models
– Use | tstats summariesonly=t to restrict results to accelerated data for performance improvement
• Use Search > Datasets to build datasets using ES data models

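The screenshot for this slide does not survive extraction, so here is an added example of the kind of | tstats report the slide describes. It is not a search from the course deck or from Splunk's own content. It reports failed logons per source and user in hourly buckets from the accelerated CIM Authentication data model, keeping only sources above a constructed threshold of 20 failures per hour; it assumes the Authentication data model is accelerated on the search head, and uses the CIM field names Authentication.action, Authentication.src and Authentication.user.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=1h, Authentication.src, Authentication.user
| rename Authentication.* AS *
| where failures > 20
| sort - failures
```

With summariesonly=true the search reads only the TSIDX summaries, which is what makes it cheap enough to schedule every few minutes as a correlation search; drop the option and tstats falls back to the raw events for any time range that has not been summarized yet, which is more complete but far slower. The rename strips the data model prefix so the result columns read src, user and failures.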
ES and The KV Store
• The KV Store stores data as key-value pairs in collections on the search head
– Collections are containers for data, similar to a database table
– Collections exist within the context of a given app, like SA-IdentityManagement or SA-ThreatIntelligence
– Provides a way to manage and maintain the state of the app
• ES utilizes the KV Store to:
– track workflow of notable events
– store incident review status changes and comments
– manage lookups, like assets & identities and threat intel collections (inputlookup / outputlookup)

Important!
ES relies on the KV Store. Never disable the KV Store!

Correlation Searches
• Correlation Searches run continually in the background
looking for known types of threats and vulnerabilities
– There are a number of built-in correlation searches in ES, and more in
the Use Case Library. You can also create your own searches
• When a correlation search detects any Indicators of Compromise (IOC),
ES creates an alert called a notable event
• When a notable event is assigned to an analyst it is referred to as an
incident
• ES enables you to track, update, and resolve incidents
– Security Posture dashboard provides a cross-domain SOC overview
– Incident Review dashboard is used to inspect and manage incidents
Notable Events
• Correlation searches create notable events in the notable index
– A notable event might indicate a breach, vulnerability, or other issue
• Notable events are created with fields, event types, and tags that provide information necessary for incident investigation and a link to the original source event(s)
• You can search for the notable events in the notable index
– In ES, select Search > Search to run a manual search
– Run a search like index=notable for a given time period to see the notable events
– The event's source field shows the correlation search that created the notable event

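An added example (not a search from the course deck) of the manual notable-index search described above, extended from the bare index=notable to a summary of which correlation searches are firing, how many distinct targets they hit and with what urgency. It assumes the notable events carry the fields urgency, security_domain and dest alongside the source field the slide names.

```spl
index=notable earliest=-24h
| stats count AS notables, dc(dest) AS distinct_dests,
        values(urgency) AS urgencies,
        min(_time) AS first_seen, max(_time) AS last_seen
    BY source, security_domain
| convert ctime(first_seen) ctime(last_seen)
| sort - notables
```

A correlation search that sits at the top of this list with one urgency value and hundreds of notables in a day is the usual sign of a rule that needs tuning or a suppression rather than of a hundred incidents; one with a handful of notables across many distinct destinations is the one to read first.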
Assets and Identities
• Notable event urgency is based on the priority of the assets and identities in your environment
– Assets: devices in your enterprise, like routers and servers
  • Identified by IP address or MAC address
– Identities are people in your enterprise
  • Identified by username, email address, etc.
• Both are managed in the KV Store with lookup tables
– ES can show a meaningful name and descriptive information for a server or person instead of an IP address or user ID

Beyond Notable Events
• ES provides many advanced tools which can be used to examine security data in detail, such as:
– Risk and threat analysis
– Web and user intelligence
– Protocol (stream) intelligence
– Other adaptive responses (send email, run script, etc.)
• These tools assist analysts to:
– Perform forensic investigation of existing breaches
– Analyze the environment for new threats
– Examine the history of old breaches, understand how they happened and prevent them in the future

ES Roles
ES Roles (required for ES login):

ES Role | Role name | Capabilities | Standard Splunk role it inherits
ES User | ess_user | Runs real-time searches and views all ES dashboards | User
ES Analyst | ess_analyst | Owns notable events and performs notable event status changes | Power
ES Admin | ess_admin | Configures ES system-wide, including adding ES users, managing correlation searches, and adding new data sources | Admin

Accessing ES
• Access Splunk Web using a URL similar to: https://eshostname:8000
• To access ES a user must have an assigned ES role on the ES server (ess_admin, ess_analyst, ess_user)
• Once logged on, ES displays in the list of apps on the Splunk home page

The ES Home Page
ES Menus
• Security Posture: monitor status
• Incident Review: work on issues
• Documentation site
• Configuration tools
• Community support
• Product tutorial

Module 1 Lab: Introduction to ES
• Time: 15 minutes
• Tasks:
– Log into your Splunk classroom server, configure your user
account, and navigate to the ES home page
– Examine the source events ES is using to monitor the security
environment and notable events

Module 2: Security Monitoring and Incident Investigation

Objectives
• Use the Security Posture dashboard to monitor ES status
• Use the Executive Summary dashboards to view security operations at a high level
• Use the Incident Review dashboard to analyze notable events
• Take ownership of a notable event and move it through the
incident workflow
• Create notable events
• Suppress notable events

Monitoring and Response
• ES continually runs correlation searches for known threats, vulnerabilities,
authentication patterns, malware, or suspicious network traffic
– There are over 60 built-in correlation searches, and more with the
Enterprise Security Content Update (ESCU) app installed
– Or you can create your own
• When a correlation search detects any Indicators of Compromise (IOC), ES creates an adaptive response, one of which is a notable event or incident
• ES enables you to track, update, and resolve incidents
– Security Posture dashboard provides a cross-domain SOC overview
– Executive Summary dashboards to evaluate security trends
– Incident Review dashboard to inspect and manage incidents
The Security Posture Dashboard
• An overview of your Enterprise Security status
• Key Indicators (KI) at the top provide an at-a-glance view of notable event status over the last 24 hours
• The four panels provide additional summary information categorized by urgency, time, and top notable event types and sources

Key Indicators (KI)
• Edit key indicators (link at the top of the dashboard)
• Large number = total number of notable events in that category
– Black = no threshold set
– Red = over threshold
– Green = under threshold
• Trend of events indicator: red for increase, green for decrease
– Total increase or decrease over the past 48 hours (from previous 24-hr period to last 24-hr period)

KI Drilldown to Incident Review
1. From the Security Posture dashboard, click a KI total value
2. The details for the KI open in Incident Review

Security Posture Panels

Notable Event Urgency
• Each notable event has an Urgency field, ranging from Unknown to Critical
• Urgency is a combination of two factors:
– Severity: based on the severity added to the notable event by the correlation search
– Priority: assigned to the associated assets or identities, i.e., the server or user
• If more than one asset or identity is involved in a single notable event, the one with the highest priority determines the urgency

Urgency Table
• How urgency values are calculated in notable events by default
• Can be overwritten by modifying asset/identity priority and rank, correlation search syntax, or the Urgency Levels lookup

Asset/Identity Priority + Event Severity = Urgency

Asset/Identity Priority | Severity: Informational | Unknown | Low | Medium | High | Critical
Unknown | Informational | Low | Low | Low | Medium | High
Low | Informational | Low | Low | Low | Medium | High
Medium | Informational | Low | Low | Medium | High | Critical
High | Informational | Medium | Medium | Medium | High | Critical
Critical | Informational | Medium | Medium | High | Critical | Critical

Drilldown Support
• Hover over an item to preview details about its underlying notable events
1. Click an item to open the related notable events in the Incident Review dashboard
2. From the Incident Review dashboard:
a. Drill down into the notables’ details
b. Take ownership
c. Work the issue

Incident Review Dashboard
• Use charts, filters, and search to focus on specific notable events
• Hide the donut charts or filters
• Expand an event for details
• Notable event Actions menu
• Add event(s) to an investigation
• Notable Events menu
• Investigation bar

Incident Review Filter Fields
• Saved filters: any filters created and saved on the IR dashboard
• Search: Splunk search language expressions
• Tag: tags configured for key/value pairs
• Urgency: Informational, Low, Medium, High, Critical, Unknown
• Status: New, In Progress, Pending, Resolved, Closed
– Along with Owner, is used to track the status of an incident
• Owner: user assigned to investigate and resolve an incident
• Security Domain: Access, Endpoint, Identity, Network, Threat, Audit
• Type: Notable or Risk Notables
• Search Type: the title of a correlation search or configured sequence template
• Time or Associations: time range, short ID, or Running Template

Using the Incident Review Dashboard
• Search supports full SPL and wildcard search
• When adding one or more values per field, the values are ORed together
• Urgency values can be toggled on and off
– Gray values are “off” and will not be searched
• If values are set for more than one field, the fields are ANDed together
• Status, Owner, Security Domain and Tag support multiple OR values

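An added example, not from the course deck, that spells out the filter logic just described as plain SPL against the notable index: two Urgency values ORed inside their field, two Security Domain values ORed inside theirs, and the two groups ANDed together. The field names urgency, security_domain, src, dest and user on notable events are assumed here; the dashboard builds the equivalent search for you, but the written form is what you reuse in a scheduled report.

```spl
index=notable earliest=-24h latest=now
    (urgency="critical" OR urgency="high")
    (security_domain="network" OR security_domain="threat")
| table _time, source, urgency, security_domain, src, dest, user
| sort - _time
```

One caveat the dashboard hides: Status and Owner are not fields on the indexed notable event but live in the KV Store, so a raw index=notable search cannot filter on them; the Incident Review dashboard joins them in from the incident review collection before applying those two filters.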
Notable Event Details
• Expand the notable event for details
• Notable event Actions menu
• Fields for the notable event, with an Action menu for each field (Field Action menus)

Note
You cannot expand an event until the search is complete. Not all incidents have all the same detail items.

Create a Short ID from Event Details
Scroll to the bottom of the details for a notable event to see the Event Details section and create a Short ID for the event
1. Click Create Short ID for ES to automatically generate a short ID that makes it easier to find and share a notable event
2. The Short ID replaces the Create Short ID link

Create a Short ID: Notable Event Actions
1. From the notable event Actions drop-down, select Share Notable Event to create a Short ID
2. In addition to creating a Short ID, it enables sharing the event via a link:
• Click the Bookmark button to copy the link for sharing
or
• Click and drag the Bookmark button to your Bookmarks bar to save the link

Search for a Short ID or Investigation
1. Select Associations from the Time or Associations menu, and Short ID from the Associations menu
2. Click inside the filter field and enter all or part of a Short ID (a drop-down appears and filters as you type), or click and scroll to the Short ID
3. Click Submit

Note
You can search for one or multiple Short IDs.

Field Action Menu
• Each notable event field has an Action menu allowing you to:
– Investigate the asset, set tags, or search Google. Depending on the field type, other options may be available
• Risk scores for systems or users are displayed next to fields
– Click a risk score to open the Risk Analysis dashboard for that asset or identity

Note
Scroll the menu to make sure you see all the available field actions.

Notable Event Actions Menu
• Each notable event has an Actions menu with options related to
the event, such as:
– Adding the event to an investigation
– Suppressing the notable event
– Sharing the notable event with others
– Initiating further adaptive response actions

Incident Workflow: Concepts
1. Assign an owner
2. Examine the incident
3. Implement corrective measures
Analysts are responsible for changing workflow status values as they work incidents.
ES Admins can define and add new status values and assign values to different roles, so the statuses in your environment may differ:
• New - not yet being worked
• In Progress - analysis underway
• Pending - various: work in progress, awaiting action, etc.
• Resolved - fixed, awaiting verification
• Closed - fix verified

Note
When a notable is assigned an owner, it is tracked as an incident in the KV Store.

Incident Workflow: Procedures
1. Select one or more events
2. Click Edit Selected
3. Set Status, Urgency, Owner, and Disposition. Optionally, add a Comment
4. Click Save changes
• As needed, add selected event(s) to an investigation. It will appear under Related Investigations in the event details
• As needed, click the + icon on the Investigation Bar to view an investigation, add a new one, or click the spy glass to perform a quick search

Incident Review History
1. Select View all review activity for this Notable Event to open a new search showing all “review” events for the current issue
2. The results show the reviewer, urgency, status, and owner changes for the event throughout the review process

Tip
The `incident_review` macro can be used in custom searches and reports for incident status tracking by directly accessing the KV Store.

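An added example of the status-tracking report the Tip above suggests; it is not a search from the course deck. It assumes the `incident_review` macro returns one row per review action with the fields rule_id, status, owner, urgency, reviewer and _time (the deck names reviewer, urgency, status and owner; the exact field names and whether status holds a label or a numeric status id depend on your ES version and configuration, so check the macro's raw output first). The first stats collapses the review history to the current state of each incident; the second counts incidents per owner and status.

```spl
| `incident_review`
| stats latest(status) AS status, latest(owner) AS owner,
        latest(urgency) AS urgency, latest(reviewer) AS last_reviewer,
        max(_time) AS last_update
    BY rule_id
| convert ctime(last_update)
| stats count AS incidents BY owner, status
| sort owner -incidents
```

Because the macro reads the KV Store rather than the notable index, this report reflects status changes made seconds ago and is the right basis for an "incidents open per analyst" panel; the notable index alone never sees a status change.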
Notable Event Adaptive Response
• Notable events may contain further adaptive responses that an analyst can initiate (ping, nslookup, change risk, run script, etc.)
• Depending on the type of notable event, different actions are available
• Use Actions > Run Adaptive Response Actions to trigger an action
• Adaptive Responses: previously executed actions
• Next Steps: if configured in the correlation search, suggested actions to trigger next

Triggering Actions
Actions > Run Adaptive Response Actions
• Choose from a list of actions to run
• This list is configured by your ES admin
– Enter some, or all, of the action name to filter (the list filters as you type)
• You may see different options depending on availability and permissions

Ping Example
As you investigate, you may need to see if the affected server is up
• Host Field: the event field holding the host to ping (e.g., dest, src)
• Max Results: the number of results the ping returns (default is 1)
• Index and Worker Set are optional
• Find your action in the notable event's list of Adaptive Responses and click Ping to view the results

Note: If there is an investigation selected in the Investigation Bar, Adaptive Responses will display an Action column with the option to add the response to the current investigation.
Threat Intel Example
Similarly, you can add threat artifacts to a threat collection (needs to be configured by your admin first)
• Threat Group: the group to attribute this artifact to (e.g., iblocklist_logmein (threatlist))
• Threat Collection: the collection to add the threat artifact to (e.g., ip_intel)
• Field from event: a field in the event containing the information (e.g., dest)
Send to UBA Example
Automatically send correlation search results to Splunk User Behavior Analytics (UBA)
• Category: the category in UBA
• Severity: sets the score in UBA for the notable event (optional)

Note: UBA must be installed on the ES search head for this Response Action to be available.
Adaptive Response Action Center

Tagging Incidents
• Associate significant incidents with tags
– Example: quickly find all incidents related to servers infected with malware
• Add a tag to each server using Action > Edit Tags for the dest, src or ip field (for this example)
• Search for tag "Infected" using the Tag filter on Incident Review
• Now only notable events with this tag value will display

Important! Tags are case sensitive.
Creating and Suppressing Notable Events
• Manual creation: useful when you have source event data that has
not (yet) been identified by ES as suspicious, and you want to
create a notable event that will identify the issue and allow you to
track it
• Suppression: useful if you are getting false positives from a host
or a user, and you want to exclude future notable events from that
host or user
• ES Analysts do not have permission to perform these actions by default
– An ES Admin must give the ess_analyst and ess_user roles the Edit Notable Event Suppressions permission

Creating Notable Events
• Create ad-hoc notable events
– For instance: if you find an event in
Splunk that has not triggered a
correlation search's parameters,
but you feel it should be
investigated
• Steps:
1. Run a search on the source events
2. Expand an event and select
Event Actions
3. Select Create notable event
4. Enter the desired data for the
notable event and click Save
Suppressing Notable Events
Suppress notable events that are false positives, like a server that has been temporarily misconfigured

From Incident Review:
1. Click the notable event's Actions drop-down
2. Select Suppress Notable Events
3. Give the suppression a name
4. Set description and dates
5. Click Save

Note: The end date is optional. If left blank, all future notable events matching both the dest field AND the signature are suppressed.
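The rule above is a match on both the dest field and the signature, bounded by a start date and an optional end date. As an added example that is not part of the course and not Splunk's own suppression code (ES stores suppressions as eventtypes; this is a stand-alone model of the behaviour the slide describes), the Python below filters constructed notable events against constructed suppression definitions. The field names, labels, signatures and hosts are all assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed suppression definitions (assumed field names). A blank end
# date means "suppress indefinitely", as the slide's note describes.
SUPPRESSIONS: List[Dict] = [
    {"label": "web01-failed-logins", "signature": "Excessive Failed Logins",
     "dest": "web01", "start": "2022-05-24T00:00:00Z", "end": None, "disabled": False},
    {"label": "db01-maintenance", "signature": "Excessive Failed Logins",
     "dest": "db01", "start": "2022-05-18T00:00:00Z", "end": "2022-05-20T00:00:00Z", "disabled": False},
    {"label": "scan01-authorized", "signature": "Vulnerability Scanner Detected",
     "dest": "scan01", "start": "2022-05-01T00:00:00Z", "end": None, "disabled": True},
]

# Constructed notable events as Incident Review would list them.
NOTABLES: List[Dict] = [
    {"id": 1, "_time": "2022-05-25T10:00:00Z", "signature": "Excessive Failed Logins", "dest": "web01"},
    {"id": 2, "_time": "2022-05-25T10:05:00Z", "signature": "Excessive Failed Logins", "dest": "web02"},
    {"id": 3, "_time": "2022-05-25T10:10:00Z", "signature": "Excessive Failed Logins", "dest": "db01"},
    {"id": 4, "_time": "2022-05-25T10:15:00Z", "signature": "Vulnerability Scanner Detected", "dest": "web01"},
    {"id": 5, "_time": "2022-05-25T10:20:00Z", "signature": "Vulnerability Scanner Detected", "dest": "scan01"},
]


def matching_suppression(notable: Dict, suppressions: List[Dict]) -> Optional[str]:
    """Return the label of the first enabled suppression covering this notable, else None.

    A suppression applies only when BOTH the signature and the dest match and
    the notable's time falls inside [start, end]; a missing end date is open-ended.
    """
    when = _ts(notable["_time"])
    for s in suppressions:
        if s["disabled"]:
            continue
        if s["signature"] != notable["signature"] or s["dest"] != notable["dest"]:
            continue
        if when < _ts(s["start"]):
            continue
        if s["end"] is not None and when > _ts(s["end"]):
            continue  # expired suppression: the notable surfaces again
        return s["label"]
    return None


def apply_suppressions(notables: List[Dict], suppressions: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Split notables into (visible, suppressed); suppressed ones carry the matching label."""
    visible, suppressed = [], []
    for n in notables:
        label = matching_suppression(n, suppressions)
        if label is None:
            visible.append(n)
        else:
            suppressed.append({**n, "suppressed_by": label})
    return visible, suppressed


if __name__ == "__main__":
    shown, hidden = apply_suppressions(NOTABLES, SUPPRESSIONS)
    for n in hidden:
        print(f"notable {n['id']} suppressed by {n['suppressed_by']}")
    for n in shown:
        print(f"notable {n['id']} shown: {n['signature']} on {n['dest']}")
```

Only notable 1 is hidden: notable 2 differs in dest, notable 4 differs in signature, notable 3's suppression expired on its end date, and notable 5's suppression is disabled. Those last two are the cases to check first when a "fixed" false positive reappears in Incident Review.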
Managing Notable Event Suppressions
Configure > Incident Management > Notable Event Suppressions
• View, edit, and create suppressions
• Select a suppression Label to edit
• Enable or disable a suppression

Important: Users with the ess_analyst or ess_user role must be given the Edit Notable Event Suppressions permission to perform these tasks.
The Executive Summary Dashboards
• Select Executive Summary or SOC Operations dashboards
• Provides a summary of data over several time range options
• Action menus allow for search and refresh

Screenshot callouts: Time Range, Action Menu
Key Metrics Section
• Available in Executive Summary and SOC Operations dashboards
• Mean Time to Triage: time between when a notable was detected and the first action taken on that notable
• Mean Time to Resolution: time between when a notable was detected and when its status changed to an end status
• Investigations Created: number of investigations created over time period
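The two time-based metrics are computed from the same review trail that the Incident Review History slide shows (reviewer, status, owner and urgency changes per notable). The Python below is an added example, not Splunk's dashboard search: it re-implements both definitions over a constructed set of notables and review records shaped like the KV Store rows the `incident_review` macro returns. The record field names, the analyst names and the choice of "Closed" as the only end status are assumptions.

```python
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed notables: rule_id -> detection time (the notable's _time).
NOTABLES: Dict[str, str] = {
    "A": "2022-05-25T08:00:00Z",
    "B": "2022-05-25T09:00:00Z",
    "C": "2022-05-25T10:00:00Z",  # never touched by an analyst
    "D": "2022-05-25T10:30:00Z",  # triaged but still open
}

# Constructed review records (assumed field names), one row per change.
REVIEWS: List[Dict] = [
    {"rule_id": "A", "time": "2022-05-25T08:10:00Z", "status": "In Progress", "owner": "alice", "reviewer": "alice", "urgency": "high"},
    {"rule_id": "A", "time": "2022-05-25T09:00:00Z", "status": "Closed", "owner": "alice", "reviewer": "alice", "urgency": "high"},
    {"rule_id": "B", "time": "2022-05-25T09:30:00Z", "status": "New", "owner": "bob", "reviewer": "bob", "urgency": "medium"},
    {"rule_id": "B", "time": "2022-05-25T09:45:00Z", "status": "In Progress", "owner": "bob", "reviewer": "bob", "urgency": "medium"},
    {"rule_id": "B", "time": "2022-05-25T11:30:00Z", "status": "Closed", "owner": "bob", "reviewer": "alice", "urgency": "medium"},
    {"rule_id": "D", "time": "2022-05-25T10:40:00Z", "status": "In Progress", "owner": "bob", "reviewer": "bob", "urgency": "low"},
]

# Statuses the ES admin has flagged as end statuses (assumption: only Closed).
END_STATUSES = {"Closed"}


def review_history(reviews: List[Dict], rule_id: str) -> List[Dict]:
    """Chronological reviewer/urgency/status/owner trail for one notable."""
    rows = sorted((r for r in reviews if r["rule_id"] == rule_id), key=lambda r: _ts(r["time"]))
    return [{k: r[k] for k in ("time", "reviewer", "urgency", "status", "owner")} for r in rows]


def key_metrics(notables: Dict[str, str], reviews: List[Dict], end_statuses=END_STATUSES) -> Dict:
    """MTTT = detection -> first review action; MTTR = detection -> first end status.

    Notables with no review record are reported as untriaged and excluded from
    MTTT; triaged notables that never reached an end status are reported as
    unresolved and excluded from MTTR.
    """
    by_id: Dict[str, List[Dict]] = {}
    for r in reviews:
        by_id.setdefault(r["rule_id"], []).append(r)

    triage, resolve, untriaged, unresolved = {}, {}, [], []
    for rule_id, detected in notables.items():
        t0 = _ts(detected)
        trail = sorted(by_id.get(rule_id, []), key=lambda r: _ts(r["time"]))
        if not trail:
            untriaged.append(rule_id)
            continue
        triage[rule_id] = (_ts(trail[0]["time"]) - t0).total_seconds()
        ends = [r for r in trail if r["status"] in end_statuses]
        if ends:
            resolve[rule_id] = (_ts(ends[0]["time"]) - t0).total_seconds()
        else:
            unresolved.append(rule_id)

    return {
        "mean_time_to_triage_s": mean(triage.values()) if triage else None,
        "mean_time_to_resolution_s": mean(resolve.values()) if resolve else None,
        "triage_s": triage,
        "resolution_s": resolve,
        "untriaged": untriaged,
        "unresolved": unresolved,
    }


def reviews_by_analyst(reviews: List[Dict]) -> Dict[str, int]:
    """Volume of review actions per analyst, as the Incident Review Audit reports it."""
    counts: Dict[str, int] = {}
    for r in reviews:
        counts[r["reviewer"]] = counts.get(r["reviewer"], 0) + 1
    return counts


if __name__ == "__main__":
    m = key_metrics(NOTABLES, REVIEWS)
    print("MTTT minutes:", m["mean_time_to_triage_s"] / 60)
    print("MTTR minutes:", m["mean_time_to_resolution_s"] / 60)
    print("untriaged:", m["untriaged"], "unresolved:", m["unresolved"])
    print("reviews by analyst:", reviews_by_analyst(REVIEWS))
```

With this data MTTT is 1000 s (A 10 min, B 30 min, D 10 min) and MTTR is 6300 s (A 60 min, B 150 min). Note that a notable reassigned but never worked still counts as triaged, which is why a low MTTT alone says little about SOC throughput.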

Notables Section

Notables Section (cont.)

Risk Section
• Shows the number of regular notables versus risk notables over time
• Displays number of risk events that generated risk notables versus risk
events that did not generate risk notables over time
• Lists risk event sources not contributing to any risk notables

Additional Metrics Section
• Displays number of adaptive response actions fired in the
system over time
• Shows how many enabled sources have risk actions versus
notable actions over time
• Displays distribution of correlation searches enabled versus
disabled over time

Workload Section
• Displays assigned versus unassigned notables over time
• Shows notables assigned versus notables resolved over time
• Presents assigned open versus closed notables by analyst over time

Dispositions Section

Audit > Incident Review Audit
• Overview of Incident
Review activity
• Volume of incidents
reviewed and by whom
• Incident aging over last
48 hours, by status and
by reviewer
• Statistics on triage time
and closure time

Module 2 Lab: Monitoring & Investigating
Time: 30 minutes
Description: An expired user account has been detected
attempting to log on to high priority resources
Tasks:
– Use the Security Posture dashboard
– Continue researching unauthorized network access
– Begin working the issue
– Test workstation status
– Remove the false positives from the list of incidents
– Resolve your incident
– Suppress notable events

Module 3:
Risk-Based Alerting

Objectives
• Give an overview of Risk-Based Alerting
• View Risk Notables and risk information on the Incident Review
dashboard
• Explain risk scores and how to change an object’s risk score
• Review the Risk Analysis dashboard
• Describe annotations

Risk Overview
• A risk score is a single metric that shows the relative risk of an object
(system, user, or other) in the network over time
• Risk is increased by the Risk Analysis adaptive response action attached to a correlation search
• ES Admins can configure an object’s risk value manually or by editing
the correlation search
– Edit the Risk Analysis Response Action in a correlation search to modify the
risk score that is assigned to an object
• How is risk different from priority, severity, or urgency?
– You can see cumulative risk caused by multiple events over time
– You can fine-tune the way you interpret threats or vulnerabilities
Risk Overview (cont.)
• ES Admins can configure an object's risk value:
– by editing the Risk Analysis Response Action in a correlation search
– by creating a Risk Factor under Content Management
• Risk Factors specify conditions to dynamically adjust risk scores to specific objects
– For example: a Risk Factor can add 5 to the risk score of any identity with a user_category of "contractor"
• ES Admins and ES Analysts can add ad-hoc risk scores for objects from the Risk Analysis dashboard
Risk Activity Examples
• User risk
– An employee who begins moving files to a local workstation and emailing attachments to external sites
– A contractor who begins logging on from many different geographically remote systems throughout the organization
• Asset risk
– A restricted system (like a point-of-sale station) begins running new processes
– A server shows connections to known malicious sites on the internet
• Correlation searches can detect these events and add to the objects' risk score automatically
Why Risk-Based Alerting?
• Address alert fatigue!
• Improve detection of sophisticated threats like low-and-slow attacks that
traditional SIEMs miss
• Seamlessly align to cyber security frameworks like MITRE ATT&CK, Kill
Chain, CIS 20, and NIST
• Scale analyst resources to optimize SOC productivity and efficiency

Risk Framework
1. Create risk rules (Risk Analysis adaptive response action) to create risk attributions for entities when something suspicious happens. Instead of triggering an alert, risk attributions are sent to the risk index
2. Enrich risk attributions by appending relevant context like a risk score or a MITRE ATT&CK technique
3. A risk incident rule (risk correlation search) creates a risk notable when an entity's risk score or behavioral pattern meets the predetermined threshold in the correlation search
Risk Rules
• The Risk Analysis adaptive response action, if configured in a correlation search, is considered a Risk Rule
• A Risk Rule feeds results (risk attributions) into the risk index
Risk Correlation Searches
• Risk Incident Rules are the “risk” correlation searches that run
against the risk index
• Risk Incident Rules create “Risk Notables”
• There are two out-of-the-box Risk Incident Rules
– ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days
• Creates a risk notable when the number of distinct MITRE ATT&CK tactics attributed to an object exceeds 3 over the last 7 days
– Risk Threshold Exceeded for Object Over 24 Hour Period
• Creates a risk notable when the cumulative risk score for an object exceeds 100 over the last 24 hours
• Custom risk incident rules can be created
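The slides from Risk Overview through Risk Correlation Searches describe one pipeline: risk rules write scored attributions to the risk index, Risk Factors adjust those scores from identity attributes, ad-hoc entries add or subtract, and two risk incident rules aggregate per object over a window. The Python below is an added, stand-alone re-implementation of that pipeline, not the SPL of ES's own risk correlation searches. The risk-index row layout (risk_object, risk_object_type, risk_score, _time, tactic, source), the identity slice, the correlation search names and the "+5 for contractors" Risk Factor are constructed assumptions; reading the tactic rule as a count of distinct tactics follows its name.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


NOW = _ts("2022-05-25T12:00:00Z")  # the "current time" the rules run at

# Thresholds from the two out-of-the-box risk incident rules on the slide.
RISK_THRESHOLD = 100      # cumulative score over 24 hours
TACTIC_THRESHOLD = 3      # distinct ATT&CK tactics over 7 days

# Constructed slice of the identity lookup, read by the Risk Factor below.
IDENTITIES: Dict[str, Dict[str, str]] = {
    "jdoe": {"category": "contractor"},
    "asmith": {"category": "employee"},
}

# Constructed Risk Factor: "+5 for any identity whose category is contractor".
RISK_FACTORS: List[Dict] = [
    {"name": "contractor_uplift", "risk_object_type": "user",
     "field": "category", "equals": "contractor", "add": 5},
]

# Constructed risk index contents: one row per risk attribution (assumed fields).
RISK_EVENTS: List[Dict] = [
    {"_time": "2022-05-25T10:00:00Z", "risk_object": "jdoe", "risk_object_type": "user", "risk_score": 20, "tactic": "Initial Access", "source": "Brute Force Access Behavior Detected"},
    {"_time": "2022-05-25T10:30:00Z", "risk_object": "jdoe", "risk_object_type": "user", "risk_score": 40, "tactic": "Credential Access", "source": "Credential Dumping Detected"},
    {"_time": "2022-05-25T11:00:00Z", "risk_object": "jdoe", "risk_object_type": "user", "risk_score": 30, "tactic": "Lateral Movement", "source": "Remote Login From Unusual Host"},
    {"_time": "2022-05-23T09:00:00Z", "risk_object": "jdoe", "risk_object_type": "user", "risk_score": 10, "tactic": "Discovery", "source": "Network Scan Detected"},
    {"_time": "2022-05-10T09:00:00Z", "risk_object": "jdoe", "risk_object_type": "user", "risk_score": 50, "tactic": "Exfiltration", "source": "Large Outbound Transfer"},
    {"_time": "2022-05-25T11:30:00Z", "risk_object": "asmith", "risk_object_type": "user", "risk_score": 60, "tactic": "Execution", "source": "Suspicious PowerShell"},
    {"_time": "2022-05-25T08:00:00Z", "risk_object": "asmith", "risk_object_type": "user", "risk_score": 35, "tactic": "Execution", "source": "Suspicious PowerShell"},
    {"_time": "2022-05-25T11:45:00Z", "risk_object": "asmith", "risk_object_type": "user", "risk_score": -20, "tactic": None, "source": "ad-hoc"},
    {"_time": "2022-05-25T09:00:00Z", "risk_object": "web01", "risk_object_type": "system", "risk_score": 30, "tactic": "Initial Access", "source": "Web Attack Signature"},
]


def adjusted_score(event: Dict, factors=RISK_FACTORS, identities=IDENTITIES) -> int:
    """Risk rule output plus any Risk Factor whose condition the object's attributes meet."""
    score = event["risk_score"]
    if event["source"] == "ad-hoc":
        return score  # assumption: an analyst's ad-hoc entry is taken exactly as entered
    attrs = identities.get(event["risk_object"], {}) if event["risk_object_type"] == "user" else {}
    for f in factors:
        if f["risk_object_type"] == event["risk_object_type"] and attrs.get(f["field"]) == f["equals"]:
            score += f["add"]
    return score


def _in_window(event: Dict, now: datetime, window: timedelta) -> bool:
    t = _ts(event["_time"])
    return now - window < t <= now


def risk_score_over(events, risk_object, now=NOW, window=timedelta(hours=24), factors=RISK_FACTORS) -> int:
    """Cumulative, factor-adjusted risk for one object inside the window."""
    return sum(adjusted_score(e, factors) for e in events
               if e["risk_object"] == risk_object and _in_window(e, now, window))


def tactics_over(events, risk_object, now=NOW, window=timedelta(days=7)) -> List[str]:
    """Distinct ATT&CK tactics attributed to the object inside the window."""
    return sorted({e["tactic"] for e in events
                   if e["risk_object"] == risk_object and e.get("tactic") and _in_window(e, now, window)})


def run_risk_incident_rules(events, now=NOW) -> List[Dict]:
    """Emit one risk notable per (rule, object) whose threshold is exceeded."""
    notables = []
    for obj in sorted({e["risk_object"] for e in events}):
        score = risk_score_over(events, obj, now)
        if score > RISK_THRESHOLD:
            notables.append({"rule": "Risk Threshold Exceeded for Object Over 24 Hour Period",
                             "risk_object": obj, "risk_score": score})
        tactics = tactics_over(events, obj, now)
        if len(tactics) > TACTIC_THRESHOLD:
            notables.append({"rule": "ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days",
                             "risk_object": obj, "tactics": tactics})
    return notables


if __name__ == "__main__":
    for n in run_risk_incident_rules(RISK_EVENTS):
        print(n)
```

Two things worth noticing in the output. jdoe's three attributions in the last 24 hours sum to 90, below the threshold; the contractor Risk Factor lifts them to 105 and that is what creates the risk notable, so a Risk Factor is as much a detection decision as the rules themselves. asmith's ad-hoc entry of -20 pulls an otherwise borderline user down to 75, which is the "subtracted from the object's overall risk score" case from the Ad-hoc Risk Entry slide.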
Risk-Based Alerting Example
• "Risk attributions" (risk score changes) along the timeline are put into the risk index
• A Risk Incident Rule creates a Risk Notable because the risk score of the user exceeds 100 over a 24-hour period
• Use Incident Review to view the Risk Notable
Risk Notables
• Filter Incident Review to show only Risk Notables
• Fields display risk information for risk objects
Risk Notable Details
• Click Risk Events to view the details
• Click an individual event for the details
• Expand for details
Risk Analysis Example
A priority firewall server is attacked periodically over time
1. A few attacks are expected, but as they accumulate over weeks, the
risk score for that server increases
2. If other low priority events are also accumulating for that server, like
minor vulnerabilities and low-grade anomalous network activity, they
also contribute to the risk score for the server
3. If the risk for that server increases more than other servers due to
this continuing activity, you can be alerted and investigate
These types of issues are difficult to detect without this cumulative
approach

Risk Analysis Dashboard
Security Intelligence > Risk Analysis
• Timeline of most active risk-increasing events
• Object and risk score
• Risk scores by correlation search
Ad-hoc Risk Entry
• ES Analysts can perform a one-time ad-hoc risk adjustment for an object
• Useful to change an object's risk based on your own investigation
• The risk value you enter is added to (or subtracted from) the object's overall risk score

Fields on the Create Ad-hoc Risk Entry window:
– Risk Message: a description of the adjustment
– Risk Score: positive or negative
– Risk Object: object name (user or system)
– Risk Object Type: use other for an unspecified object
Ad-hoc Risk Entry – Threat Objects
• Threat objects can also be added to an ad-hoc risk adjustment
• Correlate threat objects with risk events to make adjustments to the risk score
– Threat Object: an object that poses a threat to the environment, such as a command or a script that was run
– Threat Object Type: the type of threat object, like script or file_hash
Ad-hoc Risk Entry - Annotations
• Also available on the Create Ad-hoc Risk Entry window is the ability to add annotations
– Enter annotation attributes or choose MITRE ATT&CK annotations from the included list
– Create a custom annotation
– Save the ad-hoc entry
• Use annotations to enrich correlation search results with the context from industry-standard mappings
• Used as field labels in the Risk Analysis dashboard
Annotations
ES includes the following annotations for common security frameworks, or you can create custom annotations

Example industry-standard mappings:

Security Framework | Mapping Examples
CIS 20             | CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
Kill Chain         | Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
MITRE ATT&CK       | T1015, T1138, T1084, T1068, T1085 (also contains MITRE technique IDs from the mitre_attack_lookup lookup definition)
NIST               | PR.IP, PR.PT, PR.AC, PR.DS, DE.AE
View Annotation Details
• Hover over an annotation to view the risk modifier count or risk score
Module 3 Lab: Risk-Based Alerting
Time: 25 minutes
Description: Examine risk-based information and high-risk assets or
users in your environment
Tasks:
– Review the risk-based information for a risk notable
– Examine user risk information
– Manually adjust a risk score

Module 4:
Assets & Identities

Objectives
• Give an overview of the ES Assets and Identities framework
• Show examples where asset or identity data is missing from ES
dashboards or notable events
• View the Asset & Identity Management Interface
• View the contents of an asset or identity lookup table

Assets & Identities Overview
• Asset and identity configuration enhances the information available for users and systems in notable events and ES dashboards
• ES admins add the enhanced data for assets and identities to ES in lookup tables
Missing Data Example 1
If enhanced data is not included in the Assets & Identities configuration
for a user or system, notable event and dashboard data is still available
for the object, though the additional information is not provided
For example, objects may show as “not
known” in the Asset or Identity Investigator

Important!
If you are expecting to see enhanced
data for a particular object, double
check the configuration in the Assets
& Identities Management interface.
Missing Data Example 2
Unknown objects in the Investigators show a problem with the Asset and Identity configuration

Dashboards or dashboard panels may be empty if the Asset & Identity lookups are not configured, mis-configured or disabled
Asset & Identity Management Interface
Asset and identity lookups and settings are configured in Configure > Data Enrichment > Asset and Identity Management
• The list shows each lookup's name and status

Important! The screenshot shows the default ess_analyst view. Users must have the edit_modinput_identity_manager capability to make changes in the A&I Management interface.
View Asset & Identity Lookups
• View the contents of a lookup table using | inputlookup
For Example: | inputlookup demo_identities.csv
| inputlookup demo_assets.csv
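What `inputlookup` shows is the raw table; what ES does with it is join each notable's src, dest and user against those rows and add fields such as src_priority or user_category, falling back to "not known" when nothing matches (the Missing Data slides). The Python below is an added, stand-alone example of that enrichment, not ES's own lookup code: it parses two constructed CSV slices using a subset of the ES asset and identity lookup columns (multi-valued cells separated by "|"), enriches constructed notables, and lists the objects the lookups cannot resolve, which is the check to run before blaming a dashboard. Hosts, users and addresses are all made up.

```python
import csv
import io
from typing import Dict, List, Tuple

NOT_KNOWN = "not known"

# Constructed asset lookup slice (subset of the ES asset lookup columns).
ASSETS_CSV = """\
ip,mac,nt_host,dns,owner,priority,bunit,category,pci_domain
10.0.1.10,00:0c:29:aa:bb:01,web01,web01.corp.example,web-team,high,sales,web|pci,trust
10.0.1.20,,db01,db01.corp.example,dba,critical,finance,database,trust
"""

# Constructed identity lookup slice (subset of the ES identity lookup columns).
IDENTITIES_CSV = """\
identity,nick,first,last,email,priority,bunit,category,watchlist
jdoe|john.doe,jdoe,John,Doe,jdoe@example.com,medium,sales,contractor,false
asmith,asmith,Alice,Smith,asmith@example.com,high,finance,employee,true
"""

# Constructed notable events, carrying only the raw src and user fields.
NOTABLES: List[Dict] = [
    {"src": "10.0.1.10", "user": "jdoe"},
    {"src": "db01", "user": "john.doe"},      # nt_host form and an identity alias
    {"src": "10.0.9.99", "user": "mallory"},  # neither is in the lookups
]


def _split(value: str) -> List[str]:
    """Expand a pipe-separated multi-valued lookup cell."""
    return [p for p in value.split("|") if p] if value else []


def load_lookup(csv_text: str, key_fields: Tuple[str, ...]) -> Dict[str, Dict[str, str]]:
    """Index lookup rows by every value of every key field, case-insensitively."""
    index: Dict[str, Dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for kf in key_fields:
            for key in _split(row.get(kf) or ""):
                index[key.lower()] = row
    return index


ASSETS = load_lookup(ASSETS_CSV, ("ip", "mac", "nt_host", "dns"))
IDENTITIES = load_lookup(IDENTITIES_CSV, ("identity", "email"))


def enrich(notable: Dict, assets=ASSETS, identities=IDENTITIES) -> Dict:
    """Add <field>_<column> enrichment fields; unmatched objects get NOT_KNOWN."""
    out = dict(notable)
    for field in ("src", "dest"):
        value = notable.get(field)
        if not value:
            continue
        row = assets.get(value.lower())
        out[f"{field}_is_known"] = row is not None
        for col in ("nt_host", "owner", "priority", "bunit"):
            out[f"{field}_{col}"] = row[col] if row else NOT_KNOWN
        out[f"{field}_category"] = _split(row["category"]) if row else NOT_KNOWN
    user = notable.get("user")
    if user:
        row = identities.get(user.lower())
        out["user_is_known"] = row is not None
        out["user_identity"] = _split(row["identity"])[0] if row else NOT_KNOWN
        for col in ("priority", "bunit", "category", "watchlist"):
            out[f"user_{col}"] = row[col] if row else NOT_KNOWN
    return out


def unknown_objects(notables: List[Dict], assets=ASSETS, identities=IDENTITIES) -> List[Tuple[str, str]]:
    """Objects the lookups cannot resolve: the cause of 'not known' in the Investigators."""
    missing = set()
    for n in notables:
        for field in ("src", "dest"):
            v = n.get(field)
            if v and v.lower() not in assets:
                missing.add((field, v))
        u = n.get("user")
        if u and u.lower() not in identities:
            missing.add(("user", u))
    return sorted(missing)


if __name__ == "__main__":
    for n in NOTABLES:
        print(enrich(n))
    print("unresolved:", unknown_objects(NOTABLES))
```

The second notable resolves through the nt_host column and the identity alias "john.doe", so the canonical identity "jdoe" and the contractor category appear even though the raw event used neither. The third is what a misconfigured or disabled lookup produces for every object: the notable still exists, but priority, business unit and category are all "not known".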

Identity Center & Asset Center Dashboards
View the contents of the asset or identity configuration added to ES
in the Identity Center or Asset Center dashboard
Security Domains > Identity > Identity Center

Lookup columns and information

Module 5:
Investigations

Objectives
• Use investigations to manage incident response activity
• Use the Investigation Workbench to manage, visualize and
coordinate incident investigations
• Add various items to investigations (notes, action history,
collaborators, events, assets, identities, files and URLs)
• Use investigation timelines, lists, and summaries to document and
review breach analysis and mitigation efforts

Investigations
An investigation is a collection of activities and notes related to work done on a specific issue, such as a breach

Example: customers are reporting unauthorized use of their account numbers (from your store). Start an investigation and begin researching the issue:
1. Examine notable events related to the payment processing system and add them to an investigation
2. Add relevant artifacts (i.e., assets and identities) and explore them within the Investigation Workbench – this will help identify other identities involved
3. Add collaborators with expertise in a specific field
4. Run ad-hoc searches and add the results to the timeline
5. Add Action History items, such as a "source" or "non-notable event"
6. Add notes detailing actions taken to mitigate the breach
7. Modify the investigation status. Helpful for analysts in the future, especially if you solved the problem!

Note: By default, only ess_admin and ess_analyst have permission to start investigations.
Investigations Dashboard
• Lists all investigations
• Filter for a specific investigation
• Start a new investigation
• Click an investigation to open it
Investigation Workbench
• The time range and the tabs are at the top of the workbench
1. Select artifact(s)
2. Click Explore to display the selected artifacts in the workbench
• Expand the panel view to see more detail

Note: The workbench will be blank until you select artifact(s) and click Explore.
Tabs & Panels

Context Panels: Risk Scores, IDS Alerts, Notable Events, System Vulnerabilities, Latest OS Updates, Computer Inventory
Endpoint Data Panels: File System Changes, Registry Activity, Process Activity, Service Activity, User Account Changes, Port Activity
Network Data Panels: Web Activity, Email Data, Network Traffic Data, DNS Data, Certificate Activity, Network Session Data, Authentication Data
Risk Panels: Risk Scores, Recent Risk Modifiers, MITRE ATT&CK Techniques, MITRE ATT&CK Tactics
Add a Tab to the Investigation
• Add other tabs to the investigation
– For example, add the Authentication tab
Content > Add single tab > Select a tab > Authentication > Click Save
  • Imports cloud-authentication-related notable events into the investigation
  • Displays authentication related data relevant to the investigation
• The tabs do not persist; you must add them each time you view the investigation
Add Artifacts to an Investigation
• Artifacts are assets or identities you may add to an investigation to
determine whether they are involved in the overall incident
• There are several ways to add an artifact to an investigation
– From a notable event (set up by an admin)
  • Actions > Add Event to Investigation
– Manually
  • Add Artifact button
  • Add Artifact icon on the Investigation Bar
– From a workbench panel (select any item)
– From an investigation event (Timeline View > Details > click a value)

Add Artifacts Manually
1. Click the Add Artifact button, or the Add Artifact icon on the Investigation Bar
2. Select Add artifact or Add multiple artifacts and enter the artifact(s)
(all artifacts added must be the same type: assets or identities)
3. Select either Asset or Identity artifact
4. To separate multiple artifacts, click New Line or use a comma
5. Optionally, add a Description and Label(s) (separate labels with
<Enter> or <,>)
6. Optionally, Expand artifact (seeks correlated items from lookups)
7. Click Add to Scope

Add Artifacts within the Investigation
1. When exploring, click a value to add it as an artifact
2. Enter details and click Add to Scope
Add Items to an Investigation
It is important to add items to investigations to document the purpose of the steps you have taken to research the issue and to provide any details that may be useful to your team's future investigation work. You can add several types of entries:
• Notes
• Search strings
• Notable or source events
• Action History items:
– Dashboards viewed
– Notable Event Updated
– Notable Event Suppression Updated
– Panel Filtered
– Search Run

Investigation Bar buttons: Enable Livefeed, Add Artifact, Quick Search, Add Notes, Action History
Adding a Note
1. Click to view notes (the Add Notes button on the Investigation Bar)
2. Click to add a note, enter a title, and modify the time as needed (default = now)
3. Enter comments
4. Add attachments (text or binary format); 4MB max per file, stored in the KV Store
5. Save the note

Note: If you create a standard note and do not check the Show on Timeline box, the note will show under Notes as a "draft" note.
Adding an Action History Item
1. Click Action History on the Investigation Bar
2. Select the item type
3. Modify the time range as needed
4. Filter the search as needed
5. Select the items to add
6. Add the selected items to the investigation
Adding a Search String (Quick Search)
• Perform a search from the Investigation Bar and add the string to an investigation
1. Open Quick Search from the Investigation Bar (click and drag to resize the search window; double click to toggle between full screen and minimized)
2. Enter search criteria and run the search
3. Determine whether the results are useful to the investigation
4. Add the search string to the investigation
• An analyst can run the saved search to view the results while investigating
Adding Events
There are several ways to add events to an investigation:
• Add notable events from Incident Review, or
• Add source events from a search result

Enabling Notable Event Livefeed
• Get a visual notification when a notable event occurs for assets or identities included in the investigation
– Select an investigation, click the bell icon, and toggle Enable Notification
– The bell icon turns orange within five minutes of the next occurrence
• Review the events and use the plus sign (+) to add events to the investigation

Adding Collaborators to an Investigation
1. Click + to add a collaborator
2. Search and/or click a username to add as a collaborator
3. Click a collaborator initial to remove the collaborator or change write permissions
4. Select whether they have "write permission" and click Done

Updating Investigation Status
• When you open an investigation, the status is New
• Edit the Title, Status, and Description of the investigation
• Investigations can only be deleted by admins
• Analysts can delete investigation entries

Investigation Summary View
• Expand an entry for details
• Examine the correlation search that created the notable event
• Click to open the event in Incident Review
• Click to examine the source notable event

Timeline: Slide View
• Filter by Type: Action History, Adaptive Response Action, Search String, Notable Event, Note, Splunk Event
• Edit, delete, or open an item in Incident Review
• Scroll left (newer) or right (older)
• Click an item to view its details in the upper panel

Timeline Details View to Add Artifacts
1. Click Details for a detailed view of all fields and values; the Add Artifacts view opens and auto-populates
2. Click an item to add it as an artifact
3. Enter a type, description, and label as needed

Timeline: List View
• From Timeline, change the view to List View
• Use the Action menu to delete selected entries
• View the details of an entry
• Edit or delete entries, or open them in Incident Review

Edit Investigation Entry
1. Click Action and select Edit Entry to change the title of the entry
2. Enter the new title and Save

Investigation Bar and Inline Timeline View
• Select an investigation from the list or click + to add a new one
• Toggle the Investigation Timeline to show the inline Investigation Timeline
• Inline timeline controls: Investigation Timeline, Zoom, Entries, Jump to start

Module 5 Lab: Working with ES Investigations
Time: 50 minutes
Description: Create and manage an ES investigation
Tasks:
– Create an investigation to monitor user Hax0r over time
  – Add notable events to your investigation
  – Add an alert for results of future related notable events
– Create an investigation to monitor Snort activity
  – Find Snort events and add a Quick Search
  – Create a notable event to track status
  – Investigate source systems
  – Review your investigation from Timeline and Summary views
Module 6:
Security Domain Dashboards

Objectives
• Use ES to inspect events containing information relevant to active
or past incident investigation
• Identify security domains in ES
• Use ES security domain dashboards
• Launch security domain dashboards from Incident Review and
from action menus in search results

ES and Forensic Investigation
• When a breach occurs, you need to examine the details related to
the incident to determine a root cause and eliminate the risk
• The Security Domain dashboards provide the necessary tools to
examine related log and stream data in depth
• You can also use these dashboards as part of a periodic security
status evaluation
• The dashboards are organized by security domain

Security Domains
• Access: authentication attempts and access control
related events (login, access allowed, access failure, etc.)
• Endpoint: malware infections, system
configuration, system state (CPU usage,
open ports, uptime), patch status and
history (which updates have been applied),
and time synchronization information
• Network: information about network traffic
provided from devices such as firewalls,
routers, network-based intrusion detection
systems, and hosts
• Identity: examine identity and asset collection data
How to Use Domain Dashboards
• Use the dashboards:
– During forensic investigation of current or past security incidents
– To drill down into root causes of notable events
– To examine events related to an asset or identity you are investigating
– To periodically evaluate the status of security-related events

• Access the Security Domain dashboards from:
– The Security Domains menu
– The field Action menu in Incident Review search results

Access Domain
• The Access domain focuses on user identity and authentication
• Dashboards provide tools to research:
– Brute force attacks
– Privileged account misuse (e.g., root)
– Access by rare or new accounts
– Access by expired or disabled accounts
– Access by unusual applications (e.g., SSH, VNC)

Access > Access Center
• Large failure rates indicate brute force probing
• High access rates from a single app like sshd can be malicious
• High rates of login activity (user_count) may signal a compromised system
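The two signals this slide points at (a high failure rate from one source, and one source authenticating as many distinct users) are aggregates over authentication events. The following is an added example, not part of the course material or of Splunk ES itself: it builds those per-source aggregates from constructed authentication events whose field names follow the Splunk Authentication data model (action, src, dest, user, app), then flags sources the way an analyst reading the Access Center panels would. The thresholds min_attempts, max_failure_rate and max_user_count are assumptions chosen for illustration, not ES defaults.

```python
"""Added example (not course material or Splunk ES code): summarise
constructed authentication events per source the way the Access Center
panels do, then flag brute force probing and one-source/many-users activity.
Field names follow the Splunk Authentication data model; thresholds are
assumptions chosen for illustration, not ES defaults."""
from collections import defaultdict


def _ev(action, src, user, app="sshd", dest="web01"):
    """Build one constructed authentication event."""
    return {"action": action, "src": src, "dest": dest, "user": user, "app": app}


# Constructed sample data, not real log data:
#  - 10.0.0.5 fails eight times as one user over sshd (brute force pattern)
#  - 10.0.0.9 succeeds as five different users (possible compromised host)
#  - 10.0.0.20 is ordinary activity
EVENTS = (
    [_ev("failure", "10.0.0.5", "alice") for _ in range(8)]
    + [_ev("success", "10.0.0.9", u) for u in ("alice", "bob", "carol", "dave", "erin")]
    + [_ev("success", "10.0.0.20", "bob", app="win:remote") for _ in range(2)]
)


def access_summary(events):
    """Per-source attempts, failures, failure rate, distinct users and apps
    (the same aggregates the Access Center and Access Search panels show)."""
    by_src = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "apps": set()})
    for e in events:
        s = by_src[e["src"]]
        s["attempts"] += 1
        if e["action"] == "failure":
            s["failures"] += 1
        s["users"].add(e["user"])
        s["apps"].add(e["app"])
    return {
        src: {
            "attempts": s["attempts"],
            "failures": s["failures"],
            "failure_rate": s["failures"] / s["attempts"],
            "user_count": len(s["users"]),
            "apps": sorted(s["apps"]),
        }
        for src, s in by_src.items()
    }


def flag_sources(summary, min_attempts=5, max_failure_rate=0.8, max_user_count=3):
    """Return {src: [reasons]} for sources whose aggregates match the two
    patterns the slide calls out: a large failure rate (brute force probing)
    and a high user_count from a single source (possible compromised system)."""
    flags = {}
    for src, s in summary.items():
        reasons = []
        if s["attempts"] >= min_attempts and s["failure_rate"] >= max_failure_rate:
            reasons.append("brute_force_probing")
        if s["user_count"] > max_user_count:
            reasons.append("many_users_from_one_src")
        if reasons:
            flags[src] = reasons
    return flags


if __name__ == "__main__":
    for src, reasons in flag_sources(access_summary(EVENTS)).items():
        print(src, ", ".join(reasons))
```

The minimum-attempts guard matters: a single failed login is a 100% failure rate, so rate alone would flag every typo. In ES the equivalent tuning lives in the correlation search thresholds rather than in the dashboard.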

Access > Access Search
• Clicking a src or user_count under the Top Access By Unique Users panel on the Access Center displays the details on who is accessing the source
• Expand the events to view more details, create a notable event, or add the event to an investigation

Other Access Domain Dashboards
• Access Tracker: account activity over time for first-time access, inactive accounts, and expired identities
• Account Management: account actions, like creation, deletion, and lockout
• Default Account Activity: usage of default accounts, which are built in to an operating system, such as root/administrator, SYSTEM, and guest

**Splunk is adding new Correlation Searches all the time. Check the Enterprise Security documentation to view the specific searches available for your version of ES.

Endpoint Domain
• The Endpoint domain watches over user
systems, such as:
– Workstations, PCs, notebooks
– Handheld devices
– Point-of-sale systems

• Potential issues include:
– Vulnerabilities: missing updates or patches
– Malware: spyware, ransomware, or other malicious code
– Unexpected running processes or services
– Unexpected registry changes
Endpoint > Malware Center
• Overview of malware in your environment
• Statistics on the most common infection types
• New malware identification
• Click a signature (for instance TROJ_JAVA.BY) to drill down to that malware type on the Malware Search dashboard

Endpoint > Malware Search
The search drills down into the TROJ_JAVA.BY signature, showing useful information on the infected systems

Endpoint > Endpoint Changes
Track changes on your systems by type (file, registry, etc.) or by system

Endpoint > Malware Operations
• Malware status overview
• Malware client information (i.e., antivirus)
• Statistics on repeat and aging infections
• Infection duration statistics

Endpoint > Time Center
• Reports the status of time synchronization in your environment
• Systems not properly synchronizing will not send correctly time-stamped data to Splunk, which can lead to search failure and false negatives in ES

Other Endpoint Domain Dashboards
• O/S statistics and versions in use
• Patches and other software update statistics
• Search interface for update events

Network Domain
• Many Network domain scenarios
are preventative in nature:
– Suspicious activity spotted by
intrusion detection systems (IDS)
– Vulnerabilities
– Unusual ports being opened
– Suspicious DNS activity
– Port scanning

Network > Intrusion Center
• Events logged from intrusion detection systems (IDS)
• Use filters to focus on types of attacks; the example focuses on trojan activity on the network
• Click a result to drill down to the Intrusion Search dashboard

Network > Intrusion Search
• Clicking on a result in the Intrusion Center displays the specifics of the attack in the Intrusion Search dashboard
• Drilling down from the "A Network Trojan was Detected" entry on the Intrusion Center populates the search fields

Network > Vulnerability Center
• Statistics on system security settings from vulnerability scanners
• The results are looking at critical events over the past 24 hours
• Click a result, like MDKSA-2004:029:kernel, to drill down to the Vulnerability Search dashboard

Network > Vulnerability Search
• Clicking on a result in the Vulnerability Center displays the specifics of the issue in the Vulnerability Search dashboard
• Drilling down from the MDKSA-2004:029:kernel entry on the Vulnerability Center populates the Signature field

Network > Web Center
• HTTP activity insights from web server, proxy, and firewall logs
• Focus in on a specific status, like 404 - Page Not Found or 503 - Service Unavailable
• Focus in on a specific method, like POST
• Click a result, like the POST method, to drill down to the Web Search dashboard

Network > Web Search
Drilling down from the POST entry on the
Web Center populates the search fields

Other Network Domain Dashboards
• Vulnerability Operations: statistics on vulnerability aging and scan activity
• Network Changes: events recording changes to network configurations on routers, firewalls, etc.
• Port and Protocol Tracker: analysis of network activity by port type or protocol type

**Splunk is adding new Correlation Searches all the time. Check the Enterprise Security documentation to view the specific searches available for your version of ES.

Identity Domain
• Identity domain dashboards provide
information about the assets and
identities defined in ES
• Use the Asset Center or Identity
Center to view lists of objects used by
the Assets and Identity framework
• View assets or identities by priority
level, business unit, or category
• Troubleshoot network sessions by
device or user

Identity > Asset Center
Security Domains > Identity > Asset Center
• Distribution of assets by priority
• Distribution of assets by business unit
• Distribution of assets by category
• Asset lookup information

Identity > Identity Center
Security Domains > Identity > Identity Center
• Identities by priority
• Identities by business unit
• Identities by category
• Identity lookup information

Identity > Session Center
Security Domains > Identity > Session Center
• Use the Session Center to view an overview of network sessions
• Correlate network activity to a user using session data provided by DHCP or VPN servers
• Review session logs and identify the user or machine associated with an IP address used during a session
Module 6 Lab: Using Security Domain Dashboards
• Time: 30 minutes
• Scenario:
– Work in the role of a network analyst performing forensic analysis on an open incident
• Tasks:
– Use the Access Domain dashboard
– Use the Malware Search and Center dashboards
– Use the Vulnerability Center and Search dashboards
– Use the Intrusion Center dashboard

Module 7:
User Intelligence

Objectives
• Understand and use user activity analysis
• Use investigators to analyze events related to an asset or identity
• Use access anomalies to detect suspicious access patterns

Security Intelligence > User Intelligence
User intelligence tools provide the security practitioner with analytical tools to find potential internal threats

• Asset Investigator: examine a specific asset, such as a server or workstation, and compare events over time in parallel lanes showing different types of activity
• Identity Investigator: examine a specific identity and compare events over time in parallel lanes showing different types of activity
• Access Anomalies: a survey of network activity by users, highlighting anomalous access (one user account being used multiple times)
• User Activity: a survey of people and their actions, focused on watchlisted or high-risk users
Asset and Identity Investigators
• Investigator dashboards allow you to search by an asset or identity for a specific time range
• Both return a time-sequenced set of swim lanes showing activity for that asset or identity
• Individual bars in the swim lanes represent groups of events
• Use the Time Range Picker to set the time range

Accessing the Investigators
• From the User Intelligence menu
• From a field Action menu in an Incident Review event
– Asset: dest, src, ip, host
– Identity: user, src_user

Asset Investigator
• Search by asset name
• Asset information is shown for the selected asset
• Selecting an individual bar (a set of events) shows the details of the selected events in the right panel; a darker bar has more events
• The area graph shows activity over the time period

Identity Investigator
• Search by identity name
• Same tools and functionality as the Asset Investigator

Pan and Zoom
Dragging the pan/zoom controls (Start and End) changes the time frame for the search and re-executes the search, showing only the activity in the selected range
Missing Information
• If an Investigator does not find the enhanced data for an asset/identity,
you will see an error that the asset or identity is “unknown”
• Check that the asset or
identity configuration is
correct and enabled in the
Assets and Identity
Management interface

Configuring Swim Lanes
• Click Edit and select a collection of swim lanes
• Use the Custom collection to select specific swim lanes
• Customize swim lane colors
• Drag swim lanes up and down into the order you prefer
• ES Admins can add new swim lanes and set overall defaults and permissions per role
• Changes are not saved

User Intelligence > User Activity
• Risk assigned by various correlation searches on user activity, sorted by risk or by size
• Click a user to open the Identity Investigator
• Users accessing external sites that have been added to a watchlist
• Users connecting from remote locations
• Incidents opened in an external tracking system

Access User Activity from a Source Event
• From a Splunk search result, click the Actions menu for the user field
• The User Activity dashboard then only displays activity for the user selected

Access Anomalies Dashboard
Security Intelligence > User Intelligence > Access Anomalies
• View authentication attempts from different IP addresses and improbable travel anomalies using internal user credentials and location-relevant data
• This dashboard is dependent on the gia_summary index, which is filled hourly by the Access - Geographically Improbable Access - Summary Gen scheduled search

Important!
This search is disabled by default; enable it to use this dashboard.
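An "improbable travel" anomaly is a pair of consecutive logins by the same user whose locations are too far apart for the time between them. The following is an added example, not part of the course material and not the search ES uses to fill gia_summary: it applies that distance-over-time test to constructed authentication events that already carry a latitude and longitude (ES obtains these from its own geolocation lookups). The 900 km/h threshold is an assumption chosen for illustration.

```python
"""Added example (not course material or Splunk ES code): the geographic
reasoning behind the improbable travel anomaly on the Access Anomalies
dashboard, applied to constructed authentication events that already carry a
geolocation. max_speed_kmh is an assumed threshold for illustration."""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ev(user, ts, src, lat, lon):
    """Build one constructed, geolocated authentication event (UTC timestamp)."""
    return {"user": user, "_time": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "src": src, "lat": lat, "lon": lon}


# Constructed sample logins (documentation IP ranges, not real traffic):
# alice appears in New York and London one hour apart; bob drives from
# Seattle to Portland over three hours.
EVENTS = [
    _ev("alice", "2022-05-25T09:00:00", "198.51.100.10", 40.7128, -74.0060),
    _ev("alice", "2022-05-25T10:00:00", "203.0.113.25", 51.5074, -0.1278),
    _ev("bob", "2022-05-25T08:00:00", "198.51.100.44", 47.6062, -122.3321),
    _ev("bob", "2022-05-25T11:00:00", "198.51.100.45", 45.5152, -122.6784),
]


def improbable_travel(events, max_speed_kmh=900.0):
    """Sort each user's logins by time and report consecutive pairs whose implied
    travel speed exceeds max_speed_kmh. Two logins from the same place never
    count; two distant logins at the same instant are treated as infinite speed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    anomalies = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["_time"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km == 0:
                continue
            hours = (b["_time"] - a["_time"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                anomalies.append({"user": user, "from_src": a["src"], "to_src": b["src"],
                                  "distance_km": round(km, 1), "hours": round(hours, 2),
                                  "speed_kmh": speed})
    return anomalies


if __name__ == "__main__":
    for a in improbable_travel(EVENTS):
        print(f"{a['user']}: {a['from_src']} -> {a['to_src']} "
              f"{a['distance_km']} km in {a['hours']} h")
```

The same calculation explains a common false positive: a user whose source IP geolocates to a VPN egress point in another country will look like impossible travel. That is why the ES dashboard is fed by a scheduled summary that can be reviewed and tuned rather than by raw login events.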

Module 7 Lab: User Intelligence
• Time: 30 minutes
• Scenario:
– You are investigating potential internal threats
• Tasks:
– Examine and learn more about the Hax0r user account
– Investigate the server that Hax0r is attempting to access
– Use the User Activity and Access Anomalies dashboards
– Use the Access Anomalies and Access Search dashboards

Module 8:
Web Intelligence

Objectives
• Use the Web Intelligence dashboards to analyze your network
environment
• Filter and highlight events

Security Intelligence > Web Intelligence
Web Intelligence contains analytical dashboards that are useful for inspecting various aspects of your website network activity

• HTTP Category: explore the types of websites being accessed in the network
• HTTP User Agent: examine the web user agents being used on the network
• New Domain: see what external domains are being accessed
• URL Length: examine request URLs for unusual contents
Uses for Web Intelligence Dashboards
• Find URLs associated with unwanted activity
– HTTP Category Analysis
• Identify malicious activity in the form of long or malformed user
agent strings
– HTTP User Agent Analysis
• Detect botnet or trojan attacks by high counts of new domains
– New Domain Analysis
• Look for embedded SQL, cross-site scripting, etc.
– URL Length Analysis
docs.splunk.com/Documentation/ES/latest/User/ThreatListActivitydashboard
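Two of the dashboards above (URL Length Analysis and HTTP User Agent Analysis) work on the same idea: a request whose URL or user agent string is far longer than the rest of the traffic deserves a look, because that is where injected content tends to hide. The following is an added example, not part of the course material or of Splunk ES: it parses constructed key=value proxy log lines and flags any url or http_user_agent value more than k standard deviations above the mean length. The line format, the field names and k=2 are assumptions for illustration; it generalises the slide by running the same outlier test over both fields.

```python
"""Added example (not course material or Splunk ES code): the statistical idea
behind the URL Length Analysis and HTTP User Agent Analysis dashboards, applied
to constructed proxy log lines. A value is an outlier when its length lies more
than k standard deviations above the mean. Line format, field names and k are
assumptions for illustration."""
import re
from statistics import mean, pstdev

# Constructed key=value proxy lines (not real traffic): eleven ordinary requests
# and one with an abnormally long query string and an abnormally long user agent.
_LINE = ('2022-05-25T10:{m:02d}:00Z src=10.1.2.{h} method=GET status=200 '
         'url="{url}" http_user_agent="{ua}"')
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/101.0 Safari/537.36"
_NORMAL_URLS = [
    "http://intranet.example.com/index.html",
    "http://intranet.example.com/hr/policies.pdf",
    "https://mail.example.com/owa/",
    "https://www.example.org/news/2022/05/25",
    "http://wiki.example.com/display/SEC/Home",
    "https://updates.example.net/catalog.xml",
    "http://intranet.example.com/timesheets?week=21",
    "https://www.example.org/about",
    "http://fileshare.example.com/docs/q2-report.docx",
    "https://status.example.net/",
    "http://intranet.example.com/images/logo.png",
]
LONG_URL_PREFIX = "http://cdn.example.net/lookup?id="
SAMPLE_LINES = [
    _LINE.format(m=i, h=i + 1, url=u, ua=_UA) for i, u in enumerate(_NORMAL_URLS)
] + [_LINE.format(m=30, h=99, url=LONG_URL_PREFIX + "A" * 380, ua="X" * 600)]

# key=value pairs; quoted values may contain spaces.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one constructed key=value line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw, quoted in _FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def length_outliers(records, field, k=2.0):
    """Return the records whose `field` length exceeds mean + k standard deviations.
    Each returned record gains 'length' and 'z' keys for the chosen field."""
    lengths = [len(r.get(field, "")) for r in records]
    mu, sigma = mean(lengths), pstdev(lengths)
    if sigma == 0:
        return []  # every value has the same length: nothing stands out
    out = []
    for r, n in zip(records, lengths):
        z = (n - mu) / sigma
        if z > k:
            out.append(dict(r, length=n, z=round(z, 2)))
    return out


def analyse(lines=SAMPLE_LINES, k=2.0):
    """Run the length analysis for both dashboards' fields: {field: [outliers]}."""
    records = [parse_line(line) for line in lines]
    return {f: length_outliers(records, f, k) for f in ("url", "http_user_agent")}


if __name__ == "__main__":
    for field, hits in analyse().items():
        for h in hits:
            print(f"{field}: src={h['src']} length={h['length']} z={h['z']}")
```

Note the early return when the standard deviation is zero: on a small or very uniform sample the z-score is undefined, and a dashboard that silently divided by zero would either error or flag everything. Real deployments also compute the baseline over a longer window than the events being judged, so that a burst of long requests cannot raise the mean and hide itself.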
HTTP Category Analysis
Gives an overview of websites used by category

http://www.websense.com/content/support/library/web/v85/siem/siem.pdf
HTTP User Agent Analysis
Investigate user agent strings in proxy
data to detect potential threats

Per Panel Filter
• Some ES dashboard
views have a Per-Panel
Filter button which is
used to highlight or filter
items out of the
dashboard search
• Unavailable by default
for ES Analysts but can
be enabled by an ES
Admin
Note
In the lab environment for this course,
the Edit Per Panel Filters permission
has been enabled for ES analysts
Filtered vs. Highlighted Events
• Filtered events are no longer displayed
• Highlighted events are:
– Highlighted in the Per-panel Filter column
– Displayed at the top of the list by default

Managing Per Panel Filtering Lookups
To remove a highlighted or filtered field, right-click on the row and click Remove rows. In the example, the category "unknown" has been filtered out and is shaded in blue in the lookup.

Unhighlighting an Event
If an event is already highlighted:
1. Select it
2. Click Per-panel Filter
3. Remove the highlight or change to filtering
4. Click Save

Note
Events can only be "unfiltered" directly from the lookup by removing the corresponding row. (Filtered events are not visible from the UI.)

Module 8 Lab: Web Intelligence
• Time: 25 minutes
• Scenario:
– You are using the HTTP User Agent dashboard and notice some unusual activity
• Tasks:
– Perform HTTP User Agent analysis
– Use a per-panel filter
– Use the HTTP Category Analysis dashboard

Module 9:
Threat Intelligence

Objectives
• Give an overview of the Threat Intelligence framework and how
threat intel is configured in ES
• Use the Threat Activity dashboard to see which threat sources are
interacting with your environment
• Use the Threat Artifacts dashboard to examine the status of threat
intelligence information in your environment

Security Intelligence > Threat Intelligence
Threat Intelligence provides tools to help security practitioners find and prevent potential external threats in your environment

• Threat Activity: examine activity from a threat perspective: which threats have been identified, and which systems or users are affected
• Threat Artifacts: examine the details of threat intel that has been downloaded from online threat libraries or has been added locally

Threat Intelligence Framework
• Threat intel is downloaded regularly from external and internal
sources by the Threat Download Manager modular input
– Data is parsed into KV store collections with “_intel” suffixes
– Collections are used as lookups during threat generation searches

• Threat Gen searches run by default every 5 minutes and scan for
threat activity related to any of the threat collections
– When threat matches are found, events are generated in the
threat_activity index and appear in the Threat Intelligence data model
• The data model is scanned by the Threat Activity Detected
correlation search and new notables for threat activity are created
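Two SPL searches, added here as an illustration and not part of the course material, that check the two middle stages of this pipeline. The first reads the ip_intel KV store collection that the Threat Download Manager fills and counts indicators per source; the second reads the threat_activity index that the Threat Gen searches write to and summarizes matches per collection and source. The field names threat_key, threat_collection, threat_match_field, threat_match_value and src are assumed from the ES threat-matching schema; confirm them against your own events before relying on the output.

```spl
| inputlookup ip_intel
| stats count as indicators by threat_key
| sort - indicators

index=threat_activity earliest=-24h
| stats count as matches,
        dc(src) as distinct_sources,
        values(threat_match_field) as matched_fields,
        latest(threat_match_value) as last_match
    by threat_collection, threat_key
| sort - matches
```

If the first search returns rows but the second returns nothing over a window in which matching traffic is known to exist, the Threat Gen searches are the place to look (they are scheduled every 5 minutes by default); if both are empty, the download itself has not populated the collection.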
Threat Intelligence Administration
• ES Admins are tasked with managing ES threat intelligence
• Analysts and users can be given the Edit Intelligence Downloads
permission to manage threat intelligence downloads
• Threat Intelligence can be added to ES by
– downloading a feed from the Internet
– uploading a structured file
– inserting threat intelligence directly from events in ES
– as an “Add Threat Intelligence” adaptive response action in a
correlation search

Threat Intelligence Configuration
• Threat Intel is configured in the Threat Intelligence Management interface
Configure > Data Enrichment > Threat Intelligence Management
• ES can download the following types of threat intelligence
– Threat lists: IP addresses of known malicious sites
– STIX/TAXII: details about known threats, including threat type and source
– OpenIOC: additional information about known threats

• Many intel sources require regular refresh from external sources


• This information is used by the Threat Activity Detected
correlation search

Threat Activity
• The Threat Activity dashboard displays events related to known threat sites over the desired time
• Details include:
  – Threat activity over the last 24 hours and which collection it is from (file_intel, ip_intel, etc.)
  – Which sources (download name/URL) are most active
  – The details of the threat
• Per-panel Filter can be used to filter out events that are not considered a threat, or highlight rows that are more of a threat
Using the Threat Activity Dashboard
Filter the Threat Activity dashboard: choose a field from the Search drop-down and enter a value for the search
• Threat category, such as advanced persistent threat (APT), financial threat, backdoor, etc.
• Threat source: download feed or local file name

Threat Artifacts
• Filter to select a threat artifact type, or filter by fields relevant to the selected artifact type
• Use the Threat Artifact menu to drill down into the categories to see more details about each type of threat (network, endpoint, certificate, or email)
• Threat Overview displays the items that have been downloaded from threat lists or STIX/TAXII sources
• Each category has an "artifact" panel (i.e., Endpoint, Network, Email, Certificate) that displays details for the threat collection
Using the Threat Artifacts Dashboard
• Get more information about an active threat with the Threat
Artifacts dashboard
• Example: On the Threat Activity dashboard Most Active Threat
Sources panel, you see that iblocklist_proxy is one of the most
common threat sources
– In Threat Artifacts, you enter iblocklist_proxy in the Intel Source ID
field and search
– You learn that iblocklist_proxy is a CSV type threat list
– Use the Network tab to inspect the full list of known IP addresses from
this threat list, including locations when known

Add Threat Intelligence from a Search
• Admins can insert threat intel directly from a Splunk event
– Write a search that produces threat indicators, and add the following to
the end of the search:
| outputlookup local_<threat intelligence type>_intel append=t

– Types of <threat intelligence type> include ip, email, or
certificate
• For example: write a search that produces a list of IP addresses
that are testing a web server for vulnerabilities and add them to
the local_ip_intel lookup to be processed by the modular
input and added to the ip_intel KV Store collection
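The example described above, written out as an added SPL search (not the course's own search). It uses the CIM Web data model to find source addresses that generated a large number of 404 responses across many distinct URLs in the last 24 hours, which is the footprint of a path or vulnerability scanner, and appends them to local_ip_intel. The thresholds (500 requests, 200 distinct URLs) are constructed starting points, and the lookup columns ip, description and weight are assumed; compare them with the header of local_ip_intel in your deployment before writing.

```spl
| tstats summariesonly=true count as requests, dc(Web.url) as distinct_urls
    from datamodel=Web.Web
    where earliest=-24h Web.status=404
    by Web.src
| rename Web.src as src
| where requests > 500 AND distinct_urls > 200
| eval ip=src,
       description="Web scanning: " . tostring(distinct_urls) . " distinct URLs returned 404 in 24h",
       weight=60
| table ip, description, weight
| outputlookup local_ip_intel append=t
```

Run the search without the final outputlookup line first and review the table. Once the rows are written, the modular input carries them into the ip_intel collection and the Threat Gen searches will start matching on them, so an internal scanner or a misconfigured monitoring host added here becomes a recurring false-positive notable later; exclude known scanners before the where clause.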
Module 9 Lab: Threat Intelligence
• Time: 20 minutes
• Scenario:
– You are investigating potential external threats

• Tasks:
1. Review threat activity
2. Add a local IP address to the ip_intel KV Store

Module 10:
Protocol Intelligence

Objectives
• Explain how network data is input into Splunk events
• Describe stream events
• Give an overview of the Protocol Intelligence dashboards and how
they can be used to analyze network data

Security Intelligence > Protocol Intelligence
Protocol Intelligence is ES's set of tools for analyzing network traffic

Protocol Center: An overview dashboard showing protocol activity across the network
Traffic Size Analysis: An analytical dashboard showing network traffic rates and trends
DNS: Dashboards showing an overview of activity of DNS queries and a search interface
SSL: Dashboards for analyzing SSL certificate activity
Email: Dashboards for analyzing email activity

Getting Data In
• Capture network traffic using the Splunk Stream app or by
normalizing network log data (DNS, SSL, SMTP, HTTP)
• Use Cases:
– Monitor suspicious network traffic
– Correlate logged vs. actual activity
– Gain direct access to network traffic for SSL, HTTP, DNS, and SMTP
– Configure correlation searches that can monitor network traffic

Splunk Stream
• Traffic can be captured using the
Splunk Stream add-on
docs.splunk.com/Documentation/StreamApp
• Deployed on forwarders and listens to traffic
• Traffic data is forwarded to indexers and made available to ES
• Additional captures can be set up within ES

Stream Data Flow
• Production servers with forwarders and the Stream add-on (or other network data sources): capture network data and forward it to indexers
• Indexers: store captured data
• Splunk ES: if using the Stream app, it is installed here; executes and displays search results
• Captured data does not include message content unless specifically configured

Stream Events
• Stream events are generated from the Splunk Stream app, or other
streaming apps like Zeek (Bro) IDS
• Splunk Stream events in the notable index are stored with the
orig_sourcetype field as stream:xxxx (stream:tcp, stream:http, etc.)
• Standard fields are extracted, as well as additional fields for the
specific source type
– HTTP: cookies, request parameters, etc.
– SMTP: sender, receiver, subject, summary of body
– DNS: DNS query, query type, DNS host, etc.
Protocol Intelligence > Protocol Center
Displays an overview of security-relevant network protocol data
• An exploited protocol may display a disproportionate number of connections for its service type
• TCP connections sustained longer than 3 minutes: a long-duration connection between hosts may represent unusual or suspicious activity
Protocol Intelligence > Traffic Size Analysis
Compare traffic data with statistical data to find outliers. Displays traffic data from firewalls, routers, switches, or network flows
• Standard Deviation Index - Percentage (%) shows the amount of data that will be filtered out. The higher the percentage, the fewer traffic size anomalies and details are displayed
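The statistical idea behind this panel, written out as an added SPL search that is not the dashboard's own query: bucket each source's traffic volume per hour from the CIM Network_Traffic data model, compute that source's mean and standard deviation over the lookback window, and report only the hours whose volume is more than three standard deviations above the mean. The dashboard expresses its cutoff as a percentage; here the same cutoff is a z-score threshold, and raising it (as raising the percentage does) shows fewer anomalies. The field names All_Traffic.src and All_Traffic.bytes are CIM fields; the 7-day window and the threshold of 3 are constructed.

```spl
| tstats summariesonly=true sum(All_Traffic.bytes) as bytes
    from datamodel=Network_Traffic.All_Traffic
    where earliest=-7d
    by All_Traffic.src _time span=1h
| rename All_Traffic.src as src
| eventstats avg(bytes) as mean_bytes, stdev(bytes) as stdev_bytes by src
| eval z_score=if(stdev_bytes > 0, round((bytes - mean_bytes) / stdev_bytes, 2), 0)
| where z_score > 3
| sort - z_score
| table _time, src, bytes, mean_bytes, stdev_bytes, z_score
```

A host that sends a steady volume every hour has a small standard deviation, so even a modest spike stands out; a host whose traffic is naturally bursty needs a larger spike before it crosses the threshold, which is the behaviour you want from a per-source baseline rather than one global cutoff.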

Protocol Intelligence > DNS Activity
Displays an overview of data relevant to the DNS
infrastructure being monitored
For example, a host initiating a large number of DNS queries to
unknown or unavailable domains will report a large number of DNS
lookup failures with some successes. That pattern of DNS queries
may represent an exfiltration attempt or suspicious activity
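An added SPL search (not from the course material) for the pattern just described: for each source host it counts DNS responses by reply code from the CIM Network_Resolution data model, then flags hosts whose responses are dominated by NXDOMAIN failures while the total query volume is high. The CIM fields DNS.src, DNS.message_type and DNS.reply_code are assumed to be populated by your DNS source; the 1-hour window, the 200-response floor and the 0.8 failure ratio are constructed thresholds to tune against your own baseline.

```spl
| tstats summariesonly=true count as responses
    from datamodel=Network_Resolution.DNS
    where earliest=-1h DNS.message_type=Response
    by DNS.src, DNS.reply_code
| rename DNS.* as *
| eval failed=if(reply_code="NXDOMAIN", responses, 0)
| stats sum(responses) as total_responses,
        sum(failed) as failed_responses,
        values(reply_code) as reply_codes
    by src
| eval failure_ratio=round(failed_responses / total_responses, 2)
| where total_responses > 200 AND failure_ratio > 0.8
| sort - failed_responses
```

The ratio matters more than the raw failure count: a busy resolver or a browser prefetching links produces many NXDOMAIN responses, but mixed with a far larger number of successes. A host whose lookups mostly fail, with a few that succeed, is the shape described above and is worth a stream capture of its DNS traffic to see the queried names.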

Protocol Intelligence > SSL Activity
Provides an overview of the traffic and connections
that use SSL. Analysts can use these dashboards to
view and review SSL encrypted traffic by usage,
without decrypting the payload

Protocol Intelligence > Email Activity
Provides an overview of the data relevant to the email
infrastructure being monitored. Data can be used to
find suspect emails, including top email sources, large
emails, and rare senders or receivers

Creating a Stream Capture
• Investigating a notable or source event?
  – You can create a temporary stream capture for the source or destination server
  – Then investigate the stream data for that server
• You can also create a Stream capture using:
  – Correlation search
  – Adaptive response action

Scenarios: Data Exfiltration
• Detect data exfiltration using protocol intelligence dashboards:
  – Email Activity? Examine Top Email Sources
    – Look for sudden spikes in email output from single accounts, or
    – Spikes in the Large Emails display
  – DNS Activity? Examine Queries per Domain
    – Look for unfamiliar domains getting large numbers of lookups
• See an endpoint / server that may be involved in data exfiltration?
  1. Create a stream capture for it and analyze the data
  2. Look for sensitive information, intellectual property, etc.

Module 10 Lab: Protocol Intelligence
• Time: 10 minutes
• Tasks:
– Use Protocol Intelligence and related tools to investigate a suspected
data exfiltration event

Wrap Up
• Understand how to use ES
• Define correlation searches and notable events
• Use the Security Posture and Incident Review dashboards
• Use the Asset and Identity Investigators
• Perform forensic investigation on current and past incidents
• Use adaptive response actions
• Use risk-based alerting to monitor risk in your security environment
• Analyze network events for suspicious behavior
• Detect insider threats
• Use the Threat Intelligence framework
• Use Protocol Intelligence to examine live network data
What’s Next?
Become a Splunk Enterprise Security Certified Admin
This certification demonstrates an individual's ability to install, configure,
and manage a Splunk Enterprise Security deployment

Splunk Education Course(s) (recommended, but not required for this certification track). Either course path is acceptable

Exam registration assistance here. Study Guide here


Splunk Security Courses
For more Splunk security training, please review the Splunk
Enterprise Security, Splunk SOAR, and Splunk User Behavior
Analytics courses on
https://www.splunk.com/en_us/training.html

Community
• Splunk Community Portal: splunk.com/en_us/community.html
  – Splunk Answers: answers.splunk.com
  – Splunk Apps: splunkbase.com
  – Splunk Blogs: splunk.com/blog/
  – Splunk Live!: splunklive.splunk.com
  – .conf: conf.splunk.com
• Slack User Groups: splk.it/slack
• Splunk Dev Google Group: groups.google.com/forum/#!forum/splunkdev
• Splunk Docs on Twitter: twitter.com/splunkdocs
• Splunk Dev on Twitter: twitter.com/splunkdev
Splunk How-To Channel
• Check out the Splunk Education How-To channel on YouTube:
splk.it/How-To
• Free, short videos on a variety of Splunk topics

Support Programs
• Web
– Documentation: dev.splunk.com and docs.splunk.com
– Wiki: wiki.splunk.com
• Splunk Lantern
Guidance from Splunk experts
– lantern.splunk.com
• Global Support
Support for critical issues, a dedicated resource
to manage your account – 24 x 7 x 365
– Web: splunk.com/index.php/submit_issue
– Phone: (855) SPLUNK-S or (855) 775-8657

• Enterprise Support
– Access customer support by phone and manage your
cases online 24 x 7 (depending on support contract)
Thank You

Appendix A:
Reports, Dashboards,
Data Models & Use Cases

Objectives
• Use and customize ES reports
• Use and customize ES dashboards
• Explore ES Correlation Searches
• Understand ES data models
• Use ES Content Updates or Use Case Library to pinpoint potential
issues and share them in ES

ES Reports
• Select Search > Reports
• Over 200 reports in more than 20 categories
• Execute any report by selecting its name
• Select Edit to open in search, modify, and save as a new report
• Use Share, Print or Export as appropriate

ES Datasets to Build New Reports
• Access ES data models via the Search > Datasets menu
• Explore > Visualize with Pivot to quickly build new reports
– Reports can then be enhanced with charts and saved for future use

Lists of ES Correlation Searches
• Table of app, security domain, name and description of all correlation searches in your environment
• Enabled correlation searches and the adaptive response actions

Note
For a list of all enabled and disabled correlation searches, remove
| where disabled=0.
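One way to produce the table described above, as an added SPL search rather than the slide's own (the slide's search was not preserved in the text). It reads saved searches through the REST endpoint, keeps those flagged as correlation searches, drops disabled ones with the | where disabled=0 line the note refers to, and tabulates app, security domain, name, description and configured adaptive response actions. The attribute names action.correlationsearch.enabled, action.correlationsearch.label and action.notable.param.security_domain are assumed from how ES stores correlation search settings in savedsearches.conf; eai:acl.app, description, actions and disabled are standard saved-search attributes.

```spl
| rest /services/saved/searches splunk_server=local count=0
| search action.correlationsearch.enabled=1
| where disabled=0
| rename eai:acl.app as app,
         action.notable.param.security_domain as security_domain,
         action.correlationsearch.label as name
| table app, security_domain, name, description, actions
| sort app, name
```

The actions column lists every enabled alert action on the search (for example notable, risk, or a stream capture action), which is the quickest way to audit which correlation searches will fire which adaptive responses without opening each one in Content Management.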

Common Information Model
• The Common Information Model (CIM) is a library of data models
• The CIM is built into the data models that are included with ES
– Many of the data models used by ES are actually configured in the
CIM app
• One important service provided by the CIM is normalization
• Different data sources might use different names for one logical
field name
– Example:
“Sev”, “Severity”, “SevCode”, etc. all map to the logical field
name “Severity”
docs.splunk.com/Documentation/CIM/latest/User/Overview
ES Content Updates: Analytic Stories
• Self-documented searches that solve a specific problem
  – Threat / focus of the Analytic Story
  – How to implement the searches (data required)
• Tied to security frameworks (Critical Security Controls, Kill Chain, Mitre ATT&CK)
• Works in ES, Splunk Enterprise or Splunk Cloud
https://splunkbase.splunk.com/app/3449/

Content Library > Analytics Stories Stats
Search > Dashboards > Content Library
Overview of content by Analytics Stories or the searches that comprise them
• Total ESCU stories and Version
• Applicability to frameworks: Kill Chain, CIS Critical Security Controls, etc.
1. Click items in visualizations or use drop-downs to filter details
2. Click a story row to go to its Analytics Story Detail page

Content Library > Search Summary
The Search Summary tab has a similar structure and
process to the Analytics Stories Stats but for searches

Analytic Story Detail
• Select a different story to explore
• Metadata: runs all searches in the story and provides a count of results
• Detailed explanation of the story
• Associations to various security frameworks
• Nested list of the story's searches by category (selected search, deselected searches)
• (Admin) Opens the search in Edit Correlation Search in ES
• Get context, Investigate or access support

Configure > Content > Use Case Library
If your admin has installed ESCU and enabled Use Case Library, you can view ESCU analytic stories from within ES, bookmark them, and add your own

Splunk & Fraud Analytics
• Leverages Splunk Enterprise Security
  – Analyst can work in a familiar incident review tab
  – Fraud Incident Review includes workflow link to Investigate dashboard
  – Visual link analysis to make fraud investigations quick
  – Leverages Risk-based Alerting (RBA) principles
• Extensible and configurable
  – All fraud rules available as correlation searches and can be modified
  – Application designed with data models as the source of all searches
  – Macros used to define constraints (sources for data models)
Appendix B:
Event Sequence Engine

Event Sequencing Engine
• The Event Sequencing Engine allows you to create a group of correlation searches looking for specific fields and values
• Admins create a workflow called a Sequence Template that defines the correlation searches and variables, and if configured, the order in which the notable events need to occur
• A Sequenced Event is created when the workflow triggers notable events with the configured fields and values
• Similar to writing a script to automate things that you would have to do manually when tracking a variety of notable events and variables through a variety of correlation searches

Note
Only ES admins, or users given the Edit Sequence Templates permission, can create Sequence Templates. ES analysts can view the resulting events and add them to investigations.


Example Use Case
Start (correlation search)
1. Brute Force Access Behavior Detected
Transitions (correlation searches)
1. Unusually Long Command Line
2. Uncommon Processes On Endpoint
3. Web Uploads to Non-corporate Sites by Users
4. Suspicious Reg.exe Process
End (correlation search)
6. Abnormally High Number of Endpoint Changes by User

Example Configuration
Configure > Content > Content Management > Create New Content >
Sequence Template
– The Content Management window has been filtered to show only
Sequence Templates

Example Configuration (cont.)

Resulting Sequence Event
The results of the Sequence Templates are Sequenced Events, which are viewed in Incident Review. Transitions display the correlation searches matched in the template.

Appendix C:
Interfacing with Splunk Intelligence
Management (TruSTAR)

Splunk Intelligence Management
In addition to the Ingest of Indicators
from multiple Intelligence Sources into
Splunk KV stores for alerting, the
TruSTAR Unified app enables two Adaptive Response actions:
– Enrich threat activity notable events
– Submit events to TruSTAR

Enrich Threat Activity Notable Events
• Urgency updated by TruSTAR normalized score
• The Indicator
• TruSTAR Report
• Summaries of reports about the indicator

Enrich Threat Activity Notable Events (cont.)
• Pass-through/Original Score
• Actor(s)
• Malware Families
• Normalized Score

Appendix D:
Cloud Security Dashboards

Cloud Security Dashboards
Visualize the security of your cloud infrastructure (AWS, Azure) through several dashboards

Important!
To onboard Cloud data sources and examine your Cloud Security environment, you must install and set up Splunk Add-on for Amazon Kinesis Firehose and Splunk Add-on for Microsoft Office 365 from Splunkbase.

Prerequisites
1. Create indexes to populate the Cloud Security dashboards
2. Provide index name in ES app settings
– Select Configure > General > General Settings
– Navigate to AWS Index or Microsoft 365
– Populate index name
3. Install Amazon Kinesis Firehose and Microsoft 365 add-ons
4. Configure add-ons to send data to Splunk and prepare Splunk to receive data

Note
If you are already using AWS or Microsoft 365 TAs, you can use these instructions to configure your existing indexes rather than create a new one.
Available Dashboards
• Use the Security Group dashboard to monitor activity in your AWS
environment
• Use the IAM Activity dashboard to monitor user activity in your
AWS environment
• Use the Network ACLs dashboard to monitor your network ACL
activity in the AWS environment
• Use the Access Analyzer dashboard to monitor your AWS public
facing queues, lambdas, and S3 buckets
• Use the Microsoft 365 Security dashboard to monitor security
activity in your Microsoft 365 applications
