Security

Use case to detect malicious activity in Splunk indexer which is in a weak network

Aleena
Explorer

Hi All,

kindly give your thoughts on below questions.

1. How do I create a high-level use case to detect malicious activity on a Splunk indexer that sits in a weak network? Which log sources can be considered?

2. How do I create a high-level use case to detect malicious activity in the base OS of Splunk? Which log sources can be considered?

Thank you


shivanshu1593
Contributor

I'd consider ingesting System Monitor (Sysmon) logs, and then make use cases out of them. There's a great Splunk app, ES Content Update, which can give you various use cases along with SPL, based on different stages of the kill chain. You can look into the MITRE framework app, which will give you use cases, along with SPL, regarding modern attacks.

Sysmon logs will go a long way for you to get deep insights into your indexer. If your organization has an EDR, like CrowdStrike or Carbon Black, I'd recommend installing that on your indexer server. Also, having an antivirus solution on the server always helps.

Hope this helps.

S

Aleena
Explorer

Hi @shivanshu1593 

Thanks for your reply. Yes, I agree, the MITRE framework is a very good solution for detection of attacks.

For the MITRE framework app, do I need to install the app to get the use cases along with SPL?

Thanks in advance😊


shivanshu1593
Contributor

Hello @Aleena,

Yes. You'd have to install the application on your search head. Then modify the macros used in the SPL to match the index where you are storing the Sysmon logs, and let Splunk do the rest 🙂

Alternatively, you can always install the app on your test environment or local system and copy-paste the searches from there, which sounds a bit tedious to me, frankly.

I highly recommend you look into the ES Content Update app as well. The use cases on different stages of the cybersecurity kill chain, described in such an easy way, will really intrigue you. They provide the use cases along with the SPL for them, as well as explain the attacks in the most generic manner under the section "Explain it like I'm 5" in every alert.

Hope this helps. Let me know if you need more help with it,

Thanks!

S

Please mark it as answer if it helps you
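As an added illustration of the step described above (this is not from the thread, from ES Content Update, or from the MITRE app), here is what "point the macro at your Sysmon index, then schedule the search" looks like in Splunk's `.conf` format. The macro name `sysmon`, the index name `win_sysmon`, the host naming pattern `idx-*`, and the detection itself are assumptions constructed for this example; `EventCode`, `Image`, `ParentImage`, `CommandLine` and `User` are the field names the Splunk Add-on for Sysmon extracts from XML Windows event logs. The use case is one a defender would reasonably want on an indexer host: the `splunkd` service should never spawn an interactive shell, so a Sysmon process-creation event (Event ID 1) with that parent/child pair is worth an alert.

```ini
# macros.conf (local/ on the search head)
# Assumed macro name `sysmon`; the index and sourcetype values are constructed
# for this example and must be changed to wherever your Sysmon events land.
[sysmon]
definition = index=win_sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0

# savedsearches.conf (local/ on the search head)
# Example use case, not one shipped by ES Content Update: alert when the
# Splunk daemon on an indexer host (assumed host pattern idx-*) launches a
# command shell. Sysmon EventCode 1 = Process Create.
[Indexer - Shell spawned by splunkd]
search = `sysmon` EventCode=1 host=idx-* \
    ParentImage="*\\splunkd.exe" \
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe") \
    | stats count min(_time) AS firstTime max(_time) AS lastTime \
        values(CommandLine) AS CommandLine BY host, User, ParentImage, Image \
    | convert ctime(firstTime) ctime(lastTime)
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
```

The search window (20 minutes) deliberately overlaps the 15-minute schedule so an event that arrives late is not missed. Because the filters live in the macro, the same search can be reused unchanged if Sysmon data is later moved to a different index; only the `definition` line changes. Scripted maintenance on the indexer that legitimately runs under `splunkd` (a scripted input, for example) would trigger this alert, so expect to add an allowlist on `CommandLine` after the first run against real data.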


Aleena
Explorer

Hi @shivanshu1593 

Really appreciate your help. I was impressed by your answers. Sure, I will try to install the ES Content app. Thanks a lot. Have a nice day.

Regards,

Nafila Afrin


Aleena
Explorer

Thank you very much. I really appreciate your help :)👍
