Security

What is the best way to simulate Attacks in Splunk?

SecBit
Observer

Hi All,

I would like to know what is the best way to simulate attacks within my organisation. 

I cannot use VirtualBox due to a licensing issue, but I do have VMware.

All the tutorials online show how to use the attack range on VirtualBox but not on VMware.

Any help is much appreciated as this is vital to test our detections.

Thanks all

0 Karma

p97557150
Loves-to-Learn

This is complicated. You must understand what your detections are looking for. Once you understand that, look for the corresponding CVE or TTP to compare with the detection, and use an isolated lab environment to monitor and test the detection. It can be dangerous because the CVE or TTP may be real.

0 Karma

SecBit
Observer

Thank you for your comment.

I fully understand the detection I am trying to test, as it is based off the MITRE ATT&CK TTPs.

I will be using Atomic Red to choose which TTPs I will be testing, and the attack_range from GitHub.

I can then forward the logs to our own Splunk instance to view them. The issue we have is with the licenses.

Do I need a VirtualBox commercial license to run these tests, as it will be used in a commercial environment? I am presuming yes, as it seems obvious, but I am not 100% sure. If this is the case, what is the best alternative solution?

Thanks 

0 Karma

SecBit
Observer

Hi,

Thank you for your response.

So by simulating attacks I mean testing my detections, i.e. testing the SPL rules I have in Splunk to detect anomalies in the logs.

What I have been looking at so far is the Splunk attack_range from GitHub along with Atomic Red to test certain MITRE ATT&CK TTPs.

It will have to be a test environment that is totally on-prem, as we don't have cloud access.

The tutorials I am referring to are the ones I have seen on YouTube where you install VirtualBox on Ubuntu and then test labs are automatically set up and destroyed for each TTP you are testing.

Yes, I thought it would be easy enough to change from VirtualBox to VMware, but I can't find one video.

I do have a vSphere where this can be run from, as multiple people from our team need to have access to this lab.

Please let me know what you would suggest as the best way to set this up.

0 Karma
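The loop described in the post above (pick a TTP, execute it in the lab, forward the logs, check that the SPL rule fires and that nothing benign trips it) can be dry-run before any VM is built. The following is an added example, not code from this thread, from Splunk attack_range or from Atomic Red Team: it replays constructed endpoint process events, shaped like the Endpoint.Processes data-model fields Splunk detections usually search, through rule predicates keyed by ATT&CK technique ID, and reports true positives, misses and false positives per rule. The events, the three rules, and the SPL-style conditions in the comments are all illustrative assumptions written for this example; they are not Splunk's ESCU searches.

```python
"""Offline detection-test harness keyed by MITRE ATT&CK technique ID.

Each Detection models one SPL rule as a Python predicate over a normalised
process event. Labelled attack events stand in for the telemetry an Atomic
Red Team test would generate; 'benign' events check for false positives.
"""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample events (hypothetical, not captured from a real host).
# Field names follow the Splunk Endpoint.Processes data model; "label" is
# the ground truth: the technique the event simulates, or "benign".
EVENTS = [
    {"id": 1, "host": "win10-lab", "user": "LAB\\alice", "label": "T1059.001",
     "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 2, "host": "win10-lab", "user": "LAB\\alice", "label": "benign",
     "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": 3, "host": "win10-lab", "user": "NT AUTHORITY\\SYSTEM", "label": "T1003.001",
     "parent_process_name": "cmd.exe", "process_name": "rundll32.exe",
     "process": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\lsass.dmp full"},
    {"id": 4, "host": "win10-lab", "user": "LAB\\alice", "label": "benign",
     "parent_process_name": "explorer.exe", "process_name": "rundll32.exe",
     "process": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 5, "host": "win10-lab", "user": "LAB\\alice", "label": "T1053.005",
     "parent_process_name": "cmd.exe", "process_name": "schtasks.exe",
     "process": "schtasks.exe /create /tn Updater /tr \"powershell.exe -enc SQBF\" /sc minute /mo 5"},
    {"id": 6, "host": "win10-lab", "user": "LAB\\alice", "label": "benign",
     "parent_process_name": "cmd.exe", "process_name": "schtasks.exe",
     "process": "schtasks.exe /query /tn Updater"},
]


@dataclass(frozen=True)
class Detection:
    technique: str                    # ATT&CK technique ID the rule covers
    name: str                         # human-readable rule name
    predicate: Callable[[dict], bool] # the rule logic, one event at a time


# Matches PowerShell's -e / -ec / -en / -enc / -encodedcommand switches but not
# unrelated switches that merely start with "-e" such as -ExecutionPolicy.
ENC_FLAG = re.compile(r"(?i)\s-(e|ec|en|enc|enco|encodedcommand)\s+\S")

DETECTIONS = [
    # Roughly: Processes.process_name IN ("powershell.exe","pwsh.exe") Processes.process="* -enc *"
    Detection("T1059.001", "PowerShell encoded command",
              lambda e: e["process_name"].lower() in {"powershell.exe", "pwsh.exe"}
              and bool(ENC_FLAG.search(e["process"]))),
    # Roughly: Processes.process_name="rundll32.exe" Processes.process="*comsvcs.dll*" "*MiniDump*"
    Detection("T1003.001", "LSASS dump via comsvcs.dll MiniDump",
              lambda e: e["process_name"].lower() == "rundll32.exe"
              and "comsvcs.dll" in e["process"].lower()
              and "minidump" in e["process"].lower()),
    # Roughly: Processes.process_name="schtasks.exe" Processes.process="*/create*"
    Detection("T1053.005", "Scheduled task creation via schtasks",
              lambda e: e["process_name"].lower() == "schtasks.exe"
              and re.search(r"(?i)\s/create\b", e["process"]) is not None),
]


def evaluate(detection: Detection, events: list[dict]) -> list[int]:
    """Return the ids of the events the detection fires on (the 'search results')."""
    return [e["id"] for e in events if detection.predicate(e)]


def score(detections: list[Detection], events: list[dict]) -> dict[str, dict[str, list[int]]]:
    """Per technique: attack events caught, attack events missed, benign events flagged."""
    benign = {e["id"] for e in events if e["label"] == "benign"}
    report = {}
    for d in detections:
        hits = set(evaluate(d, events))
        expected = {e["id"] for e in events if e["label"] == d.technique}
        report[d.technique] = {
            "true_positives": sorted(hits & expected),
            "missed": sorted(expected - hits),
            "false_positives": sorted(hits & benign),
        }
    return report


if __name__ == "__main__":
    for technique, result in score(DETECTIONS, EVENTS).items():
        status = "PASS" if not result["missed"] and not result["false_positives"] else "FAIL"
        print(f"{technique}: {status} {result}")
```

Once the rule logic passes here, the same labelled expectation (technique ID, event IDs that must and must not match) is what to assert against the real Splunk results after the Atomic test runs in the lab; a rule that fires on event 2 or 6 is the kind of false positive that only shows up when benign admin activity is part of the test set.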

isoutamo
SplunkTrust

Hi

Can you elaborate on what you mean by "simulate attacks"?

And which tutorials are you referring to?

Usually it's quite easy/doable to change VirtualBox to VMware or something else which offers the same capabilities.

r. Ismo

0 Karma