38
stoQ’ing your Splunk Ryan Kovar, Splunk Marcus LaFerrera, PUNCH SANS DFIR 2016

stoQing your Splunk

Embed Size (px)

Citation preview

Page 1: stoQing your Splunk

stoQ’ing your SplunkRyan Kovar, Splunk

Marcus LaFerrera, PUNCH

SANS DFIR 2016

Page 2: stoQing your Splunk

Ryan Kovar•  Staff Security Strategist

@Splunk•  Does Security things �

and then talks about them

•  17+ years defending �networks private sector

Marcus LaFerrera•  Director of

Development� @PUNCH

•  Lead stoQ Developer•  18+ years supporting the

government

Page 3: stoQing your Splunk

Agenda

•  Overview of stoQ•  Overview of Splunk•  A DFIR use case walk through•  Questions

Page 4: stoQing your Splunk

TOOL*N==:(

NOTHING COMMUNICATES �AND MOST TOOLS

REQUIRE MANUAL INTERACTION�

Page 5: stoQing your Splunk

HOW’S THE WEATHER OUT THERE OLLIE?

IT’S CYBER

Page 6: stoQing your Splunk

stoQ

Page 7: stoQing your Splunk

STOQ IS A FRAMEWORK THAT ENABLES

EVERYONE TO AUTOMATE PROCESSES, ANALYTICS,

AND JUST ABOUT ANYTHING ELSE

Page 8: stoQing your Splunk

AUTOMATE AND REDUCE THE MAJORITY OF YOUR MOST

MUNDANE ANALYTIC TASKS

Page 9: stoQing your Splunk

LEVERAGE ALL OF YOUR TOOLS SIMULTANEOUSLY,

AND SAVE THOSE RESULTS FOR LATER

Page 10: stoQing your Splunk

IT’S A FORCE MULTIPLIER

Page 11: stoQing your Splunk

 LOOK AT YOUR DATA, RATHER THAN SEEKING WAYS TO CAPTURE

OR PRODUCE IT

Page 12: stoQing your Splunk

COMMAND LINE, INTERACTIVE SHELL,

OR FULLY AUTOMATED

Page 13: stoQing your Splunk

EVERYTHING IS A PLUGIN, FROM INPUT TO OUTPUT

AND EVERYTHING IN BETWEEN

Page 14: stoQing your Splunk

Tell me more about Plugins…�

•  Very simple and easy to write•  Lots of documentation and examples•  stoQ does most of the heavy lifting

Page 15: stoQing your Splunk

Over40stoQPluginsAvailable•  E-mailParser•  VTMIS•  TotalHash•  Yara•  Censys•  Fireeye•  IOCExtract•  Pastebin•  PassiveTotal•  ClamAV

•  Opswat•  TRiD•  RabbitMQ•  Suricata•  Tika•  PEinfo•  Excel•  XOR•  Base64•  BitRotaKon

•  BroIntel•  Fluentd•  GoogleCloudStorage•  AmazonS3•  Slack•  ThreatCrowd•  MongoDB•  ElasKcSearch•  Exif•  Andmanymore…

Page 16: stoQing your Splunk

IT’S OPENSOURCED

Page 17: stoQing your Splunk
Page 18: stoQing your Splunk
Page 19: stoQing your Splunk
Page 20: stoQing your Splunk
Page 21: stoQing your Splunk

Monitor&Alert

Search&InvesCgate

CustomDashboards&

Reports

AnalyCcs&VisualizaCon

MeetsKeyNeedsofSOCPersonnel

Splunk Can Ingest ALL THE DATA

Real-Cme

MachineData

CloudApps

Servers

Email

Web

NetworkFlows

DHCP/DNS

CustomApps

Badges

IntrusionDetecKon

Firewall

DataLossPrevenKon

AnK-Malware

VulnerabilityScans

AuthenKcaKon

Storage

IndustrialControl

Mobile SecurityIntelligencePlaOorm

ThreatFeeds

AssetInfo

EmployeeInfo

DataStores

NetworkSegments

ExternalLookups/Enrichment

Page 22: stoQing your Splunk

Then Build Security Dashboards

IncidentInvesCgaCons&ManagementDashboardsandReports

StaCsCcalOutliers AssetandIdenCtyAware

22

Page 23: stoQing your Splunk
Page 24: stoQing your Splunk

The Splunk App for stoQ

Page 25: stoQing your Splunk

THE STOQ DFIR APP FOR SPLUNK!�

•  ALLOWS YOU TO VISUALIZE STOQ RESULTS�

•  MAKE CONNECTIONS THAT WERE DIFFICULT TO SEE BEFORE�

•  QUICKLY PIVOT TO NEW DATA SOURCES�

•  APPLY THREAT INTELLIGENCE TO STOQ DATA

Page 26: stoQing your Splunk

ADFIRScenario

Page 27: stoQing your Splunk

You are an analyst at a Fortune 100 company

Page 28: stoQing your Splunk

A user reports an email with a suspicious

attachment

Page 29: stoQing your Splunk

We need to quickly identify if the file is good or bad

Page 30: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 31: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 32: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 33: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 34: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 35: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 36: stoQing your Splunk

SPLUNKPLACEHOLDER

Page 37: stoQing your Splunk

WHERE DO I GET ALL OF THIS INCREDIBLENESS???

https://splunkbase.splunk.com/app/3196/ http://stoq.punchcyber.com

Page 38: stoQing your Splunk

Questions?

