Making Sense of Splunk Enterprise - BSides Greenville - June 2020

Published on June 26, 2020

Author: JonathanSinger5

Source: slideshare.net

Content

1. Making Sense of Splunk Enterprise
   Jonathan Singer | Splunk Practice Lead, Southeast

2. AGENDA
   • #whoami
   • History of logging
   • What is Splunk?
   • Who uses Splunk?
   • How to get the most out of Splunk
   • Free training for your teams
   • What I do at GuidePoint Security

3. #WHOAMI
   • Splunk Practice Lead, Southeast
     - Pure-play cybersecurity solutions provider
   • Prior work in datacenters
     - RedHat, Web App Sec, & Incident Response
     - Reading lots of logs with grep
   • GCIA, GPEN, GWAPT, GCFE, CEH… letters, we love letters
   • MS in Cybersecurity, BS in IT
   • Local chapter lead – OWASP Tampa
   • B-Sides Orlando VP, Co-founder
   • Speaker at many a conference
   • Badge maker

4. History of Logging

5. THE SYSLOG PROTOCOL
   • Designed in the 1980s
   • Originally designed for sendmail
   • Adopted by other applications
   • Since become the standard for *nix
   • Assumed de facto for many years
   • Documented in RFC 3164 (2001)
   • Standardized in RFC 5424 (2009)

6. DATA FLOW
   • Different architectural models
   • Look familiar? (syslog role – Splunk role)
     - Devices – Host
     - Relay – Forwarders
     - Collector – Indexers

7. CENTRALIZED LOGGING
   • Collect logs from each system, bring to one central location
   • Store for long term, save space on source host
   • Easier than going to each box to collect logs
   • Quickly search logs from different systems for values
   • Identify users or IP activity across environment

8. What is Splunk?

9. (Image) Source: splunk.com

10. (Diagram of Splunk security data sources; only the labels survive) Identity and Access, Internal Network Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall. Source: splunk.com

11. MACHINE DATA
    Raw event:
    03/07/2020 18:20:34.389517 (src/loggedfs.cpp:138) read 349734 bytes from proposal.doc at offset 52256 department="Marketing" department_group="Energy" customer_name="Alfonso Gutierrez" SUCCESS [3588 sshd: rblack]
    Fields extracted from the event:
    date             = 03/07/2020
    time             = 18:20:34.389517
    log_source       = loggedfs.cpp
    log_source_line  = 138
    command          = read
    bytes            = 349734
    object           = proposal.doc
    offset           = 52256
    department       = Marketing
    department_group = Energy
    customer_name    = Alfonso Gutierrez
    result           = SUCCESS
    pid              = 3588
    process          = sshd
    user             = rblack
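The field extraction the slide shows, as an added Python example (not from the talk, and not Splunk's own code): named regex groups and a key="value" matcher pull the slide's fields out of the raw event, which is what Splunk's rex command and automatic key=value extraction do at search time. The event string is copied from the slide; the split into header, key=value pairs and trailer is this example's own choice.

```python
import re

# The event from the MACHINE DATA slide, embedded here so the example runs offline.
RAW_EVENT = (
    '03/07/2020 18:20:34.389517 (src/loggedfs.cpp:138) read 349734 bytes from '
    'proposal.doc at offset 52256 department="Marketing" department_group="Energy" '
    'customer_name="Alfonso Gutierrez" SUCCESS [3588 sshd: rblack]'
)

# One pattern per region of the event; the named groups become the field names the slide lists.
# Fixed-layout header: date, time, (path:line), command, byte count, object, offset.
# log_source keeps only the file name, as on the slide (src/loggedfs.cpp -> loggedfs.cpp).
HEADER_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) '
    r'\((?:\S*/)?(?P<log_source>[^/:)]+):(?P<log_source_line>\d+)\) '
    r'(?P<command>\w+) (?P<bytes>\d+) bytes from (?P<object>\S+) at offset (?P<offset>\d+)'
)
# key="value" pairs anywhere in the event (what Splunk's automatic key=value extraction picks up).
KV_RE = re.compile(r'(?P<key>\w+)="(?P<value>[^"]*)"')
# Trailing status block: RESULT [pid process: user]
TRAILER_RE = re.compile(r'(?P<result>\w+) \[(?P<pid>\d+) (?P<process>[^:\]]+): (?P<user>[^\]]+)\]$')

INT_FIELDS = ("log_source_line", "bytes", "offset", "pid")


def extract_fields(raw: str) -> dict:
    """Return the event's fields as a dict; raise ValueError if the layout is not recognised."""
    header = HEADER_RE.match(raw)
    trailer = TRAILER_RE.search(raw)
    if header is None or trailer is None:
        raise ValueError("event does not match the loggedfs layout: %r" % raw)
    fields = {**header.groupdict(), **trailer.groupdict()}
    fields.update((m.group("key"), m.group("value")) for m in KV_RE.finditer(raw))
    for name in INT_FIELDS:  # numeric fields as ints so they can be summed and compared
        fields[name] = int(fields[name])
    return fields


if __name__ == "__main__":
    for name, value in extract_fields(RAW_EVENT).items():
        print(f"{name:>16} = {value}")
```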

12. MORE FIELDS TO SEARCH
    • Host – hostname or IP of the event
    • Source – where the event originated
    • Source Type – data structure of the event

13. DISPARATE SOURCES
    Field-name variants for the source address: srcip, src_ip, src, sourceip
    Apache:
    208.91.114.4 - - [10/May/2019:14:18:54 +0000] "GET evo/exploits/x19.php?o=2&t=1241403746 HTTP/1.1" 200 8587 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; [email protected])"
    Palo Alto:
    May 10 14:18:54 1,2019/05/10 14:18:54,01606001116,THREAT,url,1,2019/05/10 04:39:57,192.168.0.2,208.91.114.4,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2019/05/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"domain.info/evo/exploits/x19.php?o=2&t=1241403746",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
    Fortigate:
    date=2019-05-10 time=14:18:54 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="root" eventtime=1557523134021045897 srcip=208.91.114.4 srcport=50463 srcintf="port1" srcintfrole="undefined" dstip=104.80.88.154 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2193276 proto=6 action="accept" policyid=3 policytype="sniffer" service="HTTPS" dstcountry="United States" srccountry="China" trandisp="snat" transip=0.0.0.0 transport=0 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="allow" countips=1 crscore=5 craction=32768 sentdelta=0 rcvddelta=0 utmref=65162-7772
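Normalizing the slide's three vendor formats onto one field name, as an added Python example (not from the talk, and not Splunk's own code): each parser keeps its vendor-native name and an alias table maps those to a common src_ip/dest_ip, so one address can be followed across sources, which is what field aliases and CIM-compliant add-ons do inside Splunk. The log lines are the slide's (Apache and FortiGate abridged); the sourcetype labels, the alias table and the parsers' output names are this example's assumptions.

```python
import csv
import re
from collections import defaultdict

# Sample events copied from the DISPARATE SOURCES slide (Apache and FortiGate abridged), embedded so this runs offline.
APACHE = ('208.91.114.4 - - [10/May/2019:14:18:54 +0000] "GET evo/exploits/x19.php?o=2&t=1241403746 HTTP/1.1" '
          '200 8587 "-" "Mozilla/5.0 (compatible; Ezooms/1.0)"')
PALO = ('1,2019/05/10 14:18:54,01606001116,THREAT,url,1,2019/05/10 04:39:57,192.168.0.2,208.91.114.4,0.0.0.0,'
        '0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,'
        '2019/05/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"domain.info/evo/exploits/x19.php?o=2&t=1241403746",'
        '(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html')
FORTI = ('date=2019-05-10 time=14:18:54 logid="0004000017" type="traffic" subtype="sniffer" level="notice" '
         'srcip=208.91.114.4 srcport=50463 dstip=104.80.88.154 dstport=443 proto=6 action="accept" srccountry="China"')

# Vendor-native names for one concept -> one common name (assumed table; Splunk does this with field aliases).
ALIASES = {"src_ip": ("clientip", "srcip", "src", "sourceip", "src_ip"),
           "dest_ip": ("dstip", "dst", "destip", "dest_ip")}

def parse_apache(raw):
    """Apache combined log: the client address is the first token; named groups become field names."""
    m = re.match(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d+)', raw)
    if m is None:
        raise ValueError("not an Apache combined log line")
    return m.groupdict()

def parse_pan_threat(raw):
    """Palo Alto THREAT log: positional CSV (csv handles the quoted URL column); src is column 7, dst column 8."""
    cols = next(csv.reader([raw]))
    return {"type": cols[3], "src": cols[7], "dst": cols[8], "rule": cols[11], "user": cols[12], "action": cols[30]}

def parse_fortigate(raw):
    """FortiGate: key=value pairs, values optionally double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', raw)}

def normalize(fields):
    """Add the common field names next to the vendor-native ones (first alias present wins)."""
    out = dict(fields)
    for common, natives in ALIASES.items():
        native = next((n for n in natives if n in fields), None)
        if native is not None:
            out[common] = fields[native]
    return out

# Assumed sourcetype labels for the three sample events.
EVENTS = [("access_combined", APACHE, parse_apache), ("pan:threat", PALO, parse_pan_threat),
          ("fortigate_traffic", FORTI, parse_fortigate)]

def ip_activity():
    """Pivot on one address across all sources: ip -> sorted (sourcetype, role) pairs it appears in."""
    seen = defaultdict(set)
    for sourcetype, raw, parser in EVENTS:
        fields = normalize(parser(raw))
        for role in ("src_ip", "dest_ip"):
            if role in fields:
                seen[fields[role]].add((sourcetype, role))
    return {ip: sorted(pairs) for ip, pairs in seen.items()}
```

Note that in the Palo Alto line 208.91.114.4 is the destination, not the source, so a search that only looked at src_ip would miss that event; pivoting on both roles is what ties all three sources together.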

14. SEARCHING AND DASHBOARDS
    • Search Processing Language (SPL)
    • Over 140 search commands
    • Based on Unix pipeline and SQL
    • Filter, modify, manipulate, enrich, insert and delete


18. Who uses Splunk?

19. (Image) Source: splunk.com

20. DOMINO’S PIZZA
    • More than half of orders are digital
    • Used by IT and Security
    • Consumers expect the tech to work
    • Monitor business health during the most important day: Super Bowl
    Source: splunk.com

21. U.S. CENSUS BUREAU
    • Country’s first digital decennial census
    • Break down results for analysis
    • Monitor and optimize disparate systems across the country
    Source: splunk.com

22. CARNIVAL CRUISES
    • Monitor onboard systems including:
      - HVAC
      - Navigation
      - Water Purification
    • Detect onboard wireless and mobile experience issues
    Source: carnival.com

23. Adding Splunk Value

26. SPLUNKBASE
    • Nearly 2000 Apps and Add-ons
    • Onboard Data From Sources
    • Demonstrate Visualization of Data
    • Cooperation Between Vendors and Splunk

30. DEFINED COMPONENTS
    • Search Head – Web search console
    • Indexer – Storage of logs
    • Universal Forwarder – Agent installed on hosts to collect local logs
    • Heavy Forwarder – Full Splunk with forwarding capabilities
    • Deployment Server – Universal Forwarder management console

31. Free Splunk Training

32. SPLUNK FUNDAMENTALS I
    • Navigate in Splunk
    • Use Fields
    • Get Statistics From Your Data
    • Create Reports, Dashboards, and Alerts
    • Free For Everyone!

33. SPLUNK FUNDAMENTALS II
    • Searching and Reporting Commands
    • Creation of Knowledge Objects
    • Using Transforming Commands
    • Visualizations
    • Filtering and Formatting Results
    • Correlating Events
    • Data Models
    • Free For Veterans!

34. Closing Remarks

35. KEYS TO SUCCESS
    • Get data in
      - Locate source
      - Install vendor add-ons
    • Validate and verify
      - Is the data correct?
      - Can you perform basic searches?
    • Build dashboards and reports
      - Customize Splunk to your needs
    • Deliver success to management

36. Professional Services from GuidePoint Security

37. SERVICES OFFERINGS
    • Splunk Services
      - Remote or Onsite
      - Projects and Tasks
      - Staff Augmentation
    • Products
      - Core Enterprise
      - Enterprise Security (ES)
      - IT Service Intelligence (ITSI)
      - Splunk Cloud
      - Phantom

38. SERVICES DETAILS
    • Architecture and Design
    • Migrations
    • Installation and Upgrades
    • Configuration and Tuning
    • Troubleshooting
    • Documentation
    • Playbooks

39. SPLUNK HEALTH CHECK
    • Architecture Overview
    • Server Configuration Overview
    • Splunk Configuration Overview
    • Deployment and Forwarders
    • Apps and Add-ons
    • Cluster and License
    • Delivered in a Final Report

40. Thank You
    Jonathan Singer, GuidePoint Security
    GuidePointSecurity.com
    https://www.linkedin.com/in/thejonathansinger/
    https://twitter.com/jonathansinger
