Security

Use case to detect malicious activity in Splunk indexer which is in a weak network

Aleena
Explorer

Hi All,

Kindly give your thoughts on the questions below.

1. How do I create a high-level use case to detect malicious activity in a Splunk indexer which is in a weak network? What log sources can be considered?

2. How do I create a high-level use case to detect malicious activity in the base OS of Splunk? What log sources can be considered?

Thank you


shivanshu1593
Builder

I'd consider ingesting System Monitor (Sysmon) logs, and then make use cases out of them. There's a great Splunk app, ES Content Updates, which can give you various use cases along with SPL, based on different stages of the kill chain. You can look into the MITRE framework app, which will give you use cases, along with SPL, regarding modern attacks.

Sysmon logs will go a long way for you to get deep insights into your indexer. If your organization has an EDR, like CrowdStrike or Carbon Black, I'd recommend installing that on your indexer server. Also, having an antivirus solution on the server always helps.

Hope this helps.

S

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

Aleena
Explorer

Hi @shivanshu1593

Thanks for your reply. Yes, I agree, the MITRE framework is a very good solution for detection of attacks.

For the MITRE framework app, do I need to install the app to get the use case along with SPL?

Thanks in advance 😊


shivanshu1593
Builder

Hello @Aleena,

Yes. You'd have to install the application on your search head. Then modify the macros used in the SPLs to match the index where you are storing the Sysmon logs, and let Splunk do the rest 🙂

Alternatively, you can always install the app on your test environment or local system and copy-paste the searches from there, which sounds a bit tedious to me, frankly.

I highly recommend you look into the ES Content Update app as well. The use cases on different stages of the Cybersecurity Kill Chain, described in such an easy way, will really intrigue you. They provide the use cases along with the SPL for them, and explain the attacks in the most generic manner under the section "Explain it like I'm 5" in every alert.

Hope this helps. Let me know if you need more help with it.

Thanks!

S

Please mark it as the answer if it helps you.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
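As an added illustration of the two points above (building a use case from Sysmon process-creation events on the indexer, and pointing the search at your own index through a macro), here is a simple "first-seen process on an indexer host" search. This is example SPL written for this thread; it is not from the ES Content Update or MITRE apps and not from the original posters. It assumes two macros you define yourself in macros.conf: `sysmon_index` (expanding to something like `index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"`) and `splunk_indexer_hosts` (expanding to e.g. `host IN ("idx01","idx02")`, placeholder host names), and that the Sysmon add-on extracts the fields `EventCode`, `Image`, `ParentImage`, `CommandLine` and `User`.

```spl
`sysmon_index` `splunk_indexer_hosts` EventCode=1 earliest=-30d
| stats min(_time) AS first_seen max(_time) AS last_seen count values(CommandLine) AS cmdlines BY host User ParentImage Image
| where first_seen >= relative_time(now(), "-1d@d")
| convert ctime(first_seen) ctime(last_seen)
| sort - first_seen
```

The search looks back 30 days so the `stats` call builds a baseline of every parent/child image pair per user on the indexer hosts, then keeps only pairs whose earliest occurrence falls in the last day: a binary that has never run on an indexer before is worth a look regardless of which attack technique it belongs to. Run it as a scheduled alert once a day; expect noise right after Splunk upgrades or app deployments (new `splunkd` children, new scripted inputs), and tune by adding exclusions for known-good images rather than by shortening the baseline window.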

Aleena
Explorer

Hi @shivanshu1593 

Really appreciate your help. I was impressed by your answers. Sure, I will try to install the ES Content app. Thanks a lot. Have a nice day.

Regards,

Nafila Afrin


Aleena
Explorer

Thank you very much. I really appreciate your help :)👍