Ryan [email protected]@meansec

Marcus [email protected]@mlaferrera


Splunk conf2014 - Splunk for Data Science

Splunk conf2014 - Splunk for Data Science

Technology
Accelera’ng*Your* SoluonDevelopment …...Building*SoluGons*on*the*Splunk*Plaorm* *SplunkReference*Apps* Complete,*working*realOworld*Splunk*soluGons** builttogether*with*partners*(Conducive,*Auth0

Accelera’ng*Your* SoluonDevelopment …...Building*SoluGons*on*the*Splunk*Plaorm* *SplunkReference*Apps* Complete,*working*realOworld*Splunk*soluGons** builttogether*with*partners*(Conducive,*Auth0

Documents
Heading 1 - Splunk€¦ · Web viewFrom a Splunk Web perspective, your users interactively create and update your custom inputs using Settings, just as they do for Splunk Enterprise

Heading 1 - Splunk€¦ · Web viewFrom a Splunk Web perspective, your users interactively create and update your custom inputs using Settings, just as they do for Splunk Enterprise

Documents
Zipkin& Splunk: Tracing Transactions Across Your ecosystem€¦ · © 2018 SPLUNK INC. Zipkin& Splunk: Tracing Transactions Across Your ecosystem Tom Martin | Staff Practitioner,

Zipkin& Splunk: Tracing Transactions Across Your ecosystem€¦ · © 2018 SPLUNK INC. Zipkin& Splunk: Tracing Transactions Across Your ecosystem Tom Martin | Staff Practitioner,

Documents
SPLUNK® ENTERPRISE - CDWwebobjects.cdw.com/.../Splunk/Product-Brief-Splunk-Enterprise-The... · Splunk Enterprise collects data from any source, including logs, clickstreams, sensors,

SPLUNK® ENTERPRISE - CDWwebobjects.cdw.com/.../Splunk/Product-Brief-Splunk-Enterprise-The... · Splunk Enterprise collects data from any source, including logs, clickstreams, sensors,

Documents
You've Got Junk In Your Splunk

You've Got Junk In Your Splunk

Software
Splunk Spark Integration - GitHub Pageslitaotao.github.io/files/4. splunk_spark.pdf · Splunk Spark Integration ... • Splunk"products:""! Splunk"Enterprise"! ... splunk_spark Created

Splunk Spark Integration - GitHub Pageslitaotao.github.io/files/4. splunk_spark.pdf · Splunk Spark Integration ... • Splunk"products:""! Splunk"Enterprise"! ... splunk_spark Created

Documents
Splunk> - magellan netzwerke GmbH · 2015-07-08 · Splunk> Juergen Magiera jmagiera@splunk.com . Copyright © 2012, Splunk Inc. Listen to your data. Agenda Telco‘s? Wer ist Splunk?

Splunk> - magellan netzwerke GmbH · 2015-07-08 · Splunk> Juergen Magiera [email protected] . Copyright © 2012, Splunk Inc. Listen to your data. Agenda Telco‘s? Wer ist Splunk?

Documents
Supercharge*Your* Mobile*App*Delivery* With*Splunk*MINT* · Splunk*MINT*itBecame!* 6 September*16,*2013*Q*Splunk*acquired*BugSense* • Team*moved*to*Splunk’s*HQ* • New*productline*

Supercharge*Your* Mobile*App*Delivery* With*Splunk*MINT* · Splunk*MINT*itBecame!* 6 September*16,*2013*Q*Splunk*acquired*BugSense* • Team*moved*to*Splunk’s*HQ* • New*productline*

Documents
Guerrilla Marketing: Selling Splunk Internally to your Enterprise

Guerrilla Marketing: Selling Splunk Internally to your Enterprise

Technology
Deploying Splunk. Arquitetura e dimensionamento do Splunk

Deploying Splunk. Arquitetura e dimensionamento do Splunk

Technology
Support your digital transformation journey with Splunk & Dell … · 2019-12-06 · Splunk Architecture Send data from thousands of servers using any combination of Splunk Forwarders

Support your digital transformation journey with Splunk & Dell … · 2019-12-06 · Splunk Architecture Send data from thousands of servers using any combination of Splunk Forwarders

Documents
Listen to your data™mattturck.com/wp-content/uploads/2012/03/splunk... · 2011, Splunk Inc. 7 Listen to your data. Splunk Collects and Indexes Any Machine Data Customer Facing Data

Listen to your data™mattturck.com/wp-content/uploads/2012/03/splunk... · 2011, Splunk Inc. 7 Listen to your data. Splunk Collects and Indexes Any Machine Data Customer Facing Data

Documents
Partner Solutions: Splunk - Cloud Is a Journey. Make Splunk Your Partner

Partner Solutions: Splunk - Cloud Is a Journey. Make Splunk Your Partner

Technology
Managing performance and security with Splunk on your IBM mainframe webinar

Managing performance and security with Splunk on your IBM mainframe webinar

Software
Lenovo Network Advisor for Splunk · Lenovo Network Advisor for Splunk The Lenovo Network Advisor for Splunk application helps you in troubleshooting your network by monitoring the

Lenovo Network Advisor for Splunk · Lenovo Network Advisor for Splunk The Lenovo Network Advisor for Splunk application helps you in troubleshooting your network by monitoring the

Documents
September 2018 - Delphix · 3. In the Splunk, Configuration window,€enter your Splunk values.€ To reduce the volume of data that will be sent to Splunk, you can optionally uncheck€Enable

September 2018 - Delphix · 3. In the Splunk, Configuration window,€enter your Splunk values.€ To reduce the volume of data that will be sent to Splunk, you can optionally uncheck€Enable

Documents
Splunk conf2014 - Splunk Monitoring - New Native Tools for Monitoring your Splunk Deployment

Splunk conf2014 - Splunk Monitoring - New Native Tools for Monitoring your Splunk Deployment

Technology
Setting up Splunk for Event Correlation in Your Home Lab (SANS

Setting up Splunk for Event Correlation in Your Home Lab (SANS

Documents
AWS Agility + Splunk Visibility Cloud Success Splunk App ...AWS Agility + Splunk Visibility = Cloud Success ... More Secure Than Your On-Premises Environment ... CloudWatch Metrics

AWS Agility + Splunk Visibility Cloud Success Splunk App ...AWS Agility + Splunk Visibility = Cloud Success ... More Secure Than Your On-Premises Environment ... CloudWatch Metrics

Documents
Splunk conf2014 - Onboarding Data Into Splunk

Splunk conf2014 - Onboarding Data Into Splunk

Technology
Integrating Splunk into your Spring Applications

Integrating Splunk into your Spring Applications

Technology
Copyright © 2011, Splunk Inc.Listen to your data. Date Name Title Getting Started with Splunk

Copyright © 2011, Splunk Inc.Listen to your data. Date Name Title Getting Started with Splunk

Documents
Referent / Redner Benjamin Tiggemann · 2015-07-08 · Splunk for Exchange Splunk for Enterprise Security* Splunk for Vmware Splunk for PCI Compliance* Splunk for Windows Splunk for

Referent / Redner Benjamin Tiggemann · 2015-07-08 · Splunk for Exchange Splunk for Enterprise Security* Splunk for Vmware Splunk for PCI Compliance* Splunk for Windows Splunk for

Documents
Splunk For IT Operational Intelligence · • Splunk Apps –Splunk App for VMware –Splunk Apps for Citrix & Hyper V –Splunk App for Microsoft Exchange –Splunk App for Active

Splunk For IT Operational Intelligence · • Splunk Apps –Splunk App for VMware –Splunk Apps for Citrix & Hyper V –Splunk App for Microsoft Exchange –Splunk App for Active

Documents
Program Overview - Splunk...mission-critical services. None. Splunk Enterprise System Administration Splunk Enterprise Data Administration Splunk Cloud Administration Implementing

Program Overview - Splunk...mission-critical services. None. Splunk Enterprise System Administration Splunk Enterprise Data Administration Splunk Cloud Administration Implementing

Documents
Tossing Splunk in Your PAN...Tossing Splunk in Your PAN Ninja’s Guide to the Galaxy of Splunk and Palo Alto Networks Kevin Gonzalez | Security Operations Manager September 25, 2017

Tossing Splunk in Your PAN...Tossing Splunk in Your PAN Ninja’s Guide to the Galaxy of Splunk and Palo Alto Networks Kevin Gonzalez | Security Operations Manager September 25, 2017

Documents
“Be Proactive With Ops Analytics - Leverage your Splunk ...Splunk is unable to use service topology for complex troubleshooting. “HP OpsA is much faster and easier than Splunk”

“Be Proactive With Ops Analytics - Leverage your Splunk ...Splunk is unable to use service topology for complex troubleshooting. “HP OpsA is much faster and easier than Splunk”

Documents
Splunk For IT Operational Intelligenceuploads.integrity360.com/1425903243-Splunk-for-IT-Operations.pdf · • Splunk Apps –Splunk App for VMware –Splunk Apps for Citrix & Hyper

Splunk For IT Operational Intelligenceuploads.integrity360.com/1425903243-Splunk-for-IT-Operations.pdf · • Splunk Apps –Splunk App for VMware –Splunk Apps for Citrix & Hyper

Documents
Splunk-ify Your SAP PowerConnect© for SAP & Splunk · Extract high-fidelity, real-time and historic SAP telemetry data ready for analysis and visualisation in Splunk. Only SAP-certified

Splunk-ify Your SAP PowerConnect© for SAP & Splunk · Extract high-fidelity, real-time and historic SAP telemetry data ready for analysis and visualisation in Splunk. Only SAP-certified

Documents