Security: Get More Out of Your Security Practice with a SIEM - Part II (Advanced Use Cases) - Wed 8/21/24

Published on 05-28-2024 03:49 PM by Splunk Employee | Updated on 08-23-2024 03:29 PM

Register here. This thread is for the Community Office Hours session with the Security topic: Get More Out of Your Security Practice with a SIEM - Part II (Advanced Use Cases) on Wed, Aug 21, 2024 at 1pm PT / 4pm ET.

This is your opportunity to connect with technical Splunk experts, who will guide you through solutions to your security use case questions and engage in live discussions about how to best leverage Splunk Enterprise Security as your SIEM solution. This session, Part II, will focus on adding context to your detections to fuel more meaningful investigations. We will focus on key use cases such as Risk-Based Alerting to prioritize alerts for faster response to more critical tasks, enriching threat context with threat intelligence, leveraging cyber frameworks to manage risks, and more. These use cases will help improve mean time to detect (MTTD) and mean time to response (MTTR).

In the session, you can discuss with our experts:

  • What is the best approach to implementing the use cases in Enterprise Security?
  • Best practices for proper creation of risk rules, modifiers, adaptive actions etc.
  • Enhancing notable events and proactive threat hunting
  • Suggested approaches to mapping cyber frameworks such as MITRE.
  • Recommended Splunkbase apps
  • Anything else you’d like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).
Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.
Look forward to connecting!
loriexi
Splunk Employee

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel).

Q1: How can one hone threat detection skills by setting up projects for threat detection and incident response at home? What are the recommended steps? 
Q2: What is the best practice of Data Parsing?

  • For field breakouts, if the data is formatted (CSV, etc.), utilizing the built-in parsers is really the “easy button” here.
  • When working with custom fields or data, having a firm grasp of regular expressions (regex) to parse the data is a must.
    • Field/character offsets are too non-deterministic to be considered a best practice, but can be utilized in quick and dirty methods.
  • “Logging best practices in an app or add-on for Splunk Enterprise”:
    https://dev.splunk.com/view/logging-best-practices/SP-CAAADP6

 

Q3: Can we create ML used queries in correlation search alerting? How to incorporate ML based threat hunting using Splunk?
Other Questions (check the #office-hours Slack channel for responses):

  • Could you talk about tablos in ES?
  • For detections, do you prefer 'index=' or 'tstats'?
  • Resources recommendations for someone starting in the security realm coming from a systems background?
  • For customers that start out with InfoSec in the cloud, do you have any recommendations on getting started and making it efficient?
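The parsing advice in Q2 (built-in parsers for structured data, regex for free-text, character offsets only as a quick-and-dirty fallback) is easier to see on concrete events. The following is an added Python example written for this thread; it is not code from the session, from Splunk, or from the commenter. The CSV feed and the two sshd-style syslog lines are constructed samples, and the field names (`user`, `src_ip`, `action`) are assumptions chosen to resemble a normalized authentication event. It parses the same authentication facts three ways and shows why the offset approach silently produces garbage as soon as a hostname changes length:

```python
import csv
import io
import re

# Constructed sample events (not real data). The second syslog line has a
# longer hostname than the first, which is exactly the case that breaks
# fixed character offsets.
CSV_EVENTS = """timestamp,user,src_ip,action
2024-08-21T13:00:01Z,alice,10.0.0.5,login_success
2024-08-21T13:00:07Z,bob,10.0.0.9,login_failure
"""

SYSLOG_EVENTS = [
    "Aug 21 13:00:01 web01 sshd[1204]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Aug 21 13:00:07 bastion-east-02 sshd[1311]: Failed password for bob from 10.0.0.9 port 51240 ssh2",
]


def parse_csv_events(text):
    """Structured data: let the built-in CSV parser do the field breakout."""
    return list(csv.DictReader(io.StringIO(text)))


# Named groups document each field and tolerate width changes in the
# hostname, PID and username. Anchoring with ^ keeps the match honest.
SSHD_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)"
)


def parse_sshd_regex(line):
    """Free-text event: regex with named groups, normalized to a common action."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # caller decides how to handle unparsed events
    fields = m.groupdict()
    result = fields.pop("result")
    fields["action"] = "login_success" if result == "Accepted" else "login_failure"
    return fields


def parse_sshd_offsets(line):
    """Character offsets measured on SYSLOG_EVENTS[0] only.

    This is the 'quick and dirty' method: it works while every field keeps
    exactly the width it had on the line the offsets were measured from,
    and returns wrong values without any error once a width changes.
    """
    return {
        "timestamp": line[0:15],
        "host": line[16:21],
        "user": line[56:61],
        "src_ip": line[67:75],
    }


def offsets_agree_with_regex(line):
    """True only when the offset parser reproduces the regex result."""
    rx = parse_sshd_regex(line)
    off = parse_sshd_offsets(line)
    return rx is not None and all(off[k] == rx[k] for k in off)


if __name__ == "__main__":
    for row in parse_csv_events(CSV_EVENTS):
        print("csv    ", row)
    for line in SYSLOG_EVENTS:
        print("regex  ", parse_sshd_regex(line))
        print("offsets", parse_sshd_offsets(line),
              "(agrees)" if offsets_agree_with_regex(line) else "(WRONG)")
```

The Splunk analogue of `parse_sshd_regex` is a `rex` command or a props.conf `EXTRACT-` stanza using the same named groups, and the analogue of `parse_csv_events` is letting the platform's CSV handling break out the fields. The point the offset parser makes is that it fails silently: the second line yields `basti` for the host and `ord f` for the user with no exception raised, which is why such extractions should not be relied on in a detection.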